SecurityGateway Release Notes

SecurityGateway for Email Servers v8.0 Release Notes

Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

Click here to learn more about SecurityGateway for Email Servers.

SecurityGateway 8.5.2 - May 17, 2022

SPECIAL CONSIDERATIONS

[25911][25912] Domain administrators, by default, no longer have access to archiving or RMail settings. These permissions may be granted to a domain admin via two new settings added to the "Edit User" and "Edit Administrator" dialogs.
[26003] Changed the default behavior to not query default user verification sources for addresses where the domain is not a local domain. Starting with 8.5.0 all addresses are queried in an attempt to automatically resolve any external aliases. However, this change greatly increased the number of queries made to the default user verification sources in some environments. The default behavior has been restored to that of 8.0.4, where the default user verification sources are only queried if the domain of an unknown address is a local domain. The behavior of the "Enable automatic domain creation" has not changed, and if enabled the default user verification sources will be queried for all unknown addresses. A new user verification source option "Always query default user verification sources for external aliases" has been added to always query the default user verification sources for external aliases, without needing to enable the "Enable automatic domain creation" option.

CHANGES AND NEW FEATURES

[25693] Support for Cyren's threat lookup service has been added to the Cyren AV engine. When the AV engine detects a suspicious file that is not classified by the virus definitions it will generate a hash of the file and query Cyren's threat lookup service. Cyren’s threat lookup service is a 100% cloud-based solution that allows SecurityGateway to conduct a file integrity check and get up-to-moment classification of malware threats based on Cyren’s global threat intelligence.
[25766] Added support for SMTP AUTH PLAIN authentication
[25775] Updated FusionCharts library to version 3.18.0
[25837] Renamed "Unknown - Outbreak Protection" to "Outbreak Protection" in the AntiVirus / Inbound by Name report
[25894] Added sample PowerShell scripts that use XMLRPC API to export and import Sieve scripts. The sample PowerShell scripts may be found in the ..\Docs\API directory.
[25788] Added "send as a secure message (using built-in web portal)" and "send using REQUIRETLS" as potential actions for Data Leak Prevention | Medical Terms
[25956] Added PowerShell API samples; Create SG Domains.ps1, List Methods.ps1, and Get Method Help.ps1
[25998] LetsEncrypt script has been updated to use Acme-PS 1.5.2
[26063] Updated embedded database engine to Firebird 3.0.9
[26079] Updated ClamAV to version 0.104.3

FIXES

[25879] fix to domain selector drop down only displays the page domains (default 50) alphabetically
[25864] fix to matching whitelist/blacklist entry link in the Message Log | Message Information | Transcript view does not switch to the correct page of the list if the matching entry is not on the first page
[25186] fix to the value of the "Only include new messages quarantined since last email was sent" option for the administrative quarantine report is read from the user quarantine report settings
[25869] fix to no result feedback message is displayed when clicking the Spam/Not Spam toolbar buttons
[25887] fix to when replying to a secure message the line breaks are lost and the message received by the recipient is a single line
[25943] fix to Secure Message Recipients may be deleted at midnight
[25867] fix to when using an external Firebird database server, the securitygatgeway.exe process crashes at startup if it is unable to communicate with the Firebird database server on port 3050. The process now exits normally and logs an appropriate error message.
[25955] fix to "Secure Web Message" is missing from the "Result" pulldown on the Message Log search pane
[25968] fix to the "Resend invitation email" link on the Secure Message Recipient edit page uses the wrong template for the email message
[25832] fix to switching between the "Remote Mail Delivery" options loses any saved password for the mail server
[25974] fix to quarantined messages are still displayed in the list after they have been whitelisted or blacklisted
[25744] fix to administrator quarantine schedule set to "On the schedule specified below:" configured to send one report per day sends a report each minute until the top of the next hour
[25988] fix to when the "Day" summary type is selected for a report, drilling down on a summary period may not list the correct messages
[25964] fix to SGSpamD.exe process stops on secondary nodes when processing messages using Bayesian learning
[22348] fix to unable to save port values higher than 32767 for Domain Mail Servers, User Verification Sources, or Remote POP Accounts
[26008] fix to resending a "Secure Web Message" from the Message Log sends the message via SMTP
[26001] fix to Addheader sieve command does not encode non-ANSI characters
[25995] fix to a matching entry in the "Attachment Filtering | Attachments to Quarantine Attachments | Exclude messages sent to email addresses listed below" list does not prevent messages from being quarantined
[26013] fix to no verification occurs when adding an alias or selecting "Merge User" in the user edit dialog. Invalid alias addresses are not added to the user when saved, however, no feedback is displayed to the user. This was introduced in the 8.0.0 release.
[21425] fix to with the "Setup | Mail Configuration | Email Protocol | Check commands and headers for RFC compliance" and the "Security | Anti-Spoofing | DMARC Settings | Refuse to accept messages if 'From' is incompatible with DMARC" options disabled messages with an invalid From header are still rejected
[26024] fix to Secure web messages deleted via the portal are removed from the database. The message should not be removed, but have its state set to "Deleted".
[26023] fix to Secure web messages that are flagged "admin quarantine" are still delivered to the secure web message portal. The message should not be visible in the portal unless an administrator releases it from the quarantine.
[26039] fix to messages collected from a remote pop account are detected as relayed messages and DATA event sieve scripts are not executed

SecurityGateway 8.5.1 - March 8, 2022

FIXES

[25866] fix to XML injection vulnerability that may disclose private data
[25834] fix to Outbreak Protection Anti-Spam configuration options are disabled and cannot be enabled
[25858] fix to changes made to POP mail source are not saved if the "Test" button is used
[25844] fix to custom branding image is not displayed on secure user account setup page
[25833] fix to Installer: Selecting Database Type "External Server" results in error "Cannot find FBCLIENT.DLL or GDS32.DLL"

SecurityGateway 8.5.0 - February 15, 2022

SPECIAL CONSIDERATIONS

[25553] 32bit builds and support for 32bit operating systems has been discontinued. Starting with SecurityGateway 8.5.0 only 64bit builds will be distributed. This allows for us to streamline development and testing and utilize libraries that are only available as 64bit. If you are currently running a 32bit build on a supported 64bit operating system, you can simply download the 64bit build and install on top of the existing installation.

MAJOR NEW FEATURES

[24440] Secure messaging web portal
- Secure messages are stored on the SecurityGateway server and are accessed by the recipient via the browser. End-to-end encryption is maintained between the SecurityGateway server and the recipient via HTTPS encryption.
- A message may be flagged as a secure message via a Content Filter rule, Data Leak Prevention rule, or a sieve script.
  - Added "Send as secure web message" as an available action in the Content Filter and Data Leak Prevention rule editors.
  - Added Sieve action "vnd.mdaemon.securewebmsg". This action can be used in manually created sieve scripts.
- A "Secure Message Recipient" account is created for external users to whom a secure message is sent.
  - May be automatically or manually created.
  - When a secure message is received for an email address, an invitation is sent to the user with a link to create an account to view the message.
  - The admin may also specify a six-digit numeric PIN that the secure message recipient must specify when creating their account. This PIN would be communicated to the recipient out of band i.e. in person, postal mail, etc.
- Secure Message Recipients may optionally compose new secure messages to a pre-defined list of local users.
[24423] User based mail routing
- Configure which domain mail server(s) email should be routed to on a per-user basis.
- Allows for a hybrid deployment where the mailboxes for some local users are hosted in the cloud while others are onsite.
- Use a single domain, and a single SecurityGateway server to route mail to mail servers running at each location of your business.
- A new flag has been added to the domain properties dialog "Do not use this mail server to deliver domain mail, only make avaliable to assign to specific domain users".
- Secure Message Recipients may optionally compose new secure messages to a pre-defined list of local users.
[171] Performance Counters
- Performance counters have been implemented to allow monitoring software to track SecurityGateways's status in real time. There are counters for the number of active sessions, the number of messages in the queues, server active / inactive states, uptime, domain count, user count, and licensing state.

CHANGES AND NEW FEATURES

[24443] Added an option to require strong passwords at Setup/Users | Accounts | User Options. The feature can be disabled per user.
[25370] The dashboard and registration pages will now display if a service provider/private cloud registration key is used.
[25508] Recipient whitelists for attachment filtering. A list of recipient addresses, including support for wildcards, may be defined for both attachment blocking and quarantining that bypass the relevant filtering.
[25631] Lets Encrypt - the script will no longer delete the log file on each run.

FIXES

[25333] fix to black and whitelists for host and IPs exported per domain are missing the domain in the CSV file
[24825] fix to MTASTS report headers contain erroneous trailing '>' character
[25147] fix to DNS Blacklists - enabling the "When rejecting a message return 'SMTP Response' rather than 'user unknown'" option has no effect
[25331] fix to per domain white listed Hosts and IP addresses are not excluded from SMTP Authentication
[25280] fix to Setup | Archiving | Configuration |Automatic Archive Store Creation - the "Save and Close" button does not close the dialog or save changes made
[25380] fix to quarantine report email message may contain lines longer than 998 characters in violation of RFC 2822
[25433] fix to When clicking Disable Two Factor Authentication button without entering password an Access Denied error is returned
[25459] fix to Two Factor Auth may break for users when a domain admin changes a setting on the User Options page
[25501] fix to "form list [ScheduleList] not found" exception when saving My Account | Settings if the user does not have the "Allow users to modify their own quarantine settings" permission
[25542] fix to unable to restore a database backup from the web interface
[21191] fix to embedded images are not displayed when viewing a message in the web interface
[25578] fix to SSL options are not restored when importing a database configuration export only backup
[25585] fix to sgdbtool attempt to restore database backup to an external Firebird Server returns error "Main database file must be specified"
[25645] fix to changes to a Domain Mail Server's domain list are not logged to the change log
[25660] fix to when delivering TLS-RPT reports the REQUIRETLS SMTP command may be issued even if the receiving server did not advertise support for it
[8613] fix to creating an alias with a domain that does not exist in SecurityGateway (external alias) results in the alias's domain being created in SecurityGateway. The newly created domain contains no users but cannot be deleted without removing all aliases of the same domain.

SecurityGateway 8.0.4 - October 26, 2021

FIXES

[25400] fix to extended high CPU usage in securitygateway.exe while verifying a particular DKIM signature
[25445] fix to high CPU time and delay in response to SMTP DATA command due to excessive record count in accounthijack table

SecurityGateway 8.0.3 - September 14, 2021

SPECIAL CONSIDERATIONS

Active Directory user verification sources now default to using Secure Authentication when SSL/LDAPS is not used. Secure Authentication does not support the distingused name format for the verification source user name. Both the DOMAIN\USER and user principal name (user@domain.com) formats are supported.

FIXES

[25281] fix to Active Directory user verification source allows an Exchange distribution list account to authenticate with any password
[25286] fix to Active Directory user verification source password verification fails when the password contains a non-ascii character
[25287] fix to Active Directory user verification source may fail when the user name is in the format of DOMAIN\USER
[25288] fix to whitelist test does not check RFC822 from header
[25300] fix to user real name is corrupted when synchronized from an Active Directory user verification source if it contains non-ANSI characters
[25308] fix to AD/LDAP user verification source error string is garbled in the log if it contains non-ANSI characters
[25309] fix to user can log in with blank password when using an AD or LDAP user verification source if "secure authentication" is disabled
[25311] fix to system generated messages are not DKIM signed

SecurityGateway 8.0.2 - August 24, 2021

CHANGES AND NEW FEATURES

[24780] Updated ClamAV to version 0.103.3
[24781] A footer may be added to messages sent using a trial version of SecurityGateway.
[24831] The Let's Encrypt script has been updated to support ECDSA certificates. Let's Encrypt is currently only supporting ECDSA certificates via their staging system and via an allowed accounts list in production. If you'd like to request an ECDSA certificate from their production system, comment out lines 1072 - 1078 in SecurityGateway\LetsEncrypt\SGLetsEncrypt.ps1. For more information, please see https://community.letsencrypt.org/t/ecdsa-availability-in-production-environment/150679. If you comment out these lines and request an ECDSA certificate without being on the allow list, you will get an RSA certificate. To request an ECDSA certificate add "-ECDSA" to the command line.
[24878] Added support for embedding the SecurityGateway web interface into an iFrame. This can be useful to integrate SecurityGateway into an existing portal/management console. A new option "Allow management interface to be embedded into a frame" has been added to the Setup | System | HTTP Server configuration page. If this option is enabled, the HTTP server will not send the X-Frame-Options: SAMEORIGIN HTTP header and changes the SameSite attribue of the session cookie to "none". HTTPS is required by modern browsers in order to send the session cookie in a third-party context.
[24837] Large messages are no longer excluded from SpamAssassin processing by default. A new option has been added to the Heuristics and Bayesian options page that allows the message size limit exclusion to be re-enabled. The initial size of the exclusion has been reset to a new default value of 2MB.
[25177] Added two new options for Active Directory User Verification Sources that are using SSL.
- Verify SSL certificate - enabled by default, may be disabled to allow an SSL certificate that cannot be verified/trusted, i.e. a self signed certificate
- Check certificate hostname - enabled by default, may be disabled to allow an SSL certificate where the hostname does not match that of the request
[24962] Added setting value to database to specify Minger query timeout and changed default timeout to 10 seconds

FIXES

[8613] fix to creating an alias with a domain that does not exist in SecurityGateway (external alias) results in the alias's domain being created in SecurityGateway. The newly created domain contains no users but cannot be deleted without removing all aliases of the same domain.
[24799] fix to Unable to restore database from within web interface
[24784] fix to securitygateway.exe process may crash after upgrade from version earlier than 6.0
[24815] fix to many instances of "Unable to load string" logged in CTAV update log with non-English installations
[24807] fix to wildcard asterisk (*) match comparator is not setting correct sieve capture variable value
[24832] fix to macros in Microsoft Office documents are still detected by ClamAV after disabling the antivirus option "Flag attachments with documents that contain macros as virus"
[24808] fix to new installations sending blank ehlo/helo command to when delivering mail
[24896] fix to SG 7.0.x English release notes are not in the history.htm file
[24895] fix to Export Archived Messages does not validate that a valid email address is specified
[24893] fix to when creating a new active archive store and the creation fails, the active flag is still cleared for the existing active archive store for the domain. This results in a new archive store being automatically created for the domain.
[24902] fix to Cyren AV updates are failing on Windows Server 2008 R2
[24919] fix to archived messages will not be exported if their hash contains an embedded NULL
[24921] fix to message received by the journal mailbox that is from a local user but to a remote address is not archived
[24959] fix to message sent from a domain alias is not DKIM signed. The DKIM selector must be added for each domain alias in DNS.
[24923] fix to message received by journaling mailbox may be archived to wrong archive store
[24835] fix to unable to delete temp file from temp folder when redirecting a message
[24738] fix to "can't format message -- message file ..\SecurityGateway\App\firebird.msg not found" logged when a Firebird database error occurs
[25109] fix to unable to create ActiveDirectory user verification source using XMLRPC API
[25110] fix to "Security | Anti-Spoofing | Reverse Lookups | Send 501 and close connection if no PTR record exists" option cannot be enabled
[25111] fix to customized quarantine report template custom_quarantine_report.xsl is not used
[25191] fix to quarantine report query may be run for "users" which were not found be the user verification source and a negative cache record was stored. This can only be seen in the system log if debug logging is enabled.
[23820] fix to potential crash in SGAV_CTAPlugin.dll

SecurityGateway 8.0.1 - April 13, 2021

FIXES

[24720] fix to SQLException prevents intial installation when the option to use the embedded database is selected
[24733] fix to UNIQUE KEY constraint violation "INTEG_28" on table "MESSAGES" logged to system log file
[24730] fix to process terminates when a configuration backup occurs if the database has not been converted to Firebird 3 format
[24724] fix to location screening selections are not saved
[24748] fix to quarantine reports are not sent on the "schedule specified" if the schedule string is not saved in English

SecurityGateway 8.0.0 - March 23, 2021

MAJOR NEW FEATURES

[23935] Support for active - active database replication. This functionality requires the purchase of an external replication tool. For additional details, please see: SecurityGateway: Configuring Active-Active Database Replication
[21299] Data Leak Prevention - Search for medical terminology. A list of medical terms may be defined and a score assigned to each. Messages are scanned for matching terms and the sum of the scores for all terms found is calculated. The specified action is performed on messages for which the calculated score exceeds the defined threshold.
[23795] Added ability to run a custom process/script during message processing and select an action based on the result of the script.
- The script must be placed in the "Sieve Executable Path" directory which can be configured from Setup | System | Directories.
- The "execute" sieve keyword has been added which may be used as an action and a test.
- First parameter is the name of the script. At this time, .bat, .exe, and PowerShell are supported.
- The second parameter is arguments that will be passed to the process. The message_filename is populated with the full path to the RFC822 source of the message being currently processed.
- For example... if execute "Test.ps1" "-msg '${message_filename}'" { }
[21918] Added the ability to export all archived messages for a domain.
[24282] Change/Audit logging - Added a new log file which logs changes to the configuration and who made them.
[4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
[545] Added option to only include new (those messages quarantined since the last quarantine report email was sent) quarantined messages in the quarantine report email. A quarantine report will not be generated if there are no messages to include in the report.

CHANGES AND NEW FEATURES

[24305] Updated the "Forgot Password" process to send an email with a link to change the user's password.
[24299] LetsEncrypt - Update script to look for the new Issuer being used by LetsEncrypt.
[24307] Updated DKIM Signing to use SHA256 hash.
[24326] Added GetServerSetting and PutServerSetting methods to XMLRPC API and PowerShell module.
[9344] Added the SMTP connection and protocol timeouts to the Setup | Mail Configuration | Email Protocol page.
[24315] Added the ability to download attachments from the Message Log | Message Information | Message tab.
[24292] Updating the alert, confirm, and prompt message boxes.
[24376] Added several example PowerShell scripts to the docs\API\PowerShell Samples directory for reference.
[24348] The HELO Domain Name value (Setup | Mail Configuration | Email Protocol) is now a per-server setting in clustered environments. The value may be set to a unique value on each server in the cluster.
[4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
[16386] Added the ability to manually execute an SQL statement against the database from the web interface. This feature should only be used on the instruction of technical support and it is recommended that a database backup be performed first.
[24550] Added option to include "Blacklist Domain" link in the quarantine report email.
[24608] Updated Cyren AV engine to version 6.4.0r2.

FIXES

[24253] fix to DKIM verification behavior is opposite that of the "Verifier requires signatures to protect the Subject header" option value
[24298] LetsEncrypt - change the script look at the DnsName instead of subject when looking for old certificates to remove
[24344] LetsEncrypt - update the script to get/set SSLTLS settings from the new location
[24269] fix to Virus Scanning "Exclude messages from whitelisted sender" option has no effect. This was resolved by removing the option as it was added inadvertently.
[24351] fix to XML-RPC API does not let the ordinal (position) of a system generated Sieve script to be changed
[24352] fix to editing a Sieve script moves it to the bottom of the list
[24268] fix to the "Message score" Sieve script runs before domain specific scripts that adjust the score
[24444] fix to unable to copy "custom branding/custom images" settings from a domain to other domains
[24449] fix to if MTA-STS is enabled delivery of certain messages may be delayed
[24383] fix to process crashes when accessing archive store when the location does not exist
[24358] fix to Office 365/AD User verification source removes disabled accounts setup as shared mailboxes
[24511] fix to cannot scroll Log Viewer on the x-axis for desktop sizes
[24512] fix to several minior message viewer display issues
[24582] fix to virus scanning email address exclusion list is not used if the recipient domain has specified its own virus scanning settings
[24313] fix to virus scanning email address exclusion list is only used for the first recipient of the SMTP session
[24599] fix to message sent to a remote domain is not BATV signed if a previous RCPT in the SMTP session is a local user
[24592] fix to web interface does not reload and hangs when saving after changing port values in Setup | Mail Configuration | Email Protocol
[24303] fix to Cyren AV mistakenly detects some PDF files as being password protected

SecurityGateway for Email Servers v7.0 Release Notes

Click here to learn more about SecurityGateway for Email Servers.

SecurityGateway 7.0.1 - October 6, 2020

CHANGES AND NEW FEATURES

[23958] HTML to plain text conversion result is now cached for the duration of message processing. This improves performance when multiple sieve "body" tests are executed against a message.
[24013] Updated ClamAV to version 0.103.0
[23788] Added HTTPS certificate checking to Cyren AV updater

FIXES

[23880] fix to sieve variables "string" test not implemented per rfc-5229
[22742] fix to "Send Administrative Quarantine report every X hours" option sends the report every hour regardless of the value
[23984] fix to RMail - when encrypting, if To header contains carriage returns the comma at the end of each address may be removed
[23954] fix to incomplete SMTP sessions appearing in the message log when the IP is configured to skip logging
[23927] fix to Exchange/AD User verification source detects Exchange shared mailboxes as disabled and returns "user not found"
[24023] fix to Non-Delivery Report (NDR) messages are not sent for permanent delivery failures
[24024] fix to adding an alias to a user that is assigned to a another account reassigns all aliases
[23996] fix to unable to change action take if a virus is found
[24040] fix to quarantine reports and other maintenance tasks are not performed if database is moved to another computer
[24028] fix to Encryption | Select Certificate | Make Default link does not work
[24043] fix to web interface does not load when Russian language is selected from login screen

SecurityGateway 7.0.0 - August 18, 2020

SPECIAL CONSIDERATIONS

Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite existing clamd.conf. If you have customized your clamd.conf you may need to review and make changes to clamd.conf after installation.
[17284] The "Create log files based on the day of the week" option has been removed. If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
[23594] the "Setup|Mail Configuration|Email Protocol|Use ESMTP whenever possible" option has been removed. ESMTP is now always advertised and used whenever possible.
[23593] the "Setup|Mail Configuration|Email Protocol|Hide ESMTP SIZE command parameter" option has been removed. The ESMTP SIZE command is now always advertised.

MAJOR NEW FEATURES

[22550] CLUSTERING

Clustering allows multiple active SecurityGateway instances/servers to share a single database.
A external Firebird version 3 database server must be manually installed and configured.
An option has been added to the installer that allows external Firebird server parameters to be specified during an initial installation. An existing installation may be configured to connect to an external Firebird database server via the sgdbtool.exe command line tool.
Each server in the cluster must have its own unique registration key.
Shared storage is required and shared directories must be set to a UNC path that all servers in the cluster can access. This may require changing the user account for the SecurityGateway Windows Service.
The primary server is responsible for scheduled maintenance tasks.

[17214] TWO FACTOR AUTHENTICATION

Administrators may allow and require two factor authentication (2FA) globally or per domain. If 2FA is required, the user is presented with a Setup 2FA page upon login. Otherwise the user can go to Main -> My Account -> Two Factor Authentication to setup 2FA.

[21602] CHECK FOR COMPROMISED PASSWORDS

SecurityGateway can check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service. If a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the password before and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks. Unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.

[21593] REQUIRETLS (RFC 8689)

The RequireTLS effort in IETF is finally finished. Support for this has been implemented. RequireTLS allows you to flag messages which MUST be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. For a complete description of RequireTLS see the RFC specification and especially the Abstract, Introduction, and Security Considerations sections.

RequireTLS is enabled by default. You can disable it with a new switch at Setup | System | Encryption. It's fine to leave the service enabled. Only messages specifically flagged by a rule you must create using a new Content Filter action or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com) are subject to the RequireTLS process. All other messages are treated as if the service was disabled. Several requirements must occur before a message will be sent using RequireTLS. If certain of them fail the message will not be sent and will bounce back rather than be sent in the clear. The requirements are:

RequireTLS must be enabled via the switch mentioned above
The message must be flagged as needing the RequireTLS treatment
The MX record of the recipient&s domain must be validated by MTA-STS (see [21594])
The connection to the receiving host must use SSL (STARTTLS)
The SSL certificate of the receiving host must match the MX host name and chain to a trusted CA
The receiving mail server must support REQUIRETLS and say so in the EHLO response
If any of these steps fail the message is not delivered and is bounced back to sender.

[21594] SMTP MTA-STS (RFC 8461) - STRICT TRANSPORT SECURITY

The MTA-STS effort in the IETF has finished. Support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS is enabled by default. It can be disabled at Setup | System | Encryption.

[21596] SMTP TLS Reporting (RFC 8460)

TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, each day SecurityGateway will send reports to all STS-enabled domain that it has sent (or attempted to send) mail to that day.

TLS Reporting is disabled by default. It can be enabled at Setup | System | Encryption. Also make sure DKIM signing is enabled (at Security | Anti-Spoofing | DKIM Signing) because TLS Reporting emails should be signed.

[21072] DOMAIN ADMINISTRATORS CAN CREATE NEW DOMAINS

The domain administrator is automatically added as a domain administrator for any domains that they create.
The number of domains that the domain administrator may create can be limited.

[22364] FIREBIRD 3 IS USED FOR NEW INSTALLATIONS

Firebird 2 and 3 runtimes are included and installed
Firebird 2 will continue to be used for upgrades
Upgrading the database so that it is compatible with Firebird 3 requires that it be backed up using the 2.x runtime and restored using the 3.x runtime
Administrator may upgrade an existing database using the sgdbtool.exe command line tool

CHANGES AND NEW FEATURES

[23350] Updated the SecurityGateway GUI with a more modern appearance.
[22989] Updated the FusionCharts graphing component.
[21001] Added ability to exclude specific senders from virus scanning.
[18439] Added option for whitelist to take precedence over blacklist .
[22650] LetsEncrypt will now check the version of PowerShell running on the machine and return an error if the correct version has not been installed.
[22651] LetsEncrypt will now check the PSModulePath environment variable to make sure the SG module path is included, if it is not, it will be added for the session.
[22674] LetsEncrypt will now delete and recreate the account when changing between the staging and live LetsEncrypt systems.
[22689] LetsEncrypt will now retrieve errors from LetsEncrypt when a challenge fails and write the data to the log and to the screen.
[22735] LetsEncrypt has a new -Staging switch that can be passed on the command line. If this switch is passed the script will use the LetsEncrypt staging system to request a certificate.
[23011] Updated JSTree library to version 3.3.8.
[23355] Added ability to specify which user account the SecurityGateway Windows Service runs under
[1490] Added support for SIEVE Variables Extension RFC 5229.
[23412] Added :eval modifier to SIEVE Variables Extension.
[17284] The "Create log files based on the day of the week" option has been removed. If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
[23402] Added an option to toggle viewing a password when it's being typed. A new access control option added to the User Options page allows this feature to be disabled.
[23436] Changed Cyren AV updater to use TLS when downloading virus definitions.
[23449] Added an option to include the computer name in the log file name. This option is required if the log directory is set to a UNC path and allows multiple servers in a cluster to log to the same location.
[23453] Added option to the installer to specify external Firebird server parameters during initial installation.
[23466] Updated Chilkat library to verson 9.5.0.82.
[23441] Added an option to not log SMTP or HTTP connections from specified IP addresses. Incomplete and rejected SMTP messages from a specified IP address will also not be added to database. If the message is accepted for delivery it will be added to the database.
[17260] Increased the height of the "Aliases" and "Merge Users" boxes in the User Edit dialog
[23812] Added Sieve action "changesender" to allow the SMTP envelope sender that SG will use to deliver the message to be changed/specified
[23484] Updated Cyren AV engine to 6.3.0r2
[23811] Updated ClamAV engine to version 0.102.4

FIXES

[1482] fix to MaxScanSize, MaxFileSize and MaxRecursion settings in clamd.conf ignored by ClamAV.
[16922] fix to Bayesian learning possibly not working.
[23379] fix to SPF policy is truncated if DNS response is larger than 512 bytes.
[23411] fix to DNS Server Failure returned from SPF include mechanism lookup is not logged correctly.
[21081] fix to "Invalid country code" error in system log on clean install.
[23195] fix to excessive time required to convert specific messages with a very large HTML body to plain text. This is required for any scripts that inspect the message body or that are archived.
[23467] fix to user verification source password is trunctated at 24 characters
[23468] fix to certain saved passwords are sent to the browser
[23476] fix to option to re-verify all users may query user verification source with wrong domain and delete users that do in fact exist
[23698] fix to redelivered archived message that cannot be delivered generates non-delivery report (NDR)
[23584] fix to SMTP Call Back Verfication does not use SSL Whitelist
[23483] fix to drill down from bar chart report does not display matching messages if date range is longer than 48 hours
[23506] fix to message with non-ANSI characters is not displayed correctly when viewed from archive search results
[23385] fix to will not uninstall if 8dot3 name creation has been disabled on the installation volume
[23480] fix to uninstall performed on 64bit OS does not delete the HKEY_LOCAL_MACHINE\SOFTWARE\Alt-N Technologies\SecurityGateway registry key
[23526] fix to when the "Process with the message database record..." Data Retention option is selected, the count of SMTP transcripts deleted during nightly database maintance logged to the system.log file is inccorect
[23332] fix to RMail - Track/Prove and E-Sign will not work using trigger word only in subject
[23740] fix to "Hide software version identification in responses and 'Received:' headers" option does not stay checked
[23797] fix to insternal state of HTML list control may become inconsistent after "Select All"
[23808] fix to IPv6 address found in SMTP Failure Cache results in failure to connect to IPv4 address for MX host
[22742] fix to "Send Administrative Quarantine report every X hours" option sends the report every hour regardless of the value
[23859] fix to a:<domain>/<prefix-length> SPF mechanism results in a DNS lookup error and is not evaluated