SecurityGateway for Email Servers v6.0 Release Notes

Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

Click here to learn more about SecurityGateway for Email Servers.

SecurityGateway 6.0.0 - February 12, 2019

SPECIAL CONSIDERATIONS

• [21138] SecurityGateway now requires at least Windows Vista or Windows Server 2008

  Due to the discontinuation of security patches from Microsoft, and the lack of required functionality, Windows XP and Windows 2003 are no longer supported.

• [21168] Changed the default installation directory for new installations from %PROGRAMFILES%\Alt-N Technologies to %PROGRAMFILES%\MDaemon Technologies

MAJOR NEW FEATURES

[9809] Message Archiving

• Added support for long term email archiving.  Archived messages are fully searchable.  The archived messages are stored in configurable archive stores.

[17480] 64bit Version

• A 64-bit version of SecurityGateway is now avaliable for installation on 64-bit operating systems. The 64-bit version can handle a higher number of active sessions before running out of memory.

[18560] Improved Data Leakage Prevention

• Over sixty additional data leakage prevention rule templates are now avaliable.

CHANGES AND NEW FEATURES

• [20782] Improved support for Google G Suite.  If a domain mail server is configured to deliver mail to Google G Suite (aspmx.l.google.com), connections from any Google G Suite mail server will be treated as from a domain mail server.   This facilitates in SecurityGateway being used as an outbound mail gateway with Google G Suite.
• [20946] The options to refuse messages that are not RFC compliant or incompatible with DMARC do additional checks for invalid syntax in the From header
• [21065] Updated inbound/outbound icons in the message log view
• [21119] Added support for TLS Server Name Indication (SNI) which allows a different certificate to be used for each domain without requiring them to be on different IP addresses. Multiple certificates can be active, and SG will use whichever one has the requested host name in its Subject Alternative Name field.
• [21124] Self-signed certificates can now be created with larger key sizes, use SHA2 instead of SHA1, and automatically include the main host name in the Subject Alternative Name field.
• [21060] Updated Cyren AV engine to version 6.2.0r2.  This version fixes a few reported scanning errors.
• [21074] SMTP Callback Verification now supports encrypted connections utilizing STARTTLS
• [21194] Updated ClamAV to version 0.101.1

FIXES

• [20619] fix to possible memory corruption when sending DMARC aggregate reports
• [20867] fix to IPv6 Connection from Domain Mail Server is not recognized
• [20903] fix to DMARC aggregate reports generating invalid "policy_evaluated/disposition" value
• [21055] fix to standard email headers may not be displayed when viewing a message from the message log
• [21077] fix to attempt is made to bind to ::1 even when IPv6 is not enabled in the operating system.  This results in an error being logged to the system.log file.
• [21013] fix to several sub options on the Security | Anti-Spoofing | Reverse Lookups page are not properely indented
• [20938] [20939] fix to correct domain branding images may not be displayed
• [20351] fix to maliciously formed HTML message may cause the sieve "body" test to hang
• [21142] fix to when viewing an HTML message the content is not placed in an iframe
• [21158] LetsEncrypt: updated the script to properly handle situations when a certificate has never been enabled
• [21259] fix to DLP rule editor always displays action as "administrative quarantine"
• [21260] fix to unable to enable custom DLP rule from rule editor pop-up window

SecurityGateway 5.5.0 - May 8, 2018

MAJOR NEW FEATURES

[17479] IPV6 SUPPORT

Support for IPv6 has been added.  SecurityGateway will detect the level of IPv6 capability that your OS supports and dual-stack where possible; otherwise, SecurityGateway will monitor both networks independently.  If enabled, outbound SMTP connections will prefer IPv6 over IPv4 whenever possible.

A few options related to use of IPv6 can be found at Setup | System | IPv6.

CHANGES AND NEW FEATURES

• [20332] Updated Cyren AV engine to AVSDK 5.4.30.7.  This fixes some possible scanning error issues.
• [20333] Updated ClamAV to version 0.99.4

FIXES

• [14919] fix to values less than seven characters in length cannot be added to the IP Whitelist and Blacklist, this prevents certain valid wildcard entries from being entered
• [20308] fix to unable to load Content Filter Rule editor dialog in German language
• [20282] Updated to version 3.12.2 of the FusionChart libraryy

SecurityGateway 5.0.1 - February 20, 2018

CHANGES AND NEW FEATURES

• [11945] Added the ability to define which DNS servers to SecurityGateway should query.  By default the DNS servers defined in the operating system are queried.
• [20189] Updated ClamAV to version 0.99.3
• [20013] Renamed Alt-N Technologies to MDaemon Technologies
• [19927] The suffix domain "rpost.biz" is now appened to the To and CC fields of email messages that are sent via RMail.  This is necessary for certain RMail reports to display properly.
• [20167] Custom branding now also uses domain IP binding to determine if a domain specific branding images should be used

FIXES

• [19826] fix to logon via the XMLRPC API requires accepting terms of use
• [19869] fix to when an "Office 365" domain mail server is configured, connections from any Office 365 mail server are considered to be from the domain mail server.  This can cause relay and anti-spam checks to be skipped for mail received from other Office 365 domains.  The logic has been improved to also verify that the message is from a local domain before considering an Office 365 mail server to be a domain mail server.
• [19989] fix to Mailsploit address spoofing issues
• [20053] fix to matching text is not logged when Content Filter rule matches text in a message header
• [20165] fix to per domain branding images are not shown if HTTP request specifies a port number
• [20197] fix to domain may be added to SSL white list when it was not attempting an SSL negotiation

SecurityGateway 5.0.0

MAJOR NEW FEATURES

[18924] LOCATION SCREENING

A geographically based blocking system has been developed which allows you to block incoming SMTP and Remote Administration connections being attempted from unauthorized regions of the world. A new screen has been added at Security|Anti-Abuse|Location Screening to configure this.

CHANGES AND NEW FEATURES

• [19501] In order to assist administrators with compliance to laws such as the General Data Protection Regulation in the EU we are adding the ability (Setup | User Options | Terms of User) for an administrator to add a terms of service statement which must be accepted by the users each time they login.  The user can accept the statement by checking a box.
• [18094] Added hyperlinks to the message details view to find the matching list entry for whitelist and blacklist matches.
• [19685] Improved support for Office 365.  If a domain mail server is configured to deliver mail to Office 365 (mail.protection.outlook.com), connections from an Office 365 mail connector will be treated as from a domain mail server.
• [18420] Added a button, to the Message Log | Message Source view to download a message in EML format. This option is only available when the message's content is still available in the SecurityGateway database.
• [19537] LetsEncrypt logging will now include additional details that will make it easier to troubleshoot. The log will include a URL to LetsEncrypt.com that will help explain why challenges fail.
• [19284] When a message is released from the Administrative Quarantine the username of the administrator performing the action is now logged.

FIXES

• [19556] LetsEncrypt: fix to error handling when running certutil.exe
• [18883] fix to SPF resolver does not resolve returned CNAME records when performing lookup for TXT policy record
• [18904] fix to DMARC reports sent with wrong "mail from" address
• [18934] fix to Unable to delete item from IP black/whist list using XMLRPC API
• [19680] fix to the "RPost | Use specific relay host" option is not honored when the "Mail Delivery | Always send every outbound email to the server specified" option is enabled
• [19712] fix to the LetsEncrypt script does not work if the option to redirect HTTP requests to HTTPS is enabled
• [18935] fix to DMARC reports may specify wrong SMTP return path value until the service is restarted
• (beta only) [19780] fix to "Data Leak Prevention" section appears twice on Security landing page

MAJOR NEW FEATURES

[15657] SecurityGateway now integrates with the RMail™ service from RPost®

RMail™ is intuitive to use and there’s no requirement for your recipients to have any special software whatsoever. RMail™ empowers email usage for consumers and businesses of all sizes, across all industries and departments.

The RMail™ service is powered by RPost's Registered Email® technology, the global standard for email delivery proof. The RMail™ service extends your email platform, providing:

• Track your important emails and know precisely when they’re delivered and opened.
• Proof of Delivery, Time, and Exact Content.
• Easily encrypt sensitive emails and attachments for security or legal compliance.
• RMail™ makes it easy for all parties to e-sign and complete a transaction. delivered and opened.

Using a free RPost account, each user is limited to sending/receiving 10 encrypted messages per month. Additional messages can be purchased through RPost.  Click here for information on plans/pricing for increased message limits.

The RMail™ service may be enabled from the Security | RMail™ page or as an action of a message content filter rule.

CHANGES AND NEW FEATURES

• [18524] Updated Firebird database components to version 2.1.7

FIXES

• [18602] fix to messages over 10KB in size with invalid MIME structure are not delivered
• [18605] fix to potential crash in logic that converts HTML to text when searching message bodies
• [18644] fix to SPF mechanisms after an "include" mechanism may not be evaluated correctly
• [17294] fix to header is not added to quarantined messages when the "Allow mail server or client to filter quarantined messages" and "...add header" quarantine options are selected
• [18516] fix to scheduled database maintenance may occur in the minute before the scheduled time
• [18517] fix to automatic database backup does not run more than once in the same day even if the backup type or time has been changed
• [18692] fix to unable to delete message from bad message queue

SecurityGateway 4.5.0 - April 4, 2017

SPECIAL CONSIDERATIONS

[18161] The option "Honor CRAM-MD5 authentication method" found at Setup / Users | Mail Configuration | Email Protocol has changed to disabled by default for security and technical reasons. Using TLS is the preferred way to avoid transmission of passwords in the clear.

CHANGES AND NEW FEATURES

• [17644] Added a set of built-in "Data Leak Prevention" rules.  These rules can be used to assist in detecting if sensitive information is being sent outside of the organization.
• [18447] Added the ability to compare the message body or subject in a content filter rule condition
• [18473] Added a "MAIL and RCPT" item in the "Rule Condition Editor" for Message Content Filter and Data Leak Prevention rules.  Comparators for this item are Inbound, Outbound, and Internal along with a negative option for each.
  • Inbound - Message is to a local user and is not from a local user of the same domain
  • Outbound - Message is from a local user and is not to a local user of the same domain
  • Internal - Message is to and from a local user of the same domain
• [1894] Added "contains word" and "does not contain word" comparators for message content filter and data leak prevention rule conditions.  These are similar to the "contains" and "does not contain" comparators but will only match if there is a word boundary anchor proceeding and following the string.  This avoids the need to manually create a regular expression in the format of \b(word1|word2|word3)\b.
• [18491] Added the ability to edit a "Currently defined string" for a content filter or data leak prevention rule condition by double clicking it.
• [17875] Integration with Let's Encrypt via PowerShell script
  
  Let's Encrypt is a certificate authority that provides free certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. 
  
  A PowerShell script that supports LetsEncrypt is now installed to the SecurityGateway\LetsEncrypt directory.  A dependency of the script, the ACMESharp module, requires PowerShell 3.0. This means this script will not work on Windows 2003.
  
  The SecurityGateway HTTP service must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set everything up for LetsEncrypt, including putting the necessary files in the SecurityGateway HTTP (templates) directory to complete the http-01 challenge. It uses the FQDN configured in SecurityGateway for the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures SecurityGateway to use the certificate using SecurityGateway's XMLRPC API.
  
  The script creates a log file in the SecurityGateway\Logs\ directory called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date/time of the script but it does not include a date/time stamp for each action. Notification emails can be sent when an error occurs.
  
  If you have an FQDN setup for your default domain that does not point to the SecurityGateway server, this script will not work. If you want to setup alternate host names in the certificate you can do so. You need to pass the alternate host names on the command line.
  
  Example usage: .\SGLetsEncrypt.ps1 -UserName admin@domain.com -Password Password1 -AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -EmailErrorsTo admin@domain.com
  
  You do not need to include the FQDN for the default domain in this list. For example, our default domain, altn.com, is configured with an FQDN of mail1.altn.com. We use an alternate host name of mail.altn.com. When I run the script, I only pass mail.altn.com as an alternate host name. If you pass alternate host names, an HTTP challenge will need to be completed for each them. If the challenges are not all completed the process will not complete correctly.
  
  If you do not need to pass in alternate host names then do not include the –AlternateHostNames parameter in the command line. If you do not want to have email notifications sent when an error occurs do not include the –EmailErrorsTo parameter in the command line.
• [17670] Updated Cyren Anti-Virus engine to version 5.4.28-r1
• [18271] Updated to version 8.00.0125 of the Cyren Outbreak Protection SDK
• [17657] Changed the write mode for the Firebird database from asynchronous to synchronous as this should resolve some instances of database corruption.  However, this change does come with a performance cost. This will not be an issue for most installations.  A new screen has been added at Setup | Database | Configuration to specify the database write mode.  Asynchronous write mode is only recommended when the performance of synchronous write mode is not sufficient. It is critical that the system be protected by a reliable UPS and that database backups are maintained.
• [15753] Replaced built in crash memory dump generation code with code that creates registry entries for Windows Error Reporting.  This functionality requires Windows Server 2008/Windows Vista or later.  A memory dump file should be created in the "CrashDumps" folder if the securitygateway.exe process crashes.  The location of this folder may be changed from Setup/Users | System | Directories.
• [16730] Added "Result" column to the Queued for Delivery view
• [17746] Implemented Sieve extension "proximity" tag for "allof" test.  This allows for scripts where multiple search terms must exist within a proximity of a specified number of characters of each other.
• [17792] Added GetSetting and PutSetting methods to the XML-RPC API
• [10223] Added option to Setup | Mail Configuration | Email Protocol to "Hide software version identification in responses and 'Received:' headers".  This option is disabled by default.
• [17866] SecurityGateway may report the version of the OS version that it is running on when it requests an updated license file from Alt-N. This information is helpful as we make decisions about which OSes to support. To not report such information, disable the "Include optional usage and environment data in license request" option on the Setup | Registration page in the web interface.
• [13464] Added options to Security|Anti-Spam|Backscatter Protection to specify IP addresses and domain names of sites that are exempt from Backscatter Protection return-path signing
• [17924] Updated SpamAssassin engine (SGSpamD.exe) to include Encode module for charset conversion and normalization
• [11776] Added a per-domain option for the maximum acceptable SMTP message size
• [18485] SecurityGateway starts warning about impending license deactivation 7 days in advance (up from 5 days).
• [18362] Improved logging in DMARC processing when SPF lookup was not performed due to a NULL SMTP return path

FIXES

• [17452] fix to it is possible to add a content filter condition when an empty criteria string
• [16163] fix to updating a Message Content Filter Rule may result in the truncation of the last character of the condition string
• [17753] fix to usage key returned by activation server is not saved when "Click here to request an updated license file" link is manually clicked
• [17765] fix to the "Exclude the files listed below" virus scanning options only apply to the "Quarantine messages that cannot be scanned" option and need to be indented
• [17860] fix to "Account Hijack Detection" is not activated if sender authenticates as a user account alias address
• [17934] fix to DMARC failure reports (RUF) are not DKIM signed
• [16922] fix to Bayesian learning process fails when SecurityGateway is installed under the Program Files (x86) directory and support for NTFS short file names is not enabled on the volume.  This is the default configuration for new volumes created by Windows Server 2012.
• [18023] fix to Sieve "envelope" test "domain" tag does not match as expected
• [18155] fix to the DNS parser adds an additional space character between the lines of multi-line TXT DNS records. This may result in erroneous SPF and DMARC policy failures when a single policy element spans multiple lines.
• [18167] fix to the message count contained in the administrative quarantine report may be incorrect for domain administrators
• [18054] fix to unable to disable DKIM signing for a domain
• [18189] fix to browser may autofill other password fields with saved logon password
• [18251] fix to SPF test may errantly return pass result if SPF policy contains the "include" directive
• [18298] fix to regular expression for detecting blank subjects not working
• [17035] fix to unable to edit a condition in a Message Content Filter rule while that rule is disabled
• [18417] fix to the Whitelist/Blacklist list view may display characters in an entry's comments encoded as HTML entities
• [18361] fix to incorrect DMARC / DKIM / SPF lookups occurring for some domains
• [18573] fix to a corrupted .zip file may cause securitygateway.exe process to consume all system memory and crash
• [18021] fix to under specific conditions, a message may be accepted but not delivered to the domain email server.  In the outbound log, the session for the message will contain SIZE=0 and delivery will fail.

 SecurityGateway 4.0.0 - June 14, 2016

MAJOR NEW FEATURES

[15999] Web Interface Updated to use a Mobile First Responsive Design

The web interface has been updated to use a mobile first responsive design.  Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS.  Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.

This design is based entirely on the size of the window being used.  Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size.  The most important change here is the menu.  From 1024 pixels width on down the menu is hidden on the left side of the browser.  There are two methods that can be used to display the menu.  If a touch device is in use, swiping to the right will show the secondary menu.  Whether or not a touch device is in use, there is also a "menu" button in the top left corner that will display the secondary menu.  Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu.  The help, about, and sign out menu in the top right corner changes based on the width of the screen as well.  From 768 pixels up shows the words Help, About, and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels or less displays a "gear" icon which when clicked or tapped will display a drop down menu with the Help, About, Sign Out options.  List views with more than one column have column on/off buttons.

[11232] DMARC

Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been added. DMARC defines a scalable mechanism by which a mail sending organization can express, using the Domain Name System, domain level policies and preferences for message validation, disposition, and reporting, and a mail receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works can be found here: http://www.dmarc.org/.

DMARC allows domain owners to express their wishes concerning the handling of messages purporting to be from their domain(s) but which were not sent by them.  Possible message handling policy options are "none" in which case SecurityGateway takes no action, "reject" in which case SecurityGateway refuses to accept the message during the SMTP session itself, and "quarantine" in which case SecurityGateway places the following header into each message for easy filtering into your user's Junk E-mail folder:  "X-SGDMARC-Fail-policy: quarantine".  This header is only added when the result of the DMARC check is "fail" and the resulting DMARC policy is something other than "none."  It is possible to configure SecurityGateway to accept messages even though DMARC requests that they be rejected.  In fact, this is the default operational mode.  In these cases SecurityGateway will place an "X-SGDMARC-Fail-policy: reject" header into the message in case you want to filter more seriously on that.

DMARC supersedes ADSP and the message disposition features of SPF.  However, you can still use all of them together with DMARC.   ADSP and SPF message rejection now takes place after DMARC processing if DMARC verification is enabled.

DMARC depends in part upon the use of a "Public Suffix List." A "Public Suffix" is one under which Internet users can directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. A "Public Suffix List" is a list of all known public suffixes. SecurityGateway uses the one maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/. A copy of this list is installed into your \App\ folder as effective_tld_names.dat. There is currently no comprehensive or single authoritative source for such a list which is an issue the Internet community should address. Over time this file will grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat and saving it to your \App\ folder. SecurityGateway will periodically and automatically download and install this file as part of the daily maintenance event approximately once every two weeks.  Various controls to govern this can be found on the new DMARC configuration screens.  The DMARC log and the new DMARC window within the Security tab inside the main UI will contain the results of the update and all other DMARC processing operations.  You can set a different file download URL if needed but the data downloaded must conform to the format specified by Mozilla for their file. You can read about this at the URL mentioned above.  SecurityGateway strictly follows the parsing algorithm specified by Mozilla. Create a (possibly empty) file called "PUBLICSUFFIX.SEM" and place it in SecurityGateway's \App\ folder if you replace or edit the effective_tld_names.dat file yourself and need SecurityGateway to reload it without a reboot.

To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's DNS setup.  Information on how this record is defined and structured can be found at http://www.dmarc.org. When you publish a DMARC record to your DNS you may begin receiving DMARC reports from many different sources via email. These reports are provided as a compressed XML file whose format is governed by the DMARC specification. Consuming these reports is outside the scope of SecurityGateway's DMARC implementation. However, the data within these reports can provide important insight into a domain's mail flow, improper domain use, DKIM signing integrity, and SPF message path accuracy/completeness. The addresses to which these reports are sent is configured by you when you create your DMARC record.

When setting up a DMARC record for one or more of your domains take care with use of p=reject.  Take particular care if your domain provides email accounts for general use by human users.  If such users have signed up for any mailing lists, make use of a mail forwarding service, or expect to use common things like "share this article with a friend" you should know now that a DMARC p=reject policy could make those things entirely impossible and if so you'll hear about it.  DMARC p=reject is perfectly appropriate and useful but only when it is applied to domains that control how their email accounts are used (for example, transactional mail, automated (i.e. non-human) accounts, or to enforce corporate policies against use of the account outside organizational boundaries).

In order to support DMARC aggregate reporting SecurityGateway will store data which it will need later in order to generate aggregate reports according to the DMARC specification. SecurityGateway ignores the DMARC "ri="; tag and only produces DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given day. At midnight UTC (which is not necessarily midnight local time) SecurityGateway consumes this stored data to generate the reports. SecurityGateway needs to be running at this time or the stored data could grow and grow and never be consumed. Therefore, if you do not run your SecurityGateway 24/7 you should not enable DMARC aggregate reporting.  DMARC aggregate reporting is disabled by default.

In order to support DMARC failure reporting RFC 5965 "An Extensible Format for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF) Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651 "Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting", and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have been fully implemented.  Failure reports are created in real-time as the incidents which trigger them occur.  SecurityGateway implements DMARC AFRF type failure reports and not IODEF type reports.  Therefore, only values of "afrf" in the DMARC "rf=" tag are honored.  See the DMARC specification for complete details.  Multiple failure reports can be generated from a single message depending upon the number of recipients in the DMARC record's "ruf=" tag and upon the value of the "fo=" tag times the number of independent authentication failures which were encountered by the message during processing.  When the DMARC "fo=" tag requests reporting of SPF related failures SecurityGateway sends SPF failure reports according to RFC 6522.  Therefore, that specification's extensions must be present in the domain's SPF record.  SPF failure reports are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.  When the DMARC "fo=" tag requests reporting of DKIM related failures SecurityGateway sends DKIM and ADSP failure reports according to RFC 6651.  Therefore, that specification's extensions must be present in the DKIM-Signature header field and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid ADSP extensions in the ADSP TXT record.  DKIM and ADSP failure reports are not sent independent of DMARC processing or in the absence of RFC 6651 extensions.  See the various specifications referenced herein for complete details.  DMARC failure reporting is disabled by default.

Important Note:  A DMARC record can specify that reports should be sent to an intermediary operating on behalf of the domain owner. This is done when the domain owner contracts with an entity to monitor mail streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by your privacy policy, terms of use, or other similar governing document.  You should review and understand if your own internal policies constrain the use and transmission of DMARC reporting and if so you should disable DMARC reporting as appropriate.

DMARC requires use of STARTTLS whenever it is offered by report receivers however there's no way to predict or police this.  However, you should enable STARTTLS if you haven't already (see Setup | System | Encryption).

The Authentication-Results header has been extended to include DMARC processing results. Note that Authentication-Results includes some data in comments for debugging purposes including the DMARC policy requested by the domain owner which is not necessarily the action taken on the message. For example, when the result of a DMARC check is "pass" it does not matter what the DMARC policy states as policy is only applied to DMARC checks which "fail". Similarly, when the result of a DMARC check is "fail" and the policy is "reject" the message may be accepted anyway for local policy reasons. Use of this header for filtering should take all this into account.  Alternatively, filter for "X-SGDMARC-Fail-policy: quarantine" or "X-SGDMARC-Fail-policy: reject" to filter these messages into spam folders or whatever you want to do.  SecurityGateway strips out the "X-SGDMARC-Fail-policy:" header from every incoming message.

Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header or they are not processed which basically means that the absence of a single (one and only one) properly formed (according to RFC specifications) RFC5322 From field renders the message invalid generally and therefore invalid for DMARC processing.

Several new screens have been added at Security | Anti-Spoofing where you can set various options related to DMARC use. 

DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the verified identities that those two mechanisms provide.  You can't make productive use of DMARC for inbound mail without one or both of those technologies enabled. The UI will try to enforce this. 

[3961] Bind Domain to an IP address

 For servers that have multiple IP addresses assigned, each domain may be bound to a specific IP address.  Mail from the domain will be sent from this IP address.

A SMTP Hostname may also be specified for the domain. This value is the Fully Qualified Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending mail for the domain. For incoming connections, this value will be used unless multiple domains are bound to the IP address, in which case the FQDN used will be the one that is associated with the domain that is first in alphabetical order.

CHANGES AND NEW FEATURESS

• [16701] Updated ClamAV engine to version 0.99.2
• [16263] Updated to version 8.00.0122 of the Cyren Outbreak Protection SDK
• [16594] All support for the original DomainKeys message authentication system has been removed.  DomainKeys is obsolete and has been replaced by the acceptance and adoption of DKIM which SecurityGateway continues to support.  Some web interface dialogs related to DomainKeys and DKIM found within Security | Anti-Spoofing have been reorganized as a result and options related to DomainKeys removed and the remaining options better consolidated.  The install process will remove DomainKeys.dll.
• [16983] All support for Sender-ID has been removed.  This technology never caught on and is obsolete.
• [16338] All references to "company.mail" have been changed to "company.test" to comply with RFC 6761
• [15573] Updated the look of the quarantine report emails to match the new SG GUI update
• [15568] Added check boxes to lists that allow the selecting of multiple list items
• [16424] Added an option to decide when to display the charts on the Main and My Account landing pages to Main -> My Account -> Settings and to Setup / Users -> Account -> User Options. The 4 choices are "Automatic" (default), "Always", "Manual", and "Never".
• [16365] Added X-Frame-Options: SAMEORIGIN header to HTTP responses
• [16425] Added X-XSS-Protection: 1 header to HTTP responses
• [16275] The Free Disk Space Monitoring page has been changed to display values in MB instead of KB.  The default "low disk space value" (the value below which SecurityGateway believes the disk is running low and starts complaining about it) was changed from 10MB to 1000MB.  Likewise, the "auto-shutoff value" (the value below which SecurityGateway will disable mail services due to critically low disk space) was changed from 1MB to 100MB.  Please check and change the values at Setup|System|Disk Space if they present a problem for you.
• [137] Added description for system service, when viewed from the services manager
• [16582] The "... unless message is TO a local account" exclusion for the "Only domain mail servers can send local mail" Relay Control option is now disabled by default
• [1692] Added the ability to filter the message log by sender IP using CIDR notation, simply enter the CIDR pattern as the IP address in the filter dialog
• [15606] Removed the "Blacklist" link from the quarantine report email by default.  Added a "Confirm as Spam" link that will learn the message as spam if Bayesian learning is disabled and delete the messages from the user's quarantine.  The "Blacklist" link can be restored via an option in Setup | Mail Configuration | Quarantine Options.

FIXES

• [15697] fix to Host, Addresses Blacklist and Address Whitelist dialogs are cut off at bottom when using Firefox
• [16125] fix to outbound SMTP session hangs if server returns that it supports AUTH but lists no AUTH methods
• [16248] fix to message that contains embedded NULL characters is corrupted
• [16305] fix to message collected from remote POP accounts may be discarded if case does not match
• [16364] fix to if quarantine_report.xsl is found custom_admin_quarantine_report.xsl is also assumed to exist
• [16041] fix to cannot change a local admin to an external admin
• [16042] fix to cannot edit an external administrator
• [15605] fix to DKIM will not sign messages if the sender's domain name specified in the SMTP session contains upper case letters
• [15732] fix to Message Log "Subject Starts With" search condition returns no results when using "NOT"
• [16279] fix to Security->Anti-Spam->Greylisting unable to click "Exclude messages from domain mail servers"
• [16910] fix to Unable to "Delete All" quarantined messages when using a filter with a date range set
• [16986] fix to subject tag based upon the message's score is not added if the message is also quarantined due to its score
• [17047] fix to no result feedback message is displayed after using the Spam/Not Spam toolbar buttons from the Quarantined (Admin) view.
• [17048] fix to the sending of Administrative Quarantine reports are not logged to system log
• [17115] fix to mouse cursor is not changed to a pointer when hovering over enabled paging bar icons that can be clicked
• [17121] fix to no VBR certifiers are trusted when multiple values are specified for "Host name(s) of certification services that I trust"
• [11789] SPF verifier ignoring CIDR pattern for A and MX policies
• [17041] fix to Outbreak Protection queries may fail with "Unable to comply with the request because you are not licensed for the antispam or VOD service" after registration key is updated until SecurityGateway service is restarted

SecurityGateway 3.0.3

CHANGES AND NEW FEATURES

• [8481] Compressed archive files (.zip and .rar) are now scanned for restricted attachments.  Archive files are recursively scanned up to a depth of 16 levels.
• [13435] Added "STARTTLS Whitelist" and "STARTTLS Required List" options to Setup | Encryption.  STARTTLS will never be used when sending to IP addresses, hosts, or domains on the STARTTLS whitelist.  STARTTLS will never be advertised to connecting hosts/IPs on the STARTTLS whitelist.  SMTP connections to hosts/IPs on the STARTTLS Required list MUST use STARTTLS. If STARTTLS is not available or fails, the message will not be sent.
• [13657] Added option to Setup | Encryption which allows you to temporarily white list hosts which encounter an SSL error during an SMTP session.  The white list is reset every hour.
• [13803] SecurityGateway now supports TLS 1.1 and 1.2. Requires Windows 7 / Server 2008 R2 or newer.
• [13974] Added an option for a global administrator to export all whitelists and blacklists to a CSV file.  This includes the global, domain, and user lists.
• [14400] Update Outbreak Protection SDK to version 8.0.110
• [15124] SecurityGateway trial keys are now sent via email and must be entered into the installer to continue. The trial period is 30 days.
• [12688] Updated charting component to eliminate dependency of Adobe Flash
• [13869] Added an option to Setup / Users | User Options | Configuration to "Send an alert to global administrators when a new user is created"
• [15534] Added a "Delete All" button to Bad Messages queue view.  Clicking the "Delete" dropdown menu will allow the user to delete the selected messages or to delete all messages.
• [15171] Updated SpamAssassin to version 3.4.1
• [15432] Added option to My Account | My Settings and Setup | Mail Configuration | Quarantine Configuration to control how the quarantine report email is sorted.  By default the quarantine report will continue to be sorted by date received, however it can now be sorted by sender or subject.
• [15553] Updated Cyren Antivirus to version 5.4.6-r1
• [14326] Updated to latest version of libdkim library

FIXES

• [616] fix to SQL error "Execute(execute procedure update_user(?,?,?,?,?,?,?,?)) ... update conflicts with concurrent update" logged to system log
• [13970] fix to "Maximum Bayesian Database Tokens" field in web interface should allow 6 digits
• [13994] fix to the height of the tab pane on the new/edit remote POP account dialog may be too small
• [13996] fix to System log may contain database error "Deadlock... Context: Statement::Execute(delete from failedauth where ip=?)"
• [13997] fix to the "verify from" Sieve condition may fail in custom Sieve scripts even if the message is from a local user
• [13998] fix to searching message log by sender or subject may return no records, "invalid token" database exception logged to System log file
• [14011] fix to installer still contains old domain cap logic. This may prevent installation in specific scenarios.
• [14059] fix to Transient Delivery Failure messages are no longer being generated on delivery problems
• [14333] fix to message log entries for which "no mail was sent" are not removed by the nightly maintenance process
• [15383] fix to domain aliases are not included in configuration only backup
• [15789] fix to after enabling the "... unless message is from a whitelisted IP address or host" option for SMTP Authentication, the option is not checked when returning to the page
• [15846] fix to bandwidth Throttling speed logged to SMTP session transcript is incorrect
• [15884] fix to recipient parsed from mail collected via a POP account is rejected if the Recipient's address is for a cross domain alias
• [16014] fix to new virus definitions may not be used until the Cryen AV engine is reloaded

SecurityGateway for Email Servers v3.0 Release Notes

Developed with over 10 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

SecurityGateway 3.0.2 - September 9, 2014

CHANGES AND NEW FEATURES

• [10328] Added an option to exempt specific file names from the "Quarantine messages that cannot be scanned" feature.  This allows SecurityGateway to receive password protected files with a known file name.
• [13477] Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has been added. This governs the value of the "WITH" clause in Received headers. This means you'll see "ESMTP" for unauthenticated non-SSL sessions, "ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions, or "ESMTPSA" for authenticated & SSL sessions.
• [13564] Added "unless message is from a whitelisted IP address or host" exemption option for SMTP Authentication

FIXES

• [13457] fix to reports contain no result for custom date range where start and end dates are the same
• [13486] fix to message transcript data orphaned in database if the data retention option to not log incomplete messages to the database is enabled
• [13487] fix to can only use number pad negative sign for "Add to message score" action
• [13500] fix to a rejected message, for which the message data was received and retained, that is selected for redelivery is not delivered becomes stuck in the delivery queue
• [13509] fix to in the system log file, the time required to complete database maintenance is incorrect if the process take an extremely long time
• [13559] fix to Cyren AV engine reports messages with quoted printable encoding that does not strictly follow the standard as corrupt.  This causes the message to be placed into the "Administrative Quarantine" if the option to "Quarantine messages that cannot be scanned" is enabled.
• [13406] fix to empty SMTP AUTH password may cause process to terminate
• [13382] fix to warning string in license file causes dashboard view to not load
• [13321] fix to time logged for database maintenance process to delete old messages is incorrect
• [13422] fix to domain administrator cannot release an item from the Administrative Quarantine
• [13425] fix to failed CRAM-MD5 AUTH attempt followed by successful AUTH LOGIN for same user still counts towards failed auth dynamic screening threshold
• [13672] fix to incorrect port logged for connections received on dedicated SSL port

SecurityGateway 3.0.1 -  June 17, 2014

FIXES

• [13227] fix to certain viruses may not be detected by the CyrenAV engine when the "Attempt to clean infected messages" option is enabled
• [13240] fix to unable to login when French language is selected
• [13246] fix to database exception during nightly maintenance causes process to crash.  The exception is now handled and logged to the system log file.
• [13255] fix to the translated text for the "Russian" language selection on the logon page language menu is "English" and not "Russian"
• [13278] fix to unable to use domain's SMTP AUTH password to authenticate
• [13276] fix to unable to perform a new installation using the Japanese language installer because the Next button is not enabled after completing the Customer Information dialog
• [13295] fix to login page may "jump" while loading the logo image
• [13296] fix to when delivering mail additional MX records are not attempted if the TCP connection is successful, but the connection terminates without an SMTP protocol error occurring. Examples of this include an SMTP session that times out or is closed by the other side.

SecurityGateway 3.0.0 - May 27, 2014

SPECIAL CONSIDERATIONS

• [12243] Outbreak Protection and CYREN AntiVirus are now included in SecurityGateway!
  • The ProtectionPlus add-on is no longer needed to add an additional layer of antivirus and spam protection to SecurityGateway and has been discontinued. When upgrading to v.3.0 the installer will inform the user that it must automatically uninstall ProtectionPlus before proceeding. Please note that if upgrading from within the web interface, there is no opportunity for a prompt and that ProtectionPlus will be automatically uninstalled.
  • Kaspersky AV integration, which was previously provided via the ProtectionPlus add-on, has been replaced with CYREN AntiVirus built in to SecurityGateway.
• [12957] Active Software License Renewal coverage is required for Cyren Outbreak Protection, Cyren AntiVirus, ClamAV updates, SpamAssassin updates, and Bayesian Learning.
• [12958] The trial period has been changed. A hassle free 14 day trial period is now offered without the need to provide any contact information. Simply install the product and a trial license will be automatically downloaded. The trial period may be extended to 30 days by providing valid contact information.

CHANGES AND NEW FEATURESS

• [1444] Dynamic screening for failed SMTP authentication attempts now works across sessions over time. Previously, the failed authentication attempts had to occur within a single session. The failed authentication count for an IP is reset at midnight, or when it is blocked and added to the dynamic screening list.
• [1485] Added "User Verification Source Options" page with options that allow response caching and user re-verification to be configured.
• [3597] Added "Released" as a reason when filtering the message log
• [3618] Added the ability to exclude whitelisted senders, authenticated sessions, and domain mail servers from attachment filtering
• [11386] Restart clamd.exe immediately if "unable to allocate memory" or "cannot create thread" error occurs
• [11702] SecurityGateway.exe is now Large Address Aware, allowing it to use up to 4 GB of RAM on a 64-bit OS.
• [11703] Added "Spam" and "Not Spam" buttons for Bayesian Learning to the quarantine views
• [12367] Updated Firebird database engine to version 2.1.5
• [12368] Updated ClamAV to version 0.98
• [12456] Updated Chilkat library to 9.4.1
• [12542] Improved whitelisting or blacklisting a sender directly from the message log or quarantine
  • Added "Whitelist" and "Blacklist" button to the domain and global views
  • Domain administrators may add the sender to the recipient domain's list
  • Global administrators may add the sender to the global list
  • Allow the sender's domain to be added, as a wildcard entry
• [12817] Updated product logos
• [12936] Added support for using the hostname returned by PTR lookup as a condition in SIEVE scripts
• [13031] Added option to automatically redirect HTTP requests for the web interface to HTTPS

FIXES

• [9051] fix to the Bayesian learning process fails if the Bayesian DB path in SpamAssassin's local.cf file contains a parenthesis. The impacts most installations on a 64bit OS as the default install location is "Program Files (x86)"
• [10118] fix to when delivering remote mail, other MX records are not tried when the TCP connection is successful but a SMTP protocol timeout occurs
• [10126] fix to unable to disable "Close SMTP session after banning IP" setting under Dynamic Screening
• [10961] fix to Account Hijack detection does not kill current session when account is disabled
• [11049] fix to Notepad does not detect logs as UTF-8 encoded
• [11146] fix to unable to disable "... include original message when informing the sender" option under "Mail Delivery"
• [11219] fix to SSL negotiation error 0x80090308 when sending to certain SMTP servers
• [11240] fix to Bayesian auto-learning does not occur if message is rejected
• [11300] fix to when searching the message log, a search string that contains a single quote results in an SQL error and no results are returned
• [11308] fix to dashboard displays negative days remaining in trial after trial license has expired
• [11428] fix to "Save" button may not be enabled on "Quarantine Options" page
• [11442] fix to Administrative Quarantine Report interval still displayed as "Daily" after being changed to another value
• [11639] fix to installer unable to validate license when system does not have a MAC address
• [12013] fix to redelivering a message needs to change the MessageID, or Exchange will believe it is a duplicate and not deliver it
• [12188] fix to unable to change just license name or company while leaving registration key the same
• [12256] fix to disabled user can still authenticate if the user is enabled on the user verification source
• [12312] fix to cannot access login page when installed on Windows Server 2012 R2
• [12353] fix to unable to verify SPF record that contains "ip6" mechanism
• [12378] fix to if a sender's name contains non-ASCII characters separated by a comma, it may be rejected by the RFC compliance test
• [12387] fix to possible installer crash seen on Windows Server 2012 64bit
• [12397] fix to script error after adding DNSBL response that contains an ampersand character
• [12411] fix to message with a subject containing UTF8 line break (0xE2 0x80 0xA8) character will prevent the mesage log from being displayed
• [12439] fix to "Configuration Only" backup may fail with "violation of FOREIGN KEY constraint 'FK_DOMAINUSERS_USER' on table 'DOMAINUSERS'"
• [12469] fix to potential database deadlock "update conflicts with concurrent update" when updating dynamic screening record for an IP address
• [13023] fix to if the license file contains a warning, it is logged to the system log every minute
• [13028] fix to no entry logged to system log for update check that runs as part of the midnight maintenance process
• [13064] fix to installer may download license file to wrong location
• [13086] fix to the global IP address and Host blacklists are not checked until the RCPT event. This allows a blacklisted IP or Host to attempt to authenticate using the AUTH command.
• [13135] fix to unable to verify license file if serial number in the database is in lower case