SecurityGateway for Email Servers v6.0 Release Notes
Developed with 20 years of proven email security expertise, SecurityGateway provides
affordable email security. It protects against spam, viruses, phishing, spoofing,
and other forms of malware that present an ongoing threat to the legitimate email
communications of your business.
Click here to learn more about SecurityGateway for Email Servers.
SecurityGateway 6.5.0 - November 5, 2019
SPECIAL CONSIDERATIONS
- [22445] The LetsEncrypt functionality has been updated to use ACME v2. This update is required because LetsEncrypt is discontinuing support for ACME v1. PowerShell 5.1 and .Net Framework 4.7.2 are now required in order to use LetsEncrypt.
CHANGES AND NEW FEATURES
- [21300] Added support to host the database on a standalone external Firebird server. A "-setdbconnect" parameter has been added to sgdbtool.exe to specify the IP address, database path/alias, username, and password to use when connecting to the database.
- [22033] Added XML API functions to manage Sieve scripts
- [22125] Added XML API functions to enable archiving and manage archive stores
- [21519] All settings related to DKIM ADSP have been deprecated and removed
- [22451] Updated ClamAV to version 0.102.0
- [22370] Added support to scan RAR archives for attachment filtering.
- [16384] Added ability to scan TNEF (winmail.dat) files for restricted attachments
- [22129] Messages from a domain mail server are DKIM signed (if enabled) even if SMTP session has not authenticated
- [20906] Added option to detect macros in documents during virus scanning
- [21814] Updated Cyren AV engine to version 6.2.2-rc2.
- [21315] Added support to send a journaling report with a copy of all accepted messages to a specified email address
- [20223] Added the ability to remove the subject tag used to trigger RMail processing
- [22025] Added the ability to exclude calendar invitation messages from RMail processing
- [22231] Disabled registry reflection, the "64bit Windows Registry" is always used even with the 32bit build running on a 64bit operating system. Existing registry keys and values that may exist in the Wow6432bit node are copied to the non-reflected location HKEY_LOCAL_MACHINE\SOFTWARE\ALT-N Technologies\SecurityGateway.
- [4616] The "Include "Blacklist" link in quarantine email" option has been renamed to "Include "Blacklist" option in quarantine list and email" and also applies to the user's quarantine list view in the web interface
FIXES
- [22315] fix to saving a content filter rule resets its order in the Sieve script listipt list
- [21454] fix to SMTP Call Forward verification may attempt to use CRAM-MD5 even when the receiving server does not advertise support for it
- [16384] fix to possible file name problem with special characters
- [22354] fix to DNSBL "Open Resolver" and "Excessive Queries" response codes are not correctly parsed
- [22380] fix to Remote POP Accounts - The "until they are this many days old" option does not work
- [22026] fix to RMail read receipts are routed back to the RMail service
- [22302] fix to user is not asked to confirm if the archive directories/database should be deleted when deleting an archive store
- [22120] fix to unable to change sort order of quarantined message list in web interface
- [22021] fix to Call Forward Verification may attempt to verify the wrong address
- [22159] fix to Office 365 User Verification Source does not match distribution lists
- [21670] fix to Location Screening is missing from Anti-abuse menu for domain administrators
- [22162] Messages containing non-ASCII characters are corrupted if a disclaimer is added
- [22301] fix to the Security "Landing Page" displayed to domain administrators contains links to options which they do not have permission to view or edit
- [22445] LetsEncrypt: The script has been updated to use a new version of the protocol to communicate with LetsEncrypt
- [22455] fix to SMTP call forward verification may erroneously return user not found when the SMTP server returns 250 Recipient OK
SecurityGateway 6.1.0 - July 30, 2019
MAJOR NEW FEATURES
Archiving Compliance
- [21294] Delete messages from the archive. A new user permission "Allow users to delete archived messages addressed to or from their account" has been added to grant this ability to domain administrators and users.
- [21872] Delete all archived messages for a local user. Added an option to the User Settings page that allows all archived messages received or sent by the local user to be deleted from the archive.
- [21717] "Forget Contact". This feature deletes all messages addressed to or from a specific email address from the email archive. An email confirmation message may optionally be sent to the requests, the contact, or a specified email address.
- [21822] Legal Hold. If the Legal Hold function has been enabled, no emails can be deleted from the archive, regardless of all other possible configurations of user privileges and retention periods.
- [21823] Minimum archive retention period. Archived messages cannot be deleted until they reach the specified age.
- [21824] Automatically delete archived messages. Archived messages older than a specified cutoff are deleted from all active archive stores.
[21724] Office 365/Azure AD User Verification
Added a User Verification Server type for Office 365/Azure Active Directory. This allows SecurityGateway to query Office 365 (Azure Active Directory) directly to verify users, obtain associated aliases, and verify user passwords. Permission must first be granted following the steps outlined here https://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1229.
CHANGES AND NEW FEATURES
- [16034] Added the ability to search white and black lists
- [21947] Added the ability to sort the quarantine report by score. The messages with the lowest spam score, and more likely to be false positives, will appear at the top of the report.
- [21885] LetsEncrypt now includes an option to delete certificates that were issued by
LetsEncrypt, have a subject the same as the FQDN in SecurityGateway and with an expiration date
over 30 days ago. To use this option pass -RemoveOldCertificates as a command line paramter.
- [21969] LetsEncrypt: By default Powershell only supports SSLv3 and TLS1.0. Code was added to enable TLS1.0,1.1, and 1.2 for the active session. PowerShell also honors the operating system settings for client SSL/TLS protocol support, so if you disable support for TLS 1.0 as a client protocol in the operating sytem, PowerShell will not attempt to use it.
- [21894] Updated Chilkat library to verson 9.5.0.78
FIXES
- [21851] fix to when the Automatic Archive Store Creation option "Use different directories.." is enabled, the $DOMAIN$ macro is not replaced with the domain name when creating the content or index directories for an automatically created archive store.
- [21892] fix to with a very large database, sending of outbound messages may become very slow
- [21556] fix to non breaking space characters in quarantine summer email are displayed as 'Â' in mail client
- [21914] fix to system service crashes if archive store firebird database cannot be created
- [21935] fix to potential hang on shutdown attempting to shutdown sgspamd.exe
- [21941] fix to editing an existing archive store and changing the directories to a new location does not move the existing files. New files (data, database, full text index) are created when the next message is archived to the store. This results in the archive store's existing data to be orphaned and not returned in search results.
- [21915] fix to messages routed to SG from Office 365 via a mail connector are not detected as being from the domain mail server if the SMTP return path is NULL. This is the case for auto-responder messages sent by Office 365.
- [21964] fix to Office 365 user verification source failure (HTTP 400)
- [21965] fix to duplicate accounts may be created when logging in using a domain alias
- [5425] fix to when delivering mail if an MX host has multiple IP addresses (A DNS records) a connection is only attempted to the first IP address
SecurityGateway 6.0.3 - June 25, 2019
FIXES
- [21731] more for fix possible crash in SecurityGateway.exe
- [21776] fix to SecurityGateway.exe crashes when an incorrectly formatted sieve script is used
- [21779] fix to clicking a point on a report line graph does not display the corresponding messages. The messages (if any) displayed are for the wrong time period. The time period is that of the selected time plus the UTC offset of the server's time zone.
- [21790] fix to .rpost.biz appended to recipient address when the recipient address already ends with rpost.biz
- [21791] fix to messages flagged for RPost processing are not routed to the RPost mail gateway if they are destined for a local domain
- [21801] fix to crash in 32bit version with HTML disclaimer when message with empty html body is received
- [21832] fix to CTAV engine will not start after installing 64bit Japanese language installer
- [21833] fix to no results returned when drilling down from bar chart report if the item selected contains a hyphen for example user@company-mail.com
SecurityGateway 6.0.3 - June 25, 2019
FIXES
- [21731] more for fix possible crash in SecurityGateway.exe
- [21776] fix to SecurityGateway.exe crashes when an incorrectly formatted sieve script is used
- [21779] fix to clicking a point on a report line graph does not display the corresponding messages. The messages (if any) displayed are for the wrong time period. The time period is that of the selected time plus the UTC offset of the server's time zone.
- [21790] fix to .rpost.biz appended to recipient address when the recipient address already ends with rpost.biz
- [21791] fix to messages flagged for RPost processing are not routed to the RPost mail gateway if they are destined for a local domain
- [21801] fix to crash in 32bit version with HTML disclaimer when message with empty html body is received
- [21832] fix to CTAV engine will not start after installing 64bit Japanese language installer
- [21833] fix to no results returned when drilling down from bar chart report if the item selected contains a hyphen for example user@company-mail.com
SecurityGateway 6.0.2 - June 7, 2019
FIXES
- [21731] fix possible crash in SecurityGateway.exe
SecurityGateway 6.0.1 - May 21, 2019
CHANGES AND NEW FEATURES
- [21435] Added methods to view and manage IP Shielding entries to XMLRPC API
- [21436] Added methods to view and manage DKIM Selectors to XMLRPC API
- [21504] Added a PowerShell module to simplify interaction with SecurityGateway's XMLRPC API.
The module includes support for all methods available in the API. The PowerShell Command Add-On
can be used to see the name of each method as well as the parameters that are accepted and
required for each. This module requires a third party XmlRpc module that is included in the installer.
- [21628] Added an "Exclude connections if PTR record matches from punitive actions" option for HELO/EHLO lookups
FIXES
- [21373] fix to Cyren AV is unable to scan specific attachments. The Cyren AV engine reports that the attachment is corrupted, when in fact it is not. The CyrenAV engine has been rolled back to version 5.4.30 as it is able to scan these attachments without issue. Cyren plans to fix this in a future version of the Cyren AV engine, and this version will be incorporated in SecurityGateway when it is available.
- [21397] fix to system service may terminate immediately after starting it
- [21447] fix to retrying to deliver a messages results in the loss of the outbound portion of the message transcript
- [21489] fix to the "tagheader" Sieve action does not match any header if the header name parameter contains upper case letters
- [21490] fix to the "removeheader" Sieve action does not match any header if the header name parameter contains upper case letters
- [21491] fix to message data that should be removed, according to the data retention settings, is not removed from the "Messages" directory until the associated records are purged from the database
- [21429] fix to GetGlobalWhiteList and GetDomainWhitelist XMLRPC API methods return all entries when type is set to "Host"
- [21548] fix to system service will not start after installing 64bit Chinese or Russian versions
- [21454] fix to SMTP Call Forward verification may attempt to use CRAM-MD5 even when the receiving server does not advertise support for it
- [21633] fix to SMTP Call Forward verification unable to connect to user verification source due to "Error -2146893048 returned from DECRYPTMESSAGE"
- [21606] fix to when encypting messages with RMail the .rpost.biz suffix is not added to email addresses found on wrapped lines of the To: or Cc: header
- [21607] fix to RMail - E-Sign - when choosing to sign messages only "when the message subject or body contains", all messages are signed regardless of the subject
SecurityGateway 6.0.0 - February 12, 2019
SPECIAL CONSIDERATIONS
MAJOR NEW FEATURES
[9809] Message Archiving
- Added support for long term email archiving. Archived messages are fully searchable. The archived messages are stored in configurable archive stores.
[17480] 64bit Version
- A 64-bit version of SecurityGateway is now avaliable for installation on 64-bit operating systems. The 64-bit version can handle a higher number of active sessions before running out of memory.
[18560] Improved Data Leakage Prevention
- Over sixty additional data leakage prevention rule templates are now avaliable.
CHANGES AND NEW FEATURES
- [20782] Improved support for Google G Suite. If a domain mail server is configured to deliver mail to Google G Suite (aspmx.l.google.com), connections from any Google G Suite mail server will be treated as from a domain mail server. This facilitates in SecurityGateway being used as an outbound mail gateway with Google G Suite.
- [20946] The options to refuse messages that are not RFC compliant or incompatible with DMARC do additional checks for invalid syntax in the From header
- [21065] Updated inbound/outbound icons in the message log view
- [21119] Added support for TLS Server Name Indication (SNI) which allows a different certificate to be used for each domain without requiring them to be on different IP addresses. Multiple certificates can be active, and SG will use whichever one has the requested host name in its Subject Alternative Name field.
- [21124] Self-signed certificates can now be created with larger key sizes, use SHA2 instead of SHA1, and automatically include the main host name in the Subject Alternative Name field.
- [21060] Updated Cyren AV engine to version 6.2.0r2. This version fixes a few reported scanning errors.
- [21074] SMTP Callback Verification now supports encrypted connections utilizing STARTTLS
- [21194] Updated ClamAV to version 0.101.1
FIXES
- [20619] fix to possible memory corruption when sending DMARC aggregate reports
- [20867] fix to IPv6 Connection from Domain Mail Server is not recognized
- [20903] fix to DMARC aggregate reports generating invalid "policy_evaluated/disposition" value
- [21055] fix to standard email headers may not be displayed when viewing a message from the message log
- [21077] fix to attempt is made to bind to ::1 even when IPv6 is not enabled in the operating system. This results in an error being logged to the system.log file.
- [21013] fix to several sub options on the Security | Anti-Spoofing | Reverse Lookups page are not properely indented
- [20938] [20939] fix to correct domain branding images may not be displayed
- [20351] fix to maliciously formed HTML message may cause the sieve "body" test to hang
- [21142] fix to when viewing an HTML message the content is not placed in an iframe
- [21158] LetsEncrypt: updated the script to properly handle situations when a certificate has never been enabled
- [21259] fix to DLP rule editor always displays action as "administrative quarantine"
- [21260] fix to unable to enable custom DLP rule from rule editor pop-up window
SecurityGateway 5.5.0 - May 8, 2018
MAJOR NEW FEATURES
[17479] IPV6 SUPPORT
Support for IPv6 has been added. SecurityGateway will detect the level of
IPv6 capability that your OS supports and dual-stack where possible; otherwise,
SecurityGateway will monitor both networks independently. If enabled, outbound
SMTP connections will prefer IPv6 over IPv4 whenever possible.
A few options related to use of IPv6 can be found at Setup | System | IPv6.
CHANGES AND NEW FEATURES
- [20332] Updated Cyren AV engine to AVSDK 5.4.30.7. This fixes some possible
scanning error issues.
- [20333] Updated ClamAV to version 0.99.4
FIXES
- [14919] fix to values less than seven characters in length cannot be added to the
IP Whitelist and Blacklist, this prevents certain valid wildcard entries from being
entered
- [20308] fix to unable to load Content Filter Rule editor dialog in German language
- [20282] Updated to version 3.12.2 of the FusionChart libraryy
SecurityGateway 5.0.1 - February 20, 2018
CHANGES AND NEW FEATURES
- [11945] Added the ability to define which DNS servers to SecurityGateway should
query. By default the DNS servers defined in the operating system are queried.
- [20189] Updated ClamAV to version 0.99.3
- [20013] Renamed Alt-N Technologies to MDaemon Technologies
- [19927] The suffix domain "rpost.biz" is now appened to the To and CC
fields of email messages that are sent via RMail. This is necessary for certain
RMail reports to display properly.
- [20167] Custom branding now also uses domain IP binding to determine if a domain
specific branding images should be used
FIXES
- [19826] fix to logon via the XMLRPC API requires accepting terms of use
- [19869] fix to when an "Office 365" domain mail server is configured,
connections from any Office 365 mail server are considered to be from the domain
mail server. This can cause relay and anti-spam checks to be skipped for mail
received from other Office 365 domains. The logic has been improved to also
verify that the message is from a local domain before considering an Office 365
mail server to be a domain mail server.
- [19989] fix to Mailsploit address spoofing
issues
- [20053] fix to matching text is not logged when Content Filter rule matches text
in a message header
- [20165] fix to per domain branding images are not shown if HTTP request specifies
a port number
- [20197] fix to domain may be added to SSL white list when it was not attempting
an SSL negotiation
SecurityGateway 5.0.0
MAJOR NEW FEATURES
[18924] LOCATION SCREENING
A geographically based blocking system has been developed which allows you to block
incoming SMTP and Remote Administration connections being attempted from unauthorized
regions of the world. A new screen has been added at Security|Anti-Abuse|Location
Screening to configure this.
CHANGES AND NEW FEATURES
- [19501] In order to assist administrators with compliance to laws such as the General
Data Protection Regulation in the EU we are adding the ability (Setup
| User Options | Terms of User) for an administrator to add a terms of service statement
which must be accepted by the users each time they login. The user can accept
the statement by checking a box.
- [18094] Added hyperlinks to the message details view to find the matching list entry
for whitelist and blacklist matches.
- [19685] Improved support for Office 365. If a domain mail server is configured
to deliver mail to Office 365 (mail.protection.outlook.com), connections from an
Office 365 mail connector will be treated as from a domain mail server.
- [18420] Added a button, to the Message Log | Message Source view to download a message
in EML format. This option is only available when the message's content is still
available in the SecurityGateway database.
- [19537] LetsEncrypt logging will now include additional details that will make it
easier to troubleshoot. The log will include a URL to LetsEncrypt.com that will
help explain why challenges fail.
- [19284] When a message is released from the Administrative Quarantine the username
of the administrator performing the action is now logged.
FIXES
- [19556] LetsEncrypt: fix to error handling when running certutil.exe
- [18883] fix to SPF resolver does not resolve returned CNAME records when performing
lookup for TXT policy record
- [18904] fix to DMARC reports sent with wrong "mail from" address
- [18934] fix to Unable to delete item from IP black/whist list using XMLRPC API
- [19680] fix to the "RPost | Use specific relay host" option is not honored
when the "Mail Delivery | Always send every outbound email to the server specified"
option is enabled
- [19712] fix to the LetsEncrypt script does not work if the option to redirect HTTP
requests to HTTPS is enabled
- [18935] fix to DMARC reports may specify wrong SMTP return path value until the
service is restarted
- (beta only) [19780] fix to "Data Leak Prevention" section appears twice
on Security landing page
SecurityGateway 4.5.1 - May 9, 2017
MAJOR NEW FEATURES
[15657] SecurityGateway now integrates with the RMail™
service from RPost®
RMail™ is intuitive to use and there’s no requirement for your recipients to have
any special software whatsoever. RMail™ empowers email usage for consumers and businesses
of all sizes, across all industries and departments.
The RMail™ service is powered by RPost's Registered Email® technology, the global
standard for email delivery proof. The RMail™ service extends your email platform,
providing:
- Track your important emails and know precisely when they’re delivered and opened.
- Proof of Delivery, Time, and Exact Content.
- Easily encrypt sensitive emails and attachments for security or legal compliance.
- RMail™ makes it easy for all parties to e-sign and complete a transaction. delivered
and opened.
Using a free RPost account, each user is limited to sending/receiving 10 encrypted
messages per month. Additional messages can be purchased through RPost. Click here for information on plans/pricing
for increased message limits.
The RMail™ service may be enabled from the Security | RMail™ page or as an action
of a message content filter rule.
CHANGES AND NEW FEATURES
- [18524] Updated Firebird database components to version 2.1.7
FIXES
- [18602] fix to messages over 10KB in size with invalid MIME structure are not
delivered
- [18605] fix to potential crash in logic that converts HTML to text when
searching message bodies
- [18644] fix to SPF mechanisms after an "include" mechanism may not be evaluated
correctly
- [17294] fix to header is not added to quarantined messages when the "Allow mail
server or client to filter quarantined messages" and "...add header" quarantine
options are selected
- [18516] fix to scheduled database maintenance may occur in the minute before the
scheduled time
- [18517] fix to automatic database backup does not run more than once in the same
day even if the backup type or time has been changed
- [18692] fix to unable to delete message from bad message queue
SecurityGateway 4.5.0 - April 4, 2017
SPECIAL CONSIDERATIONS
[18161] The option "Honor CRAM-MD5 authentication method" found at Setup
/ Users | Mail Configuration | Email Protocol has changed to disabled by default
for security and technical reasons. Using TLS is the preferred way to avoid transmission
of passwords in the clear.
CHANGES AND NEW FEATURES
- [17644] Added a set of built-in "Data Leak Prevention" rules. These
rules can be used to assist in detecting if sensitive information is being sent
outside of the organization.
- [18447] Added the ability to compare the message body or subject in a content filter
rule condition
- [18473] Added a "MAIL and RCPT" item in the "Rule Condition Editor"
for Message Content Filter and Data Leak Prevention rules. Comparators for
this item are Inbound, Outbound, and Internal along with a negative option for each.
- Inbound - Message is to a local user and is not from a local user of the same domain
- Outbound - Message is from a local user and is not to a local user of the same domain
- Internal - Message is to and from a local user of the same domain
- [1894] Added "contains word" and "does not contain word" comparators
for message content filter and data leak prevention rule conditions. These
are similar to the "contains" and "does not contain" comparators
but will only match if there is a
word boundary anchor proceeding and following the string. This avoids
the need to manually create a regular expression in the format of \b(word1|word2|word3)\b.
- [18491] Added the ability to edit a "Currently defined string" for a content
filter or data leak prevention rule condition by double clicking it.
- [17875] Integration with Let's Encrypt via PowerShell script
Let's Encrypt is a certificate authority that provides free certificates for
Transport Layer Security (TLS) encryption via an automated process designed to eliminate
the current complex process of manual creation, validation, signing, installation,
and renewal of certificates for secure websites.
A PowerShell script that supports LetsEncrypt is now installed to the SecurityGateway\LetsEncrypt
directory. A dependency of the script, the ACMESharp module,
requires PowerShell 3.0. This means this script will not work on Windows
2003.
The SecurityGateway HTTP service must be listening on port 80 or the HTTP challenge
cannot be completed and the script will not work. You will need to correctly set
the execution policy for PowerShell before it will allow you to run this script.
Running the script will set everything up for LetsEncrypt, including putting the
necessary files in the SecurityGateway HTTP (templates) directory to complete the
http-01 challenge. It uses the FQDN configured in SecurityGateway for the default
domain as the domain for the certificate, retrieves the certificate, imports it
into Windows, and configures SecurityGateway to use the certificate using SecurityGateway's
XMLRPC API.
The script creates a log file in the SecurityGateway\Logs\ directory called LetsEncrypt.log.
This log file is removed and recreated each time the script runs. The log includes
the starting date/time of the script but it does not include a date/time stamp for
each action. Notification emails can be sent when an error occurs.
If you have an FQDN setup for your default domain that does not point to the SecurityGateway
server, this script will not work. If you want to setup alternate host names in
the certificate you can do so. You need to pass the alternate host names on the
command line.
Example usage: .\SGLetsEncrypt.ps1 -UserName admin@domain.com -Password Password1
-AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -EmailErrorsTo
admin@domain.com
You do not need to include the FQDN for the default domain in this list. For example,
our default domain, altn.com, is configured with an FQDN of mail1.altn.com. We use
an alternate host name of mail.altn.com. When I run the script, I only pass mail.altn.com
as an alternate host name. If you pass alternate host names, an HTTP challenge will
need to be completed for each them. If the challenges are not all completed the
process will not complete correctly.
If you do not need to pass in alternate host names then do not include the –AlternateHostNames
parameter in the command line. If you do not want to have email notifications sent
when an error occurs do not include the –EmailErrorsTo parameter in the command
line.
- [17670] Updated Cyren Anti-Virus engine to version 5.4.28-r1
- [18271] Updated to version 8.00.0125 of the Cyren Outbreak Protection SDK
- [17657] Changed the write mode for the Firebird database from asynchronous to synchronous
as this should resolve some instances of database corruption. However, this
change does come with a performance cost. This will not be an issue for most installations.
A new screen has been added at Setup | Database | Configuration to specify the database
write mode. Asynchronous write mode is only recommended when the performance
of synchronous write mode is not sufficient. It is critical that the system be protected
by a reliable UPS and that database backups are maintained.
- [15753] Replaced built in crash memory dump generation code with code that creates
registry entries for Windows Error Reporting. This functionality requires
Windows Server 2008/Windows Vista or later. A memory dump file should be created
in the "CrashDumps" folder if the securitygateway.exe process crashes.
The location of this folder may be changed from Setup/Users | System | Directories.
- [16730] Added "Result" column to the Queued for Delivery view
- [17746] Implemented Sieve extension "proximity" tag for "allof"
test. This allows for scripts where multiple search terms must exist within
a proximity of a specified number of characters of each other.
- [17792] Added GetSetting and PutSetting methods to the XML-RPC API
- [10223] Added option to Setup | Mail Configuration | Email Protocol to "Hide
software version identification in responses and 'Received:' headers".
This option is disabled by default.
- [17866] SecurityGateway may report the version of the OS version that it is running
on when it requests an updated license file from Alt-N. This information is helpful
as we make decisions about which OSes to support. To not report such information,
disable the "Include optional usage and environment data in license request"
option on the Setup | Registration page in the web interface.
- [13464] Added options to Security|Anti-Spam|Backscatter Protection to specify IP
addresses and domain names of sites that are exempt from Backscatter Protection
return-path signing
- [17924] Updated SpamAssassin engine (SGSpamD.exe) to include Encode module for charset
conversion and normalization
- [11776] Added a per-domain option for the maximum acceptable SMTP message size
- [18485] SecurityGateway starts warning about impending license deactivation 7 days
in advance (up from 5 days).
- [18362] Improved logging in DMARC processing when SPF lookup was not performed due
to a NULL SMTP return path
FIXES
- [17452] fix to it is possible to add a content filter condition when an empty criteria
string
- [16163] fix to updating a Message Content Filter Rule may result in the truncation
of the last character of the condition string
- [17753] fix to usage key returned by activation server is not saved when "Click
here to request an updated license file" link is manually clicked
- [17765] fix to the "Exclude the files listed below" virus scanning options
only apply to the "Quarantine messages that cannot be scanned" option
and need to be indented
- [17860] fix to "Account Hijack Detection" is not activated if sender authenticates
as a user account alias address
- [17934] fix to DMARC failure reports (RUF) are not DKIM signed
- [16922] fix to Bayesian learning process fails when SecurityGateway is installed
under the Program Files (x86) directory and support for NTFS short file names is
not enabled on the volume. This is the default configuration for new volumes
created by Windows Server 2012.
- [18023] fix to Sieve "envelope" test "domain" tag does not match
as expected
- [18155] fix to the DNS parser adds an additional space character between the lines
of multi-line TXT DNS records. This may result in erroneous SPF and DMARC policy
failures when a single policy element spans multiple lines.
- [18167] fix to the message count contained in the administrative quarantine report
may be incorrect for domain administrators
- [18054] fix to unable to disable DKIM signing for a domain
- [18189] fix to browser may autofill other password fields with saved logon password
- [18251] fix to SPF test may errantly return pass result if SPF policy contains the
"include" directive
- [18298] fix to regular expression for detecting blank subjects not working
- [17035] fix to unable to edit a condition in a Message Content Filter rule while
that rule is disabled
- [18417] fix to the Whitelist/Blacklist list view may display characters in an entry's
comments encoded as HTML entities
- [18361] fix to incorrect DMARC / DKIM / SPF lookups occurring for some domains
- [18573] fix to a corrupted .zip file may cause securitygateway.exe process to consume
all system memory and crash
- [18021] fix to under specific conditions, a message may be accepted but not delivered
to the domain email server. In the outbound log, the session for the message
will contain SIZE=0 and delivery will fail.
SecurityGateway 4.0.0 - June 14, 2016
MAJOR NEW FEATURES
[15999] Web Interface Updated to use a Mobile First Responsive Design
The web interface has been updated to use a mobile first responsive design.
Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and
the latest Safari on Mac and iOS. Android stock browsers have been known to
have issues with scrolling, but Chrome on Android devices works well.
This design is based entirely on the size of the window being used. Whether
the user is on a phone, tablet, or PC, the appearance is the same for the same window
size. The most important change here is the menu. From 1024 pixels width
on down the menu is hidden on the left side of the browser. There are two
methods that can be used to display the menu. If a touch device is in use,
swiping to the right will show the secondary menu. Whether or not a touch
device is in use, there is also a "menu" button in the top left corner
that will display the secondary menu. Tapping or clicking the menu title with
the left arrow next to it at the top of the menu will display the primary menu.
The help, about, and sign out menu in the top right corner changes based on the
width of the screen as well. From 768 pixels up shows the words Help, About,
and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels
or less displays a "gear" icon which when clicked or tapped will display
a drop down menu with the Help, About, Sign Out options. List views with more
than one column have column on/off buttons.
[11232] DMARC
Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance)
has been added. DMARC defines a scalable mechanism by which a mail sending organization
can express, using the Domain Name System, domain level policies and preferences
for message validation, disposition, and reporting, and a mail receiving organization
can use those policies and preferences to improve mail handling. The DMARC specification
and full details about what it does and how it works can be found here:
http://www.dmarc.org/.
DMARC allows domain owners to express their wishes concerning the handling of messages
purporting to be from their domain(s) but which were not sent by them. Possible
message handling policy options are "none" in which case SecurityGateway
takes no action, "reject" in which case SecurityGateway refuses to accept
the message during the SMTP session itself, and "quarantine" in which
case SecurityGateway places the following header into each message for easy filtering
into your user's Junk E-mail folder: "X-SGDMARC-Fail-policy: quarantine".
This header is only added when the result of the DMARC check is "fail"
and the resulting DMARC policy is something other than "none." It
is possible to configure SecurityGateway to accept messages even though DMARC requests
that they be rejected. In fact, this is the default operational mode.
In these cases SecurityGateway will place an "X-SGDMARC-Fail-policy: reject"
header into the message in case you want to filter more seriously on that.
DMARC supersedes ADSP and the message disposition features of SPF. However,
you can still use all of them together with DMARC. ADSP and SPF message
rejection now takes place after DMARC processing if DMARC verification is enabled.
DMARC depends in part upon the use of a "Public Suffix List." A "Public
Suffix" is one under which Internet users can directly register names. Some
examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. A "Public Suffix
List" is a list of all known public suffixes. SecurityGateway uses the one
maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/.
A copy of this list is installed into your \App\ folder as effective_tld_names.dat.
There is currently no comprehensive or single authoritative source for such a list
which is an issue the Internet community should address. Over time this file will
grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat
and saving it to your \App\ folder. SecurityGateway will periodically and automatically
download and install this file as part of the daily maintenance event approximately
once every two weeks. Various controls to govern this can be found on the
new DMARC configuration screens. The DMARC log and the new DMARC window within
the Security tab inside the main UI will contain the results of the update and all
other DMARC processing operations. You can set a different file download URL
if needed but the data downloaded must conform to the format specified by Mozilla
for their file. You can read about this at the URL mentioned above. SecurityGateway
strictly follows the parsing algorithm specified by Mozilla. Create a (possibly
empty) file called "PUBLICSUFFIX.SEM" and place it in SecurityGateway's
\App\ folder if you replace or edit the effective_tld_names.dat file yourself and
need SecurityGateway to reload it without a reboot.
To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's
DNS setup. Information on how this record is defined and structured can be
found at http://www.dmarc.org. When you publish
a DMARC record to your DNS you may begin receiving DMARC reports from many different
sources via email. These reports are provided as a compressed XML file whose format
is governed by the DMARC specification. Consuming these reports is outside the scope
of SecurityGateway's DMARC implementation. However, the data within these reports
can provide important insight into a domain's mail flow, improper domain use,
DKIM signing integrity, and SPF message path accuracy/completeness. The addresses
to which these reports are sent is configured by you when you create your DMARC
record.
When setting up a DMARC record for one or more of your domains take care with use
of p=reject. Take particular care if your domain provides email accounts for
general use by human users. If such users have signed up for any mailing lists,
make use of a mail forwarding service, or expect to use common things like "share
this article with a friend" you should know now that a DMARC p=reject policy
could make those things entirely impossible and if so you'll hear about it.
DMARC p=reject is perfectly appropriate and useful but only when it is applied to
domains that control how their email accounts are used (for example, transactional
mail, automated (i.e. non-human) accounts, or to enforce corporate policies against
use of the account outside organizational boundaries).
In order to support DMARC aggregate reporting SecurityGateway will store data which
it will need later in order to generate aggregate reports according to the DMARC
specification. SecurityGateway ignores the DMARC "ri="; tag and only produces
DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given
day. At midnight UTC (which is not necessarily midnight local time) SecurityGateway
consumes this stored data to generate the reports. SecurityGateway needs to be running
at this time or the stored data could grow and grow and never be consumed. Therefore,
if you do not run your SecurityGateway 24/7 you should not enable DMARC aggregate
reporting. DMARC aggregate reporting is disabled by default.
In order to support DMARC failure reporting RFC 5965 "An Extensible Format
for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting
Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF)
Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651
"Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting",
and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have
been fully implemented. Failure reports are created in real-time as the incidents
which trigger them occur. SecurityGateway implements DMARC AFRF type failure
reports and not IODEF type reports. Therefore, only values of "afrf"
in the DMARC "rf=" tag are honored. See the DMARC specification
for complete details. Multiple failure reports can be generated from a single
message depending upon the number of recipients in the DMARC record's "ruf="
tag and upon the value of the "fo=" tag times the number of independent
authentication failures which were encountered by the message during processing.
When the DMARC "fo=" tag requests reporting of SPF related failures SecurityGateway
sends SPF failure reports according to RFC 6522. Therefore, that specification's
extensions must be present in the domain's SPF record. SPF failure reports
are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.
When the DMARC "fo=" tag requests reporting of DKIM related failures SecurityGateway
sends DKIM and ADSP failure reports according to RFC 6651. Therefore, that
specification's extensions must be present in the DKIM-Signature header field
and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid
ADSP extensions in the ADSP TXT record. DKIM and ADSP failure reports are
not sent independent of DMARC processing or in the absence of RFC 6651 extensions.
See the various specifications referenced herein for complete details. DMARC
failure reporting is disabled by default.
Important Note: A DMARC record can specify that reports should be sent to
an intermediary operating on behalf of the domain owner. This is done when the domain
owner contracts with an entity to monitor mail streams for abuse and performance
issues. Receipt by third parties of such data may or may not be permitted by your
privacy policy, terms of use, or other similar governing document. You should
review and understand if your own internal policies constrain the use and transmission
of DMARC reporting and if so you should disable DMARC reporting as appropriate.
DMARC requires use of STARTTLS whenever it is offered by report receivers however
there's no way to predict or police this. However, you should enable STARTTLS
if you haven't already (see Setup | System | Encryption).
The Authentication-Results header has been extended to include DMARC processing
results. Note that Authentication-Results includes some data in comments for debugging
purposes including the DMARC policy requested by the domain owner which is not necessarily
the action taken on the message. For example, when the result of a DMARC check is
"pass" it does not matter what the DMARC policy states as policy is only
applied to DMARC checks which "fail". Similarly, when the result of a
DMARC check is "fail" and the policy is "reject" the message
may be accepted anyway for local policy reasons. Use of this header for filtering
should take all this into account. Alternatively, filter for "X-SGDMARC-Fail-policy:
quarantine" or "X-SGDMARC-Fail-policy: reject" to filter these messages
into spam folders or whatever you want to do. SecurityGateway strips out the
"X-SGDMARC-Fail-policy:" header from every incoming message.
Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header
or they are not processed which basically means that the absence of a single (one
and only one) properly formed (according to RFC specifications) RFC5322 From field
renders the message invalid generally and therefore invalid for DMARC processing.
Several new screens have been added at Security | Anti-Spoofing where you can set
various options related to DMARC use.
DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the
verified identities that those two mechanisms provide. You can't make
productive use of DMARC for inbound mail without one or both of those technologies
enabled. The UI will try to enforce this.
[3961] Bind Domain to an IP address
For servers that have multiple IP addresses assigned, each domain may be bound
to a specific IP address. Mail from the domain will be sent from this IP address.
A SMTP Hostname may also be specified for the domain. This value is the Fully Qualified
Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending
mail for the domain. For incoming connections, this value will be used unless multiple
domains are bound to the IP address, in which case the FQDN used will be the one
that is associated with the domain that is first in alphabetical order.
CHANGES AND NEW FEATURESS
- [16701] Updated ClamAV engine to version 0.99.2
- [16263] Updated to version 8.00.0122 of the Cyren Outbreak Protection SDK
- [16594] All support for the original DomainKeys message authentication system has
been removed. DomainKeys is obsolete and has been replaced by the acceptance
and adoption of DKIM which SecurityGateway continues to support. Some web
interface dialogs related to DomainKeys and DKIM found within Security | Anti-Spoofing
have been reorganized as a result and options related to DomainKeys removed and
the remaining options better consolidated. The install process will remove
DomainKeys.dll.
- [16983] All support for Sender-ID has been removed. This technology never
caught on and is obsolete.
- [16338] All references to "company.mail" have been changed to "company.test"
to comply with RFC 6761
- [15573] Updated the look of the quarantine report emails to match the new SG GUI
update
- [15568] Added check boxes to lists that allow the selecting of multiple list items
- [16424] Added an option to decide when to display the charts on the Main and My
Account landing pages to Main -> My Account -> Settings and to Setup / Users
-> Account -> User Options. The 4 choices are "Automatic" (default),
"Always", "Manual", and "Never".
- [16365] Added X-Frame-Options: SAMEORIGIN header to HTTP responses
- [16425] Added X-XSS-Protection: 1 header to HTTP responses
- [16275] The Free Disk Space Monitoring page has been changed to display values in
MB instead of KB. The default "low disk space value" (the value
below which SecurityGateway believes the disk is running low and starts complaining
about it) was changed from 10MB to 1000MB. Likewise, the "auto-shutoff
value" (the value below which SecurityGateway will disable mail services due
to critically low disk space) was changed from 1MB to 100MB. Please check
and change the values at Setup|System|Disk Space if they present a problem for you.
- [137] Added description for system service, when viewed from the services manager
- [16582] The "... unless message is TO a local account" exclusion for the
"Only domain mail servers can send local mail" Relay Control option is
now disabled by default
- [1692] Added the ability to filter the message log by sender IP using
CIDR notation, simply enter the CIDR pattern as the IP address in the filter
dialog
- [15606] Removed the "Blacklist" link from the quarantine report email
by default. Added a "Confirm as Spam" link that will learn the message
as spam if Bayesian learning is disabled and delete the messages from the user's
quarantine. The "Blacklist" link can be restored via an option in
Setup | Mail Configuration | Quarantine Options.
FIXES
- [15697] fix to Host, Addresses Blacklist and Address Whitelist dialogs are cut off
at bottom when using Firefox
- [16125] fix to outbound SMTP session hangs if server returns that it supports AUTH
but lists no AUTH methods
- [16248] fix to message that contains embedded NULL characters is corrupted
- [16305] fix to message collected from remote POP accounts may be discarded if case
does not match
- [16364] fix to if quarantine_report.xsl is found custom_admin_quarantine_report.xsl
is also assumed to exist
- [16041] fix to cannot change a local admin to an external admin
- [16042] fix to cannot edit an external administrator
- [15605] fix to DKIM will not sign messages if the sender's domain name specified
in the SMTP session contains upper case letters
- [15732] fix to Message Log "Subject Starts With" search condition returns
no results when using "NOT"
- [16279] fix to Security->Anti-Spam->Greylisting unable to click "Exclude
messages from domain mail servers"
- [16910] fix to Unable to "Delete All" quarantined messages when using
a filter with a date range set
- [16986] fix to subject tag based upon the message's score is not added if the
message is also quarantined due to its score
- [17047] fix to no result feedback message is displayed after using the Spam/Not
Spam toolbar buttons from the Quarantined (Admin) view.
- [17048] fix to the sending of Administrative Quarantine reports are not logged to
system log
- [17115] fix to mouse cursor is not changed to a pointer when hovering over enabled
paging bar icons that can be clicked
- [17121] fix to no VBR certifiers are trusted when multiple values are specified
for "Host name(s) of certification services that I trust"
- [11789] SPF verifier ignoring CIDR pattern for A and MX policies
- [17041] fix to Outbreak Protection queries may fail with "Unable to comply
with the request because you are not licensed for the antispam or VOD service"
after registration key is updated until SecurityGateway service is restarted
SecurityGateway 3.0.3
CHANGES AND NEW FEATURES
- [8481] Compressed archive files (.zip and .rar) are now scanned for restricted attachments.
Archive files are recursively scanned up to a depth of 16 levels.
- [13435] Added "STARTTLS Whitelist" and "STARTTLS Required List"
options to Setup | Encryption. STARTTLS will never be used when sending to
IP addresses, hosts, or domains on the STARTTLS whitelist. STARTTLS will never
be advertised to connecting hosts/IPs on the STARTTLS whitelist. SMTP connections
to hosts/IPs on the STARTTLS Required list MUST use STARTTLS. If STARTTLS is not
available or fails, the message will not be sent.
- [13657] Added option to Setup | Encryption which allows you to temporarily white
list hosts which encounter an SSL error during an SMTP session. The white
list is reset every hour.
- [13803] SecurityGateway now supports TLS 1.1 and 1.2. Requires Windows 7 / Server
2008 R2 or newer.
- [13974] Added an option for a global administrator to export all whitelists and
blacklists to a CSV file. This includes the global, domain, and user lists.
- [14400] Update Outbreak Protection SDK to version 8.0.110
- [15124] SecurityGateway trial keys are now sent via email and must be entered into
the installer to continue. The trial period is 30 days.
- [12688] Updated charting component to eliminate dependency of Adobe Flash
- [13869] Added an option to Setup / Users | User Options | Configuration to "Send
an alert to global administrators when a new user is created"
- [15534] Added a "Delete All" button to Bad Messages queue view.
Clicking the "Delete" dropdown menu will allow the user to delete the
selected messages or to delete all messages.
- [15171] Updated SpamAssassin to version 3.4.1
- [15432] Added option to My Account | My Settings and Setup | Mail Configuration
| Quarantine Configuration to control how the quarantine report email is sorted.
By default the quarantine report will continue to be sorted by date received, however
it can now be sorted by sender or subject.
- [15553] Updated Cyren Antivirus to version 5.4.6-r1
- [14326] Updated to latest version of libdkim library
FIXES
- [616] fix to SQL error "Execute(execute procedure update_user(?,?,?,?,?,?,?,?))
... update conflicts with concurrent update" logged to system log
- [13970] fix to "Maximum Bayesian Database Tokens" field in web interface
should allow 6 digits
- [13994] fix to the height of the tab pane on the new/edit remote POP account dialog
may be too small
- [13996] fix to System log may contain database error "Deadlock... Context:
Statement::Execute(delete from failedauth where ip=?)"
- [13997] fix to the "verify from" Sieve condition may fail in custom Sieve
scripts even if the message is from a local user
- [13998] fix to searching message log by sender or subject may return no records,
"invalid token" database exception logged to System log file
- [14011] fix to installer still contains old domain cap logic. This may prevent installation
in specific scenarios.
- [14059] fix to Transient Delivery Failure messages are no longer being generated
on delivery problems
- [14333] fix to message log entries for which "no mail was sent" are not
removed by the nightly maintenance process
- [15383] fix to domain aliases are not included in configuration only backup
- [15789] fix to after enabling the "... unless message is from a whitelisted
IP address or host" option for SMTP Authentication, the option is not checked
when returning to the page
- [15846] fix to bandwidth Throttling speed logged to SMTP session transcript is incorrect
- [15884] fix to recipient parsed from mail collected via a POP account is rejected
if the Recipient's address is for a cross domain alias
- [16014] fix to new virus definitions may not be used until the Cryen AV engine is
reloaded
SecurityGateway for Email Servers v3.0 Release Notes
Developed with over 10 years of proven email security expertise, SecurityGateway
provides affordable email security. It protects against spam, viruses, phishing,
spoofing, and other forms of malware that present an ongoing threat to the legitimate
email communications of your business.
SecurityGateway 3.0.2 -
September 9, 2014
CHANGES AND NEW FEATURES
- [10328] Added an option to exempt specific file names from the "Quarantine
messages that cannot be scanned" feature. This allows SecurityGateway to
receive password protected files with a known file name.
- [13477] Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has
been added. This governs the value of the "WITH" clause in Received headers.
This means you'll see "ESMTP" for unauthenticated non-SSL sessions,
"ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions,
or "ESMTPSA" for authenticated & SSL sessions.
- [13564] Added "unless message is from a whitelisted IP address or host"
exemption option for SMTP Authentication
FIXES
- [13457] fix to reports contain no result for custom date range where start and end
dates are the same
- [13486] fix to message transcript data orphaned in database if the data
retention option to not log incomplete messages to the database is enabled
- [13487] fix to can only use number pad negative sign for "Add to message score"
action
- [13500] fix to a rejected message, for which the message data was received and retained,
that is selected for redelivery is not delivered becomes stuck in the delivery queue
- [13509] fix to in the system log file, the time required to complete database maintenance
is incorrect if the process take an extremely long time
- [13559] fix to Cyren AV engine reports messages with quoted printable encoding that
does not strictly follow the standard as corrupt. This causes the message
to be placed into the "Administrative Quarantine" if the option to "Quarantine
messages that cannot be scanned" is enabled.
- [13406] fix to empty SMTP AUTH password may cause process to terminate
- [13382] fix to warning string in license file causes dashboard view to not load
- [13321] fix to time logged for database maintenance process to delete old messages
is incorrect
- [13422] fix to domain administrator cannot release an item from the Administrative
Quarantine
- [13425] fix to failed CRAM-MD5 AUTH attempt followed by successful AUTH LOGIN for
same user still counts towards failed auth dynamic screening threshold
- [13672] fix to incorrect port logged for connections received on dedicated SSL
port
SecurityGateway 3.0.1 - June 17, 2014
FIXES
- [13227] fix to certain viruses may not be detected by the CyrenAV engine when the
"Attempt to clean infected messages" option is enabled
- [13240] fix to unable to login when French language is selected
- [13246] fix to database exception during nightly maintenance causes process to crash.
The exception is now handled and logged to the system log file.
- [13255] fix to the translated text for the "Russian" language selection
on the logon page language menu is "English" and not "Russian"
- [13278] fix to unable to use domain's SMTP AUTH password to authenticate
- [13276] fix to unable to perform a new installation using the Japanese language
installer because the Next button is not enabled after completing the Customer Information
dialog
- [13295] fix to login page may "jump" while loading the logo image
- [13296] fix to when delivering mail additional MX records are not attempted
if the TCP connection is successful, but the connection terminates without an SMTP
protocol error occurring. Examples of this include an SMTP session that times out
or is closed by the other side.
SecurityGateway 3.0.0 - May 27, 2014
SPECIAL CONSIDERATIONS
- [12243] Outbreak Protection and CYREN AntiVirus are now included in SecurityGateway!
- The ProtectionPlus add-on is no longer needed to add an additional layer of antivirus
and spam protection to SecurityGateway and has been discontinued. When upgrading
to v.3.0 the installer will inform the user that it must automatically uninstall
ProtectionPlus before proceeding. Please note that if upgrading from within the
web interface, there is no opportunity for a prompt and that ProtectionPlus will
be automatically uninstalled.
- Kaspersky AV integration, which was previously provided via the ProtectionPlus add-on,
has been replaced with CYREN AntiVirus built in to SecurityGateway.
- [12957] Active Software License Renewal coverage is required for Cyren Outbreak
Protection, Cyren AntiVirus, ClamAV updates, SpamAssassin updates, and Bayesian
Learning.
- [12958] The trial period has been changed. A hassle free 14 day trial period is
now offered without the need to provide any contact information. Simply install
the product and a trial license will be automatically downloaded. The trial period
may be extended to 30 days by providing valid contact information.
CHANGES AND NEW FEATURESS
- [1444] Dynamic screening for failed SMTP authentication attempts now works across
sessions over time. Previously, the failed authentication attempts had to occur
within a single session. The failed authentication count for an IP is reset at midnight,
or when it is blocked and added to the dynamic screening list.
- [1485] Added "User Verification Source Options" page with options that
allow response caching and user re-verification to be configured.
- [3597] Added "Released" as a reason when filtering the message log
- [3618] Added the ability to exclude whitelisted senders, authenticated sessions,
and domain mail servers from attachment filtering
- [11386] Restart clamd.exe immediately if "unable to allocate memory" or
"cannot create thread" error occurs
- [11702] SecurityGateway.exe is now Large Address Aware, allowing it to use up to
4 GB of RAM on a 64-bit OS.
- [11703] Added "Spam" and "Not Spam" buttons for Bayesian Learning
to the quarantine views
- [12367] Updated Firebird database engine to version 2.1.5
- [12368] Updated ClamAV to version 0.98
- [12456] Updated Chilkat library to 9.4.1
- [12542] Improved whitelisting or blacklisting a sender directly from the message
log or quarantine
- Added "Whitelist" and "Blacklist" button to the domain and global
views
- Domain administrators may add the sender to the recipient domain's list
- Global administrators may add the sender to the global list
- Allow the sender's domain to be added, as a wildcard entry
- [12817] Updated product logos
- [12936] Added support for using the hostname returned by PTR lookup as a condition
in SIEVE scripts
- [13031] Added option to automatically redirect HTTP requests for the web interface
to HTTPS
FIXES
- [9051] fix to the Bayesian learning process fails if the Bayesian DB path in SpamAssassin's
local.cf file contains a parenthesis. The impacts most installations on a 64bit
OS as the default install location is "Program Files (x86)"
- [10118] fix to when delivering remote mail, other MX records are not tried when
the TCP connection is successful but a SMTP protocol timeout occurs
- [10126] fix to unable to disable "Close SMTP session after banning IP"
setting under Dynamic Screening
- [10961] fix to Account Hijack detection does not kill current session when account
is disabled
- [11049] fix to Notepad does not detect logs as UTF-8 encoded
- [11146] fix to unable to disable "... include original message when informing
the sender" option under "Mail Delivery"
- [11219] fix to SSL negotiation error 0x80090308 when sending to certain SMTP servers
- [11240] fix to Bayesian auto-learning does not occur if message is rejected
- [11300] fix to when searching the message log, a search string that contains a single
quote results in an SQL error and no results are returned
- [11308] fix to dashboard displays negative days remaining in trial after trial license
has expired
- [11428] fix to "Save" button may not be enabled on "Quarantine Options"
page
- [11442] fix to Administrative Quarantine Report interval still displayed as "Daily"
after being changed to another value
- [11639] fix to installer unable to validate license when system does not have a
MAC address
- [12013] fix to redelivering a message needs to change the MessageID, or Exchange
will believe it is a duplicate and not deliver it
- [12188] fix to unable to change just license name or company while leaving registration
key the same
- [12256] fix to disabled user can still authenticate if the user is enabled on the
user verification source
- [12312] fix to cannot access login page when installed on Windows Server 2012 R2
- [12353] fix to unable to verify SPF record that contains "ip6" mechanism
- [12378] fix to if a sender's name contains non-ASCII characters separated by a comma,
it may be rejected by the RFC compliance test
- [12387] fix to possible installer crash seen on Windows Server 2012 64bit
- [12397] fix to script error after adding DNSBL response that contains an ampersand
character
- [12411] fix to message with a subject containing UTF8 line break (0xE2 0x80 0xA8)
character will prevent the mesage log from being displayed
- [12439] fix to "Configuration Only" backup may fail with "violation
of FOREIGN KEY constraint 'FK_DOMAINUSERS_USER' on table 'DOMAINUSERS'"
- [12469] fix to potential database deadlock "update conflicts with concurrent
update" when updating dynamic screening record for an IP address
- [13023] fix to if the license file contains a warning, it is logged to the system
log every minute
- [13028] fix to no entry logged to system log for update check that runs as part
of the midnight maintenance process
- [13064] fix to installer may download license file to wrong location
- [13086] fix to the global IP address and Host blacklists are not checked until the
RCPT event. This allows a blacklisted IP or Host to attempt to authenticate using
the AUTH command.
- [13135] fix to unable to verify license file if serial number in the database is
in lower case