SecurityGateway for Email Servers v12.0 Release Notes

SecurityGateway 12.0.0rc1

FIXES

• (beta only) [29149] fix to Remote POP Accounts crash when testing or saving a new POP account
• [29099] fix to domain mail server is unable to send mail from other local domains when a domain SMTP AUTH password is used for authentication
• (beta only) [29114] Display Name Protection now correctly handles raw UTF-8 characters in email headers and includes expanded Unicode confusables detection covering Latin Small Capital letters (found in Windows Character Map), Cherokee lookalikes, IPA extensions, and letterlike symbols
• (beta only) [29159] fix to Change Password dialog in dark theme showing greyed out area at top of window due to missing modal overlay

SecurityGateway 12.0.0d

FIXES

• (beta only) [29104] fix to HTTP socket lifetime race condition crash
• (beta only) [29134] fix to archive store query now retries on transient database errors before moving message to archive retry queue

SecurityGateway 12.0.0c

CHANGES AND NEW FEATURES

• [29027] Archive Retained Messages - Added ability to archive messages that are still retained in the database (Setup / Users | Database | Data Retention) but not yet archived. A new "Archive Retained Messages" button on the Archiving Configuration page (Setup / Users | Archiving | Configuration) allows administrators to add retained messages to the archive. This is useful when first enabling archiving to backfill historical messages, or to recover messages that are missing from the archive but still exist in the database.
• [29118] Allowlist/Blocklist log messages now include the actual entry value that matched. For example, instead of showing "Sender is on blocklist (Mail From user : 194443)", the log now shows "Sender is on blocklist (Mail From user : *@spammer.com : 194443)". This makes it clearer which wildcard entry caused the match, especially useful for troubleshooting.
• (beta only) [29114] Display Name Protection enhancements:
  • Nickname and Diminutive Detection - Automatically recognizes common first name variations and nicknames as matches to protected users. For example, "Bob Smith" will match "Robert Smith", "Matt Jones" will match "Matthew Jones", and "Bill Johnson" will match "William Johnson". This catches impersonation attempts that use familiar name forms to appear more legitimate.
  • Unicode Confusables Normalization - Detects and normalizes visually similar Unicode characters used in homograph attacks. Attackers often substitute characters like Cyrillic "а" for Latin "a", or use lookalike characters. The detection engine normalizes these confusable characters before comparison, catching sophisticated impersonation attempts that appear identical but use different Unicode code points.
  • Added a "Personal Emails" column to the Protected User List
  • Fixed enable/disable form field bugs

FIXES

• (beta only) [29124] fix to archive queue retry failing for messages where the original message record was deleted from the database before archiving completed
• (beta only) [29129] fix to Display Name Protection page where the "Free Email Provider Actions" radio buttons were selectable even when the feature was disabled, per-domain custom settings were incorrectly greyed out, and the Protected Users list was missing the "Personal Emails" column
• [28603] fix to "Forgot Password" link on login screen being cut off or overlapped when viewing on mobile devices
• [28801] fix to incoming messages with null return path being incorrectly classified as outbound when the From header contains a local domain address that fails AD/UVS verification
• [28934] fix to Message Log message viewer cutting off headers when "Show All Headers" is clicked and there are more headers than fit in the visible area. The headers section now scrolls to show all content.
• [29088] fix to messages tagged as spam with multi-line MIME-encoded subjects not being fully decoded in message logs, leaving raw encoded text (=?UTF-8?B?...?=) visible instead of the decoded subject
• [29117] fix to service stop command returning before SecurityGateway process fully exits
• [29058] fix to text extraction (FilterHost.exe) returning no text or timing out after 60 seconds when processing certain attachments
• [22296] fix to archive stores being created with whitespace-only paths (e.g., a single space) instead of valid directory paths
• [28967] fix to orphaned lock files in the archive queue preventing messages from being archived. Lock files left behind after a crash or unexpected shutdown are now cleaned up at startup, and the associated messages are moved to the bad archive queue for review.
• [24922] fix to system-generated messages (quarantine summary reports, password reset emails, etc.) not being archived
• (beta only) [29128] fix to SMTP call-forward user verification creating users with blank names. When using SMTP call-forward as the user verification source, newly verified users were being created with empty mailbox names (appearing as "@domain.com" in the Users list).

SecurityGateway 12.0.0b

CHANGES AND NEW FEATURES

• [29039] Archive Failure Queue for messages that fail to be archived. Messages that cannot be archived due to errors (disk full, archive store unavailable, etc.) are now saved to a dedicated archive failure queue. Administrators can view and manage these messages from Setup / Users | Archiving | Failed Messages.
• [29108] User Settings Page Redesign - The user settings page has been reorganized into logical sections (Security, Display Preferences, Email Filtering, Quarantine, Archiving, and Advanced Options) for improved usability. Password changes now open in a dialog, dark mode uses a dropdown selector.

FIXES

• (beta only) [28834] Fixed an issue where SecurityGateway would fail to start when configured to use an external Firebird database server, reporting "Firebird Unknown Version (ODS 0)". The Firebird version check now queries the database server directly instead of reading from the local database file, which is not accessible when using an external server.
• (beta only) [29103] fix to Archive store backups fail as hard coded test path "Z:\invalid" was inadvertently left in code
• (beta only) [29104] fix to HTTP socket lifetime race condition crash

SecurityGateway 12.0.0a

SPECIAL CONSIDERATIONS

• [28204] Updated Operating System Requirements

  SecurityGateway 12.0 no longer supports Windows 7, Windows 8, Windows 8.1, or Windows Server 2008 R2. The minimum supported operating systems are now Windows 10 and Windows Server 2012.

MAJOR NEW FEATURES

• [28631] Display Name Protection to protect against business email compromise (BEC) and impersonation attacks.

  Protect against display name impersonation attacks where threat actors use display names similar to trusted users (such as executives, vendors, or colleagues) to trick recipients into taking actions like transferring money or revealing sensitive information. This feature provides comprehensive protection through multiple layers of defense:

  Core Detection Engine: Uses advanced name similarity detection (Jaro-Winkler algorithm) to identify when an email's display name closely matches a protected user but originates from a different email address. Administrators can configure a similarity threshold (0.0 - 1.0) where 1.0 requires an exact match and lower values enable fuzzy matching to catch variations like "Jon Smith" vs "John Smith".

  Protected User Management: Administrators can designate high-value targets (executives, finance personnel, HR staff) for monitoring. Each protected user can maintain a personal address list of legitimate alternate addresses to prevent false positives when they email from personal accounts.

  Free Email Provider Actions: Apply stricter policies to messages from free email providers (Gmail, Yahoo, Outlook.com, Hotmail, ProtonMail, iCloud, AOL, and many others) where impersonation attacks commonly originate. Configure separate actions specifically for these high-risk sources.

  Flexible Response Actions: Choose from multiple response options including rejecting messages, quarantining for security review, adding warning headers (X-SecurityGateway-DisplayNameSpoofed), tagging subject lines with [SPOOFED], or filing to spam folders. Different actions can be configured for general matches versus matches from free email providers.

  Granular Exclusions: Prevent false positives with multiple exclusion options: allowlisted IP addresses, authenticated sessions, domain email servers, and a configurable sender exclusion list supporting wildcard patterns (*@company.com, user*@domain.com, admin@*.com).

  Sieve Integration: Advanced users can create custom policies using the new vnd.mdaemon.display_name_protection and vnd.mdaemon.sender_is_free_email Sieve tests.

  Configuration is available under Security | Anti-Spoofing | Display Name Protection in the web interface.

• [29012] Database connection pooling for improved performance and reliability under high load.

  Connection pooling reuses existing database connections instead of creating new ones for each operation, includes automatic retry logic with exponential backoff for transient failures, and provides circuit breaker protection to prevent cascade failures during database outages. The pool automatically prunes idle connections to optimize resource usage.

  Dashboard Monitoring: Global administrators can monitor database connection pool health in real-time from the dashboard. Statistics include current pool size, maximum pool size, active connections, idle connections, circuit breaker status, and consecutive failure count. The DB Connection Pool statistics display on the dashboard can be disabled under Main | My Account | Settings.

  Windows Performance Monitor: Database connection pool metrics are exposed as Windows Performance Monitor counters under the SecurityGateway object, enabling integration with external monitoring tools and alerting systems.

• [25124] Administrator IP Restrictions to enhance administrative account security

  Restrict administrator login access to specific IP addresses or IP ranges, providing an additional layer of security for administrative accounts. This feature helps prevent unauthorized access by limiting where administrators can authenticate from.

  Global and Per-Domain Configuration: Configure IP restrictions for global administrators separately from domain administrators. Domain administrators can login from IPs in their domain-specific allow list OR the global allow list, providing flexibility for multi-domain environments while maintaining centralized security policies.

  Flexible IP Matching: Supports individual IP addresses, IP ranges, and CIDR notation. Localhost access (127.0.0.1 and ::1) is always permitted to ensure local access is never blocked.

  Comprehensive Logging: All administrator access attempts (granted and denied) are logged to the HTTP log with IP address and administrator email for security auditing and compliance requirements.

  Configuration is available under Setup / Users | Accounts | Administrators | IP Restriction Option.

CHANGES AND NEW FEATURES

• [29015] Quarantine action confirmations now support action-specific "Do not show this prompt again" preferences. Users can independently configure each action type (release, delete, block, exempt, confirm spam, etc.), enabling them to skip prompts for routine actions while maintaining confirmations for destructive operations. A new "Clear quarantine report confirmation preferences" button in Main | My Account | Settings allows users to restore all confirmation prompts for the current browser.
• [11429] Email alerts for failed scheduled database backups. Administrators can now configure SecurityGateway to send email notifications to all global administrators when scheduled database backups fail. This optional setting (enabled by default) is available on the Setup / Users | Database | Backup page and helps ensure critical backup failures are promptly addressed.
• [4107] Quarantine reports can now be sent on-demand via a "Send Quarantine Report Now" button in Main | My Account | Settings | Quarantine Options. Administrators may send a report for a user for which they have permissions from that user's setting page ("Settings" button of the User List toolbar). This allows immediate delivery of quarantine report emails without waiting for the scheduled report interval.
• [29046] Archive search now includes Sender/Recipient in default search criteria. When searching archived messages, the search will now automatically include sender and recipient fields in addition to subject and message body, making it easier to find messages without manually enabling additional search options.
• [13555] Passwords are no longer included in the user export CSV file
• [26679] Option to exclude external administrators from receiving admin quarantine summary emails. This setting is available under Setup / Users | Mail Configuration | Quarantine Configuration in the Administrative Quarantine section and helps organizations comply with GDPR requirements by preventing quarantine summaries containing user message information from being sent to administrators outside the organization.
• [29079] Updated API Documentation. Reorganized into separate files by category. Added C#/.NET and Python code samples.
• [24065] The SecurityGateway system service is now configured with recovery options to automatically restart the service on the first and second failures. This configuration is applied once during new installations and upgrades. If you modify the recovery settings afterward, your changes will be preserved.

FIXES

• [27718] fix to custom dashboard report drill-down showing blank message list when using $LOCALDOMAIN$ or $REMOTEDOMAIN$ macros
• [28636] fix to Sieve rules created for disclaimers are not read-only when opened from Security | Sieve Scripts
• [28671] fix to attachment filtering patterns R0*, R1*, R2* matching entire filename instead of extension, causing files like R2345694373.png to be incorrectly blocked
• [28742] fix to attachment downloads fail in Chromium browsers when filename contains a comma
• [28992] fix to From Header Screening "Put email address before name" option corrupting From header when display name contains accented characters (RFC 2047 encoded words)
• [29044] fix to archive store backup reporting success even when individual store backups failed
• [29049] fix to debug performance timing interval logged in scientific notation
• [29068] fix to unresponsive OK button when overriding blocklist/allowlist conflicts due to JavaScript error
• [29025] fix to BayesianLearning.log not being archived, causing the file to grow indefinitely
• [13989] fix to aliases from user verification sources (Minger, AD/Exchange) being created as new users instead of being added as aliases to existing accounts
• [29050] fix to session expiration logging out users even when "Remember Me" is enabled. Users with valid remember-me cookies will now be automatically re-authenticated when their session expires.