SecurityGateway for Email Servers v8.0 Release Notes

Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

Click here to learn more about SecurityGateway for Email Servers.

SecurityGateway 8.0.0 - March 23, 2021

MAJOR NEW FEATURES

• [23935] Support for active - active database replication.  This functionality requires the purchase of an external replication tool.  For additional details, please see: SecurityGateway: Configuring Active-Active Database Replication
• [21299] Data Leak Prevention - Search for medical terminology. A list of medical terms may be defined and a score assigned to each. Messages are scanned for matching terms and the sum of the scores for all terms found is calculated. The specified action is performed on messages for which the calculated score exceeds the defined threshold.
• [23795] Added ability to run a custom process/script during message processing and select an action based on the result of the script.
  • The script must be placed in the "Sieve Executable Path" directory which can be configured from Setup | System | Directories. 
  • The "execute" sieve keyword has been added which may be used as an action and a test.
  • First parameter is the name of the script.  At this time, .bat, .exe, and PowerShell are supported.
  • The second parameter is arguments that will be passed to the process.  The message_filename is populated with the full path to the RFC822 source of the message being currently processed.
  • For example... if execute "Test.ps1" "-msg '${message_filename}'" { }
• [21918] Added the ability to export all archived messages for a domain.
• [24282] Change/Audit logging - Added a new log file which logs changes to the configuration and who made them.
• [4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
• [545] Added option to only include new (those messages quarantined since the last quarantine report email was sent) quarantined messages in the quarantine report email.  A quarantine report will not be generated if there are no messages to include in the report.

CHANGES AND NEW FEATURES

• [24305] Updated the "Forgot Password" process to send an email with a link to change the user's password.
• [24299] LetsEncrypt - Update script to look for the new Issuer being used by LetsEncrypt.
• [24307] Updated DKIM Signing to use SHA256 hash.
• [24326] Added GetServerSetting and PutServerSetting methods to XMLRPC API and PowerShell module.
• [9344] Added the SMTP connection and protocol timeouts to the Setup | Mail Configuration | Email Protocol page.
• [24315] Added the ability to download attachments from the Message Log | Message Information | Message tab.
• [24292] Updating the alert, confirm, and prompt message boxes.
• [24376] Added several example PowerShell scripts to the docs\API\PowerShell Samples directory for reference.
• [24348] The HELO Domain Name value (Setup | Mail Configuration | Email Protocol) is now a per-server setting in clustered environments.  The value may be set to a unique value on each server in the cluster.
• [4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
• [16386] Added the ability to manually execute an SQL statement against the database from the web interface.  This feature should only be used on the instruction of technical support and it is recommended that a database backup be performed first.
• [24550] Added option to include "Blacklist Domain" link in the quarantine report email.
• [24608] Updated Cyren AV engine to version 6.4.0r2.

FIXES

• [24253] fix to DKIM verification behavior is opposite that of the "Verifier requires signatures to protect the Subject header" option value
• [24298] LetsEncrypt - change the script look at the DnsName instead of subject when looking for old certificates to remove
• [24344] LetsEncrypt - update the script to get/set SSLTLS settings from the new location
• [24269] fix to Virus Scanning "Exclude messages from whitelisted sender" option has no effect.  This was resolved by removing the option as it was added inadvertently.
• [24351] fix to XML-RPC API does not let the ordinal (position) of a system generated Sieve script to be changed
• [24352] fix to editing a Sieve script moves it to the bottom of the list
• [24268] fix to the "Message score" Sieve script runs before domain specific scripts that adjust the score
• [24444] fix to unable to copy "custom branding/custom images" settings from a domain to other domains
• [24449] fix to if MTA-STS is enabled delivery of certain messages may be delayed
• [24383] fix to process crashes when accessing archive store when the location does not exist
• [24358] fix to Office 365/AD User verification source removes disabled accounts setup as shared mailboxes
• [24511] fix to cannot scroll Log Viewer on the x-axis for desktop sizes
• [24512] fix to several minior message viewer display issues
• [24582] fix to virus scanning email address exclusion list is not used if the recipient domain has specified its own virus scanning settings
• [24313] fix to virus scanning email address exclusion list is only used for the first recipient of the SMTP session
• [24599] fix to message sent to a remote domain is not BATV signed if a previous RCPT in the SMTP session is a local user
• [24592] fix to web interface does not reload and hangs when saving after changing port values in Setup | Mail Configuration | Email Protocol
• [24303] fix to Cyren AV mistakenly detects some PDF files as being password protected

SecurityGateway for Email Servers v7.0 Release Notes

Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

Click here to learn more about SecurityGateway for Email Servers.

SecurityGateway 7.0.1 - October 6, 2020

CHANGES AND NEW FEATURES

• [23958] HTML to plain text conversion result is now cached for the duration of message processing. This improves performance when multiple sieve "body" tests are executed against a message.
• [24013] Updated ClamAV to version 0.103.0
• [23788] Added HTTPS certificate checking to Cyren AV updater

FIXES

• [23880] fix to sieve variables "string" test not implemented per rfc-5229
• [22742] fix to "Send Administrative Quarantine report every X hours" option sends the report every hour regardless of the value
• [23984] fix to RMail - when encrypting, if To header contains carriage returns the comma at the end of each address may be removed
• [23954] fix to incomplete SMTP sessions appearing in the message log when the IP is configured to skip logging
• [23927] fix to Exchange/AD User verification source detects Exchange shared mailboxes as disabled and returns "user not found"
• [24023] fix to Non-Delivery Report (NDR) messages are not sent for permanent delivery failures
• [24024] fix to adding an alias to a user that is assigned to a another account reassigns all aliases
• [23996] fix to unable to change action take if a virus is found
• [24040] fix to quarantine reports and other maintenance tasks are not performed if database is moved to another computer
• [24028] fix to Encryption | Select Certificate | Make Default link does not work
• [24043] fix to web interface does not load when Russian language is selected from login screen

SecurityGateway 7.0.0 - August 18, 2020

SPECIAL CONSIDERATIONS

• Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite existing clamd.conf.  If you have customized your clamd.conf you may need to review and make changes to clamd.conf after installation.
• [17284] The "Create log files based on the day of the week" option has been removed.  If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
• [23594] the "Setup|Mail Configuration|Email Protocol|Use ESMTP whenever possible" option has been removed.  ESMTP is now always advertised and used whenever possible.
• [23593] the "Setup|Mail Configuration|Email Protocol|Hide ESMTP SIZE command parameter" option has been removed.  The ESMTP SIZE command is now always advertised.

MAJOR NEW FEATURES

[22550] CLUSTERING

• Clustering allows multiple active SecurityGateway instances/servers to share a single database.
• A external Firebird version 3 database server must be manually installed and configured.
• An option has been added to the installer that allows external Firebird server parameters to be specified during an initial installation. An existing installation may be configured to connect to an external Firebird database server via the sgdbtool.exe command line tool.
• Each server in the cluster must have its own unique registration key.
• Shared storage is required and shared directories must be set to a UNC path that all servers in the cluster can access. This may require changing the user account for the SecurityGateway Windows Service.
• The primary server is responsible for scheduled maintenance tasks.

[17214] TWO FACTOR AUTHENTICATION

Administrators may allow and require two factor authentication (2FA) globally or per domain. If 2FA is required, the user is presented with a Setup 2FA page upon login. Otherwise the user can go to Main -> My Account -> Two Factor Authentication to setup 2FA.

[21602] CHECK FOR COMPROMISED PASSWORDS

SecurityGateway can check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service. If a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the password before and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks. Unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.

[21593] REQUIRETLS (RFC 8689)

The RequireTLS effort in IETF is finally finished. Support for this has been implemented. RequireTLS allows you to flag messages which MUST be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. For a complete description of RequireTLS see the RFC specification and especially the Abstract, Introduction, and Security Considerations sections.

RequireTLS is enabled by default. You can disable it with a new switch at Setup | System | Encryption. It's fine to leave the service enabled. Only messages specifically flagged by a rule you must create using a new Content Filter action or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com) are subject to the RequireTLS process. All other messages are treated as if the service was disabled. Several requirements must occur before a message will be sent using RequireTLS. If certain of them fail the message will not be sent and will bounce back rather than be sent in the clear. The requirements are:

• RequireTLS must be enabled via the switch mentioned above
• The message must be flagged as needing the RequireTLS treatment
• The MX record of the recipient&s domain must be validated by MTA-STS (see [21594])
• The connection to the receiving host must use SSL (STARTTLS)
• The SSL certificate of the receiving host must match the MX host name and chain to a trusted CA
• The receiving mail server must support REQUIRETLS and say so in the EHLO response
• If any of these steps fail the message is not delivered and is bounced back to sender.

[21594] SMTP MTA-STS (RFC 8461) - STRICT TRANSPORT SECURITY

The MTA-STS effort in the IETF has finished. Support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS is enabled by default. It can be disabled at Setup | System | Encryption.

[21596] SMTP TLS Reporting (RFC 8460)

TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, each day SecurityGateway will send reports to all STS-enabled domain that it has sent (or attempted to send) mail to that day.

TLS Reporting is disabled by default. It can be enabled at Setup | System | Encryption. Also make sure DKIM signing is enabled (at Security | Anti-Spoofing | DKIM Signing) because TLS Reporting emails should be signed.

[21072] DOMAIN ADMINISTRATORS CAN CREATE NEW DOMAINS

• The domain administrator is automatically added as a domain administrator for any domains that they create.
• The number of domains that the domain administrator may create can be limited.

[22364] FIREBIRD 3 IS USED FOR NEW INSTALLATIONS

• Firebird 2 and 3 runtimes are included and installed
• Firebird 2 will continue to be used for upgrades
• Upgrading the database so that it is compatible with Firebird 3 requires that it be backed up using the 2.x runtime and restored using the 3.x runtime
• Administrator may upgrade an existing database using the sgdbtool.exe command line tool

CHANGES AND NEW FEATURES

• [23350] Updated the SecurityGateway GUI with a more modern appearance.
• [22989] Updated the FusionCharts graphing component.
• [21001] Added ability to exclude specific senders from virus scanning.
• [18439] Added option for whitelist to take precedence over blacklist .
• [22650] LetsEncrypt will now check the version of PowerShell running on the machine and return an error if the correct version has not been installed.
• [22651] LetsEncrypt will now check the PSModulePath environment variable to make sure the SG module path is included, if it is not, it will be added for the session.
• [22674] LetsEncrypt will now delete and recreate the account when changing between the staging and live LetsEncrypt systems.
• [22689] LetsEncrypt will now retrieve errors from LetsEncrypt when a challenge fails and write the data to the log and to the screen.
• [22735] LetsEncrypt has a new -Staging switch that can be passed on the command line.  If this switch is passed the script will use the LetsEncrypt staging system to request a certificate.
• [23011] Updated JSTree library to version 3.3.8.
• [23355] Added ability to specify which user account the SecurityGateway Windows Service runs under
• [1490] Added support for SIEVE Variables Extension RFC 5229.
• [23412] Added :eval modifier to SIEVE Variables Extension.
• [17284] The "Create log files based on the day of the week" option has been removed.  If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
• [23402] Added an option to toggle viewing a password when it's being typed. A new access control option added to the User Options page allows this feature to be disabled.
• [23436] Changed Cyren AV updater to use TLS when downloading virus definitions.
• [23449] Added an option to include the computer name in the log file name.  This option is required if the log directory is set to a UNC path and allows multiple servers in a cluster to log to the same location.
• [23453] Added option to the installer to specify external Firebird server parameters during initial installation.
• [23466] Updated Chilkat library to verson 9.5.0.82.
• [23441] Added an option to not log SMTP or HTTP connections from specified IP addresses. Incomplete and rejected SMTP messages from a specified IP address will also not be added to database. If the message is accepted for delivery it will be added to the database.
• [17260] Increased the height of the "Aliases" and "Merge Users" boxes in the User Edit dialog
• [23812] Added Sieve action "changesender" to allow the SMTP envelope sender that SG will use to deliver the message to be changed/specified
• [23484] Updated Cyren AV engine to 6.3.0r2
• [23811] Updated ClamAV engine to version 0.102.4

FIXES

• [1482] fix to MaxScanSize, MaxFileSize and MaxRecursion settings in clamd.conf ignored by ClamAV.
• [16922] fix to Bayesian learning possibly not working.
• [23379] fix to SPF policy is truncated if DNS response is larger than 512 bytes.
• [23411] fix to DNS Server Failure returned from SPF include mechanism lookup is not logged correctly.
• [21081] fix to "Invalid country code" error in system log on clean install.
• [23195] fix to excessive time required to convert specific messages with a very large HTML body to plain text. This is required for any scripts that inspect the message body or that are archived.
• [23467] fix to user verification source password is trunctated at 24 characters
• [23468] fix to certain saved passwords are sent to the browser
• [23476] fix to option to re-verify all users may query user verification source with wrong domain and delete users that do in fact exist
• [23698] fix to redelivered archived message that cannot be delivered generates non-delivery report (NDR)
• [23584] fix to SMTP Call Back Verfication does not use SSL Whitelist
• [23483] fix to drill down from bar chart report does not display matching messages if date range is longer than 48 hours
• [23506] fix to message with non-ANSI characters is not displayed correctly when viewed from archive search results
• [23385] fix to will not uninstall if 8dot3 name creation has been disabled on the installation volume
• [23480] fix to uninstall performed on 64bit OS does not delete the HKEY_LOCAL_MACHINE\SOFTWARE\Alt-N Technologies\SecurityGateway registry key
• [23526] fix to when the "Process with the message database record..." Data Retention option is selected, the count of SMTP transcripts deleted during nightly database maintance logged to the system.log file is inccorect
• [23332] fix to RMail - Track/Prove and E-Sign will not work using trigger word only in subject
• [23740] fix to "Hide software version identification in responses and 'Received:' headers" option does not stay checked
• [23797] fix to insternal state of HTML list control may become inconsistent after "Select All"
• [23808] fix to IPv6 address found in SMTP Failure Cache results in failure to connect to IPv4 address for MX host
• [22742] fix to "Send Administrative Quarantine report every X hours" option sends the report every hour regardless of the value
• [23859] fix to a:<domain>/<prefix-length> SPF mechanism results in a DNS lookup error and is not evaluated