MDaemon Server Release Notes

MDaemon 23.5.3 - March 7, 2024



MDaemon 23.5.2 - January 30, 2024





MDaemon 23.5.1 - November 29, 2023





MDaemon 23.5.0 - September 26, 2023








MDaemon 23.0.2 - June 27, 2023


[26982] Outbreak Protection has been restored. Please review your Outbreak Protection settings, as they may have been reset to their default values.








MDaemon 23.0.1 - April 18, 2023


[26765] Cyren Anti-Virus has been replaced with IKARUS Anti-Virus. Cyren recently announced its plans to discontinue operations with little warning. This necessitated the need for us to find a new anti-virus partner. After a thorough evaluation, IKARUS stood out for its excellent detection rate and speed. The IKARUS Anti-Virus automatically updates its definitions every 10 minutes. Scanning with IKARUS is disabled if your AntiVirus license is expired.

[26802] Cyren Outbreak Protection been removed. Cyren recently announced its plans to discontinue operations with little warning. We are actively researching and considering viable antispam technologies as suitable additions to the existing antispam mechanisms found in our software products.

[26778] IMAP keyword flags support can now be enabled or disabled via the setting [Special] IMAPKeywordFlags=Yes/No in \MDaemon\App\MDaemon.ini. IMAP keyword flags are disabled by default when updating MDaemon from a version before 23, to avoid the potential loss of message tags in Thunderbird mail clients. When Thunderbird connects to an IMAP server that supports keyword flags, it overwrites its local message tags with tags read from the server, which are initially blank. IMAP keyword flags are enabled by default for new installs and when updating from version 23.0.0.





MDaemon 23.0.0 - February 8, 2023









MDaemon 22.0.3 - August 30, 2022


MDaemon 22.0.2 - July 26, 2022


MDaemon 22.0.1 - July 5, 2022



MDaemon 22.0.0 - May 17, 2022


[25771] 32-bit MDaemon has been discontinued. MDaemon 22.0 and newer will only be available in 64-bit. If you are currently running a 32-bit version on a supported 64-bit operation system, you can simply install the 64-bit version on top of the existing installation.

[23752] The minimum length for strong passwords must now be at least 8 characters. If your minimum length was set to fewer than 8 characters before updating to MDaemon 22, it will be changed to 8. The default minimum length for strong passwords on new installs is now 10.

[25215] MDaemon is moving away from using the terms "whitelist" and "blacklist". In many cases, they are now "allow list" and "block list". Features that had a "white list" to exempt IPs, addresses, etc., now have an "exempt list". The per-user spam filter contacts folders are now named "Allowed Senders" and "Blocked Senders". The folders for all accounts will be renamed when MDaemon 22 starts up for the first time.








MDaemon 21.5.2 - February 8, 2022



MDaemon 21.5.1 - December 14, 2021



MDaemon 21.5.0 - November 9, 2021


[24475] The 'X-MDOrigin-Country' header, which Location Screening can add to messages, now has the two-letter ISO 3166 country and continent codes instead of full country and continent names. Be sure to update any filters you may have that look for particular values in this header.

[24943] With the renaming of the Webmail Mobile theme to Pro, there is a possible side effect for users that are using the Mobile theme and have remember me enabled. These users may find that they cannot open attachments. To work around this, the user must simply log out and log back in.



App passwords are long randomly generated passwords that clients can be configured to log in with instead of a user's account password. When used along with Two-Factor Authentication, which is supported by MDaemon Webmail and Remote Administration, they can help protect an account from unauthorized access. App passwords are supported by MDaemon's SMTP, POP, IMAP, ActiveSync, WebDAV, and XMPP servers.

App passwords are enabled by default. They can be disabled at Accounts | Account Settings | Other | Passwords. Two-Factor Auth can optionally be required for users to set up app passwords (enabled by default). The Web Services screen in the account editor and account templates has an "edit app passwords" permission, enabled by default. The Settings screen in the account editor and account templates has an option for whether an app password must be used to log in to the account using one of the supported protocols, disabled by default.

Users can manage app passwords in Webmail, at Options | Security, or Remote Administration, at My Account | App Passwords. The UI displays a list of the user's app passwords, with their name, creation timestamp, last used timestamp, and last used IP address. App passwords can be created, renamed, and deleted (revoked). An app password is displayed only once, when it is generated. If a password is lost, delete it and generate a new one. A different app password should be generated for each of a user's clients. If the user stops using a client or loses a device, any app passwords for them should be deleted. As a security measure, all of an account's app passwords are deleted when the account's password is changed.






MDaemon 21.0.3 - August 3, 2021


MDaemon 21.0.2 - May 18, 2021


[24757] The settings at Setup|Preferences|Miscellaenous to copy all system generated postmaster notifications to global admins and domain admins now apply to more notifications, such as Account Freeze and Disable, No Such User, Disk Error, Low Disk Space, and Beta and AV expiration. If you do not feel it appropriate for your administrators to receive these notifications you must disable these settings.



MDaemon 21.0.1 - March 16, 2021



MDaemon 21.0.0 - February 9, 2021



MDaemon's XMPP server now supports persistent chat rooms, which do not need to be recreated every time all users leave the room. Configure them at Setup | Web & IM Services | XMPP.


When on the Quarantine, Bad, or Spam Trap queue screens in the MDaemon GUI, a right-click popup menu option was added to report messages to as false positives or false negatives. Similar options have also been added to MDaemon Remote Administration. The messages will be analyzed and passed along to third-party vendors for corrective action.


A GUI has been created to assist in running ASMC (ASMCUI). It allows you to store your options and recall them at a later time.

















MDaemon 20.0.4 - January 12, 2021


MDaemon 20.0.3 - October 20, 2020



MDaemon 20.0.2 - September 22, 2020


MDaemon 20.0.1 - August 18, 2020


[16827] The network resource access settings at Setup | Preferences | Windows Service now configure the MDaemon service (and the Remote Administration and XMPP Server services) to run as the specified account, instead of MDaemon running as SYSTEM and then it running specific processes and threads as that account. The installer will update the services to run as the specified account when updating to this version.

[23399] Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite existing clamd.conf.  If you have customized your clamd.conf you may need to review and make changes to clamd.conf after installation.



MDaemon 20.0.0 - June 16, 2020


[8930] Please carefully read the section in the full release notes labeled as task [8930] as it involves changes to the Active Directory integration system and you may find things that were broken in the past now starting to work. Please be aware of all changes made in that area and carefully read that section of these release notes.

[22733] MDaemon 20.0 requires Windows 7, Server 2008 R2, or newer.

[12190] Setup|Preferences|Miscellaneous has two new checkboxes that control whether system generated notification emails periodically sent to the Postmaster alias should also be sent to Global and Domain level administrators. By default, these options are both enabled. Domain administrators are restricted to receiving only those emails which are for their domain and the Release Notes. Global administrators receive everything including the Queue Summary report, Statistics report, Release Notes, 'No Such User' found (for all domains), Disk Error notifications, Account Freeze and Disable notifications for all domains (which, like Domain admins, they can unfreeze and re-enable), warnings about licenses and beta test versions about to expire, Spam Summary reports, and perhaps others as well. If you do not feel it appropriate for your administrators to receive these notifications you must disable these settings.

[22604] How autoresponders are stored has changed. The text for an accounts autoresponder is now stored as OOF.MRK within the account's DATA folder which is a new sub-folder inside the account's root mail folder. Autoresponder script files are no longer kept in the APP folder and they are not shared between accounts. When MDaemon starts for the first time it will migrate all existing autoresponder files and settings to the correct places for every account. The AUTORESP.DAT file is obsolete and will be deleted along with every account specific .RSP file (OutOfOffice.RSP and non-account specific files will remain for reference and sample purposes). If you wish to quickly assign a single autoresponder configuration to multiple accounts you can use the new Publish button found at Account Editor|Account Settings|Autoresponder. This button will copy the existing autoresponder script text and all settings for the current account to other accounts that you select. There is also a button at Accounts|Account Settings|Autoresponders|Settings that lets you edit the default autoresponder script (OutOfOffice.rsp). This default is copied into an accounts OOF.MRK if the OOF.MRK is missing or empty.

[22738] How account signature files are stored has changed. Signature files are now stored as SIGNATURE.MRK within the account's DATA folder which is a new sub-folder inside the account's root mail folder. When MDaemon starts for the first time it will migrate all existing signature files to the correct places for every account. The root MDaemon Signatures folder will no longer contain account specific signature files however it remains in place as it may still contain items needed by WebAdmin and the Content Filter. The original Signatures folder was backed up to \Backup\20.0.0a\Signatures\ prior to migration. Finally, every account's ADMINNOTES.MRK has been moved from the account's root mail folder to the new DATA sub-folder.

[8014] Security|Spam Filter|White List (automatic) has had the default value changed to disabled for the option '...only whitelist addresses that authenticate using DKIM'. Having this enabled turns out to be a little restrictive for many and prevents address book whitelisting from working for MultiPOP and DomainPOP mail. Re-enable the setting if this is not to your liking.

[22512] Setup|Preferences|UI 'Center all UI dialogs' has been reset to a default of 'enabled' for everybody. If you prefer otherwise you can disable it. This prevents screens from being created partially out of frame (which is better IMO) but it also makes multiple overlapping screens harder to select at times.

[22515] Security|Security Manager|Screening|Location Screening - The default for this feature has been changed from disabled to enabled. When Location Screening is enabled the connecting country/region will always be logged (if known) even when the particular country/region is not being actively blocked. So, even if you do not wish to block any country you can still enable Location Screening (without selecting any countries to block) so that country/region can be shown and logged. Since the default setting for this has changed upgraders should take a look at their Location Screening configuration for correctness. MDaemon will insert the header 'X-MDOrigin-Country' that lists the country and region for content filtering or other purposes.

[19910] The hard-coded fixed size limit of 2 MB for spam filter scans has been removed. There is now no theoretical limit to the size of a message that can be spam scanned. It is still possible to configure your own limit in case this is a problem but configuring 0 (zero) now means no limit. Additionally, the size limit has been converted from KB to MB and your existing value has been automatically converted or set to zero. You should check it at Security|Spam Filter|Settings and make sure this value is set how you want.

[21527] Added 'Sender Domain' and 'Recipient Domain' columns to the Queues screens in the main UI. As a result of this a one-time reset of saved column widths had to be done. Once you set the column widths to your liking they will be remembered.

[18617] By default now the Host Screen is applied to MSA connections. You can disable this at Security|Security Manager|Screening|Host Screen if you like.

[2356] By default MDaemon IMAP, WebMail, and ActiveSync servers no longer provide access to the shared folders of disabled accounts. You can change this with a new settings at Setup|Server Settings|Public & Shared Folders.


[14587] Clustering

MDaemon's new Cluster Service is designed to share your configuration between two or more MDaemon servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple MDaemon servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. More information on setting up MDaemon in a cluster can be found in the MDaemon Help file.

[17087] REQUIRETLS (RFC 8689)

The RequireTLS effort in IETF is finally finished. Support for this has been implemented. RequireTLS allows you to flag messages which MUST be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. For a complete description of RequireTLS see the RFC specification and especially the Abstract, Introduction, and Security Considerations sections.

RequireTLS is enabled by default. You can disable it with a new switch at Security|Security Manager|SSL & TLS|SMTP Extensions. It's fine to leave the service enabled. Only messages specifically flagged by a rule you must create using a new Content Filter action or messages sent to <local-part>+requiretls@domain.tld (for example, are subject to the RequireTLS process. All other messages are treated as if the service was disabled. Several requirements must occur before a message will be sent using RequireTLS. If certain of them fail the message will not be sent and will bounce back rather than be sent in the clear. The requirements are:

RequireTLS requires DNSSEC lookups of MX record hosts, or the MX must be validated by MTA-STS. You can configure DNSSEC at Security|Security Manager|SSL & TLS|DNSSEC by specifying criteria whereby lookups will request DNSSEC service. DNSSEC requires appropriately configured DNS servers which is your responsibility. MDaemon's IP Cache and MX Hosts files have been updated to accept DNSSEC assertions. There's a new checkbox at Setup|Server Settings|DNS & IPs|IP Cache and you'll find fresh instructions at the top of the MX Hosts file for how to take advantage of this.

RequireTLS is an important advance against several possible attacks on email security and we are proud to have been a participant in this effort. Hopefully in the coming year all mail systems will deploy this.


MDPGP now supports encrypting messages between domains using a single encryption key for all users. For example, suppose 'Domain-a' and 'Domain-b' wish to encrypt all emails sent between them but do not wish to setup and police individual encryption keys for every user account within the domain. This can now be done as follows:

'Domain-a' and 'Domain-b' each provide the other with a public encryption key via any method they like. For example, they can email the keys to one another by right-clicking on an existing public key in the MDPGP UI and selecting 'Export & Email Key.' If they wish to create new keys dedicated for this purpose they can click the 'Create keys for a specific user' button and choose the '_Domain Key (domain.tld)_ <anybody@domain.tld>' item which has been put there for this purpose (although any key will work). Once each side has received the other's key they click the 'Import Domain's Key' button on the MDPGP UI and enter the domain name to which all emails will be encrypted using the provided key. The system does not create a key in the dropdown list for every one of your domains. You can use the key that is provided for all your domains or you can create domain specific keys yourself if you wish.

If either side already has a public key they wish to use and it is already on the key-ring they can right-click on the key in the MDPGP UI and select 'Set as a Domain's Key'.

Do not use a key for which you also have the corresponding private key. If you do, MDPGP will encrypt a message and then immediately see that the decryption key is known and promptly decrypt that very same message.

At this point MDPGP creates a Content Filter rule called 'Encrypt all mail to <domain>' which will invoke the encryption operation on every email sent to that domain. Using the Content Filter means that you can control this process by enabling or disabling the Content Filter rule. You can also tweak the rule to fine-tune the criteria you wish to employ before messages are encrypted (for example, maybe you want to do this same thing but for two domains or for only certain recipients within the domain). The Content Filter provides the flexibility to achieve this.


MDPGP has a new checkbox and setup button where you can map IP addresses to specific encryption keys. Any outbound SMTP session delivering a message to one of these IPs will first encrypt the message using the associated key just prior to transmission. If the message is already encrypted by some other key no work is done. This is useful (for example) in situations where you want to make sure all messages sent to certain key partners, suppliers, affiliates, etc are always encrypted.


The Mailing List Editor|Routing screen has some new options which will allow for macros to be used within the message body of list posts. This will allow you (for example) to personalize each list message. Macros have been supported for a long time in list mail header and footer files but never the message body until now. Since the macros are related to individual list members this option is only compatible with lists that are configured to "Deliver list mail to each member individually." That's why these options are on the Routing screen. For security purposes (probably you don't want all list members to be able to use this) you can select a checkbox which requires that the list's password be provided or no macros will be expanded. The list password is an old setting and can be found on the Moderation screen. If you don't provide a password that means any list member with "Write" privileges will be able to submit a post with macros so I recommend using a password /or/ enabling this feature for lists that have all "Read-only" members but who knows, it's up to you really. Here are the current macros available for use:

The list member name parsing code can handle "First Last" and "Last, First" formats OK.


Security|Security Manager|Screening|Hijack Detection has been improved. There are some new controls which will cause MDaemon to count the number of times that an authenticated user tries to send an email to an invalid recipient. An invalid recipient is defined as a 5xx error code in response to a RCPT command when trying to send the user's mail. If too many of these errors occur within too short a time frame you can have MDaemon freeze the account (the postmaster will get an email about this and they can respond to re-enable the account). This is a powerful measure to protect against accounts who have had their passwords stolen and are blasting out spams. I'm assuming that most of the attempted spams will result in a "5xx User Unknown" error fairly often. This should help prevent hijacked accounts from doing too much damage.

As part of this work the From Header Modification controls had to be moved to their own screen to make room for the new hijack detection controls. The From Header Screening settings can now be found at Security|Security Manager|Screening|From Header Modification.


MDaemon now has a dedicated queue for deferred messages. Messages are deferred as part of the Message Recall and Deferred-Delivery header support. Previously, the INBOUND queue was clogged up with deferred messages slowing down the system from delivering non-deferred mail. You can see there is a Deferred queue listed with the other queues in the tool window now and there's a Deferred sub-tab of the Queues root-tab so you can inspect the content of the DEFERRED queue. Messages in the DEFERRED queue are placed there by the system and have the date they are set to leave the queue encoded into the file name. MDaemon checks the DEFERRED queue once per minute and when it's time for messages to leave the queue they are moved to the INBOUND queue and subject to normal message processing/delivery. Activity is logged to the Routing tab/log file.

The Message Recall system no longer requires any delay or time spent in the DEFERRED queue. So, you can set the delay time to 0 if you want. However, this risks the strong possibility of the message you want to recall being delivered so a delay of at least 1 or 2 minutes is recommended. Otherwise you give your users very little time to realize they want to recall, send the recall request, and have time left over for MDaemon to process the request. But, also consider that since the recall system is now able to remove recalled messages from the remote queue(s) where there might already be a delay it didn't seem necessary to force a second delivery delay by making you use the DEFERRED queue needlessly. However, if you have your MDaemon setup to immediately deliver everything that gets into the remote queue(s) the instant it arrives there then you should consider using a delay value (something besides 0); otherwise recall won't have time to remove mail from the remote queue(s).

MDaemon now tracks the Message-IDs of the most recent email sent by each authenticated local user. This means users can recall the last message they sent (but only the last message they sent) simply by putting RECALL (alone by itself) as the Subject in a message sent to the mdaemon@ system account. There is no need to find and paste the Message-ID of the message you want to recall when it is the last message sent that needs to be recalled. Recalling any other message still requires the Message-ID be included in the Subject text or the original message from the users SENT folder attached to the recall request.

In addition to remembering the most recent email sent by each authenticated user MDaemon also remembers the locations and Message-IDs of the last 1000 emails sent by all authenticated users. This completely eliminates any need to ever iterate across mail folder content which would be a prohibitive performance drain. There's a new control at Setup|Server Settings|Message Recall that will allow you to increase this 1000 value if you want (if you have a busy server). Recall attempts will fail if the message being recalled isn't within the last 1000 emails sent (or whatever value you set). This has made it possible to recall messages right out of user mailboxes even after they've been delivered. So, messages will disappear from user mail clients and phones if they are recalled.

Messages sent to multiple recipients will ALL be recalled by a single request. The Message Recall system does not work without the X-Authenticated-Sender header to provide security and keep others from recalling messages they did not originate. Therefore, the option to disable this header (found at Setup|Preferences|Headers) will be overridden if Message Recall is enabled.


The Security root-tab has a new sub-tab called 'Auth Failures' and there is a corresponding new log file. This tab/log will contain a single line with details on every SMTP, IMAP, and POP logon attempt that fails. The information includes the Protocol used, the SessionID so you can search other logs, the IP of the offender, the raw Logon value they tried to use (sometimes this is an alias), and the Account that matches the logon (or 'none' if no account matches).

You can right-click on a line in this tab and have the IP address of the offender added to the blacklist(s).


Several places in the code that forward messages have had authentication capability added. This means that several files in the \APP\ folder including forward.dat, gateways.dat, MDaemon.ini, all Mailing List .grp files, and possibly others now have the potential to contain obfuscated logon and password data in a very weakly encrypted state. The encryption is strong enough to defeat an over-the-shoulder glance but it is not strong enough to defeat hackers. As we always warn you, use the operating system tools at your command and any other measures to secure the MDaemon machine and directory structure from unauthorized access.

[4915] The Setup|Server Settings|Servers & Delivery|Unknown Mail screen has had new options added which let you specify an AUTH logon and password for use with the host value specified on that screen. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[9333] The Mailing List Editor|Routing screen has had new controls added which let you specify an AUTH logon and password for use with the host value specified on that screen.

[22385] The Gateway Manager|Forwarding screen has had new options added which let you specify an AUTH logon and password for use when forwarding a message to another domain/host. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[22413] The Gateway Manager|Dequeueing screen has had new options added which let you specify an AUTH logon and password for use when dequeueing mail to a remote domain/host/IP. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[22427] The Account Editor|Account Settings|Forwarding screen has had new options added which let you specify an AUTH logon and password for use when forwarding mail to a remote domain/host/IP. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.


Setup|Server Settings|Host Authentication is a new screen where you can configure port, logon, and password values for any host. When MDaemon sends SMTP mail to that host the associated credentials found here will be used. Please note that these credentials are a fallback and are only used when other more task specific credentials are unavailable. For example, if you configure a logon and password using the new Account Editor forwarding controls (see task 22427 above) or the new Gateway Manager|Dequeueing controls (see task 22413 above) or any of the many other task specific settings then those credentials are used and they supersede what is configured here. This feature works with host names only (not IPs). I was able to easily code for one or the other (for now) so host names are more user friendly. Also please note that the UI for this is simple and doesn't (please Lord) need complication.

Many years ago I added logon and password capability to the MXCACHE.DAT file as a quick-fix for customers with immediate needs. This remains in place however the logon and passwords in that file are unencrypted. You now have the same functionality with this new Host Authentication feature so you no longer need to hack the MXCACHE.DAT file. Host Authentication uses HostAuth.dat where logon and password data is encrypted (however weakly) and it has a UI so it's better than MXCACHE.DAT hacks. If you want you can manually edit HostAuth.dat with notepad and enter plain-text logon and password values (which MDaemon will encrypt for you). See the instructions at the top of HostAuth.dat for how to do it.


Queues|Mail Queues|Custom Queues has been improved. You can now specify a host, logon, password, SMTP return-path, and port for any remote queue. If provided, all messages in the queue are delivered using these new settings. However, it still remains possible in some circumstances that individual messages within the queue might have their own unique delivery data and if so then that data takes priority over these new settings. This is by design and is not a mistake.

Now, the UI for this leaves something to be desired but it can't be improved right now. The UI does not (and will not) show logon and password data in the list-view. The UI cannot edit an existing entry (you must delete and recreate an entry to change it). The UI Add and Remove buttons do their work instantly - there is no pressing CANCEL to undo changes. If you make changes they are done. Please don't ask for a better UI because I can't do it. But these limitations are minor compared to the functionality gained. You can now setup as many remote queues as you want, filter mail into them using the Content Filter based on whatever criteria you choose, give to each queue its own delivery schedule, and have completely different routing take place based on your wishes.


[16798] For some time Domain Sharing has performed lookups on SMTP MAIL sender values as needed. However, messages were often refused with 'Authentication Required' and yet there is no way authentication can be performed when the sender account resides on a different server. This has been addressed and MDaemon can accept mail from accounts that are found to exist on other servers without requiring authentication. This can be disabled with a new checkbox at Security|Security Manager|Sender Authentication|SMTP Authentication. If you would rather not perform Domain Sharing lookups on the SMTP MAIL sender at all you can completely disable that with a new checkbox at Setup|Server Settings|Domain Sharing. These checkboxes are enabled by default.

[8504] Setup|Server Settings|Domain Sharing has a new checkbox that enables sharing of mailing lists. When a message arrives for a mailing list a copy is created for each Domain Sharing host that also keeps a version of that list (a query is made to check). When these hosts receive their copies they will make delivery to all the members of that list which they serve. In this way mailing lists can be split across multiple servers with no loss in functionality. For this to work each Domain Sharing host must include the other hosts IPs in their Trusted IP configuration (Security|Security Manager|Security Settings|Trusted IPs). Otherwise list messages might be refused with a 'Sender is not a member of the list' type error.

[8723] Setup|Server Settings|Domain Sharing has a new Advanced button which opens a file where you can configure domain names that are allowed to use Domain Sharing. When nothing is in this file (the default condition) then all your domains can use Domain Sharing. See the instructions at the top of the file for more information.


[12628] Setup|Preferences|Miscellaneous has a new checkbox that allows administrators to prevent account mail forwarding from sending emails outside the domain. If a user configures mail forwarding for their account to send to a foreign domain the message will be moved to the Bad Message queue. This setting only applies to messages that are forwarded using the mail forwarding options for the account.

[12791] The Account Editor|Forwarding tab has a new 'Schedule' button that will let accounts configure a schedule for when forwarding starts and stops. Also, this is included in the Account Templates as well. These settings configure the date and time forwarding starts and the date and time that it stops but forwarding will only happen on the days of the week you select.

[12927] The Forwarding Address field in the New Account Template now works with account macros. The only macros with data at the point of new account creation however are those related to the account user's full name, domain, mailbox, and password values. So (for example) if you want every new account to forward to the same email address but at a different domain you can put this in the Forwarding Address field: $MAILBOX$ Macros also work in the Send As, AUTH Logon, and AUTH Password fields (these are new) in case that is useful for you.

[12455] Forwarding a message now updates the forwarding account's last access time (ie the LastAccess=date gets updated in the account's hiwater.mrk file). This means that accounts which do nothing else but forward mail are no longer potentially deleted for inactivity. Note that forwarding must actually occur and not be defeated by other configuration options such as restrictions on where the forwarder can send mail or being 'off-schedule' (see 12791 in this document), etc. Just having a forwarding address configured will not automatically flag the account as active - the forwarding needs to actually happen.


[15076] & [15265] Security|Security Manager|Sender Authentication|SMTP Authentication has had two new options added. 'Do not allow authentication on the SMTP port' will completely disable AUTH support over the SMTP port. AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. Also, '...add their IP to the Dynamic Screen if they attempt it anyway' will add the IP address of any client that attempts to AUTH when AUTH is disabled to the Dynamic Screen. The connection will also be immediately terminated. These settings are useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.


[10458] The Account Manager has been improved. You can now select accounts that are enabled, or are using MultiPOP, or are near quota (70%), or are near quota (90%), or are not forwarding. You can also search the account description field for any text you want and select accounts based on that.

[14105] The Account Manager right-click menu has had new options added which let you add or remove all the selected accounts from or to mailing lists and groups.

[23083] The Account Manager right-click menu has a new option which lets you copy an existing account when creating a new account. All settings of the existing account are copied to the new account except Full Name, Mailbox, Password, and Mail Folder.

[11427] The Account Editor|Account Settings|IMAP Filters has a new button called Publish that adds the new rule to the account being edited and to every other account in that account's domain. This should save some time when a rule is needed for everybody. Also fixed a problem with the rule editor which was allowing duplicate rules to be added.


[9921] The Domain Manager|Host Name & IP screen has a new settings that lets you enable "Do Not Disturb" for a domain. When active the domain will refuse all connections from all users for all services but still accept messages from the outside world. You can schedule when 'Do Not Disturb' starts and stops. For example, if you configure April 1, 2020 to May 31, 2020 from 5:00pm to 7:00am, Monday thru Friday then this means that no mail services will be available for that domain's users on those days of the week beginning at 5:00pm and resuming at 7:01am so long as the current date falls between April 1 and May 31, 2020. Erasing the scheduled start date deactivates the schedule (and has the effect of putting the domain on 'Do Not Disturb' forever).


MDaemon's simple message archiving system has been changed to be more efficient and consistent. Setup|Server Settings|Archiving now does its work as follows: When a message is delivered from the Local Queue(s) to a user's mail folder an archive copy will be created at that time (in the 'IN' folder of the recipient if so configured). When a message is picked up from the Remote Queue(s) for SMTP delivery (whether delivery succeeds or not) an archive copy will be created at that time (in the 'OUT' folder of the sender if so configured). You will see lines like "ARCHIVE message: pgp5001000000172.msg" in the Routing log or you might see lines like "* Archived: (archives)\company.test\in\frank@company.test\arc5001000000023.msg" in the Routing log when Local and Remote mail is processed.

Mailing list traffic is never archived. Spam is never archived (the option to do so has been deprecated and removed from Setup|Server Settings|Archiving). Messages with viruses are never archived. System level messages are never archived and finally autoresponders are never archived.

A 'ToArchive' queue now exists as a system queue (not exposed in the UI). This queue is checked at regular intervals for messages which have been dropped there (manually, or by a plugin, or otherwise). When messages are found here they are immediately archived and deleted. If messages are found which are not eligible for archiving then they are simply deleted. The name of the queue is \MDaemon\Queues\ToArchive\. The Routing screen/log will show details whenever a message is successfully archived.

[20579] Archiving of encrypted messages is now handled more consistently. By default unencrypted copies of encrypted messages are stored in the archive. If a message can't be decrypted then the encrypted form will be stored instead (because what other choice is there?) If you would rather have encrypted versions stored then you can check a new checkbox at Setup|Server Settings|Archiving.

[22693] Setup|Server Settings|Archiving has an option to archive messages sent to public folder submission addresses. This is especially needed now that submissions addresses are not required to be an actual account on the server (see 12311 below). This option is enabled by default.


[15960] Setup|Server Settings|Logging|Settings screen ran out of room so some of the items had to be moved to a new screen called (drum roll please) Setup|Server Settings|Logging|More Settings. This was necessary as part of the task to prevent the creation of log files for items which have logging disabled. For example, if you disable 'Log SMTP activity' then there is no reason to create an empty SMTP log file. MDaemon no longer creates empty log files. When items are disabled on this screen their associated log file will not be created at all on startup. Log files that may already exist when an item is disabled are left in place (not removed). If a log file is missing when an item is enabled then the required log file will be created instantly. For example, if you have not been logging POP activity there will be no POP log file. If you then enable POP logging the required log file appears. From now on we do not carry around empty log files for services we don't use (or services we do use but don't care about logging). This change applies to all log files that the core MDaemon engine manages (which is most of them). Log files for Dynamic Screening, Instant Messaging, XMPP, WDaemon, and WebMail run external to MDaemon and haven't been updated so they behave as before. But, we are getting closer to perfecting the logging system. As a result of this work if you change the logging 'mode' option at Setup|Server Settings|Logging|Log Mode MDaemon must be restarted.

[22480] Several logging related changes such as making ATRN session logs look correct; making all logs consistent in colors and how they log Session and Child IDs; the MultiPOP server no longer tears-up and tears-down sessions for accounts that are already over quota and therefore there is no longer wasteful logging in these cases.

Also, the Router log was only logging INBOUND and LOCAL queue message parsing. It now also logs REMOTE queue parsing when delivery attempts are made. This way you don't have to search the Router log and the SMTP(out) logs to see when a message was processed.


[8930] Use of Active Directory groups with MDaemon has been debugged and now works as expected. When you add someone to an Active Directory group they will be added to MDaemon. When you remove someone from an AD group their MDaemon account will be disabled (but not outright deleted - I'm relunctant to do that in a automated way as it results in the complete loss of account folders and mail data which I feel is something best left to an admin to do directly).

Within Active Directory adding a user to a group or adding a group to a user (either way) is not considered a change to the user (which MDaemon is looking for and needs) but it is considered a change to the group only. This fact caused me a lot of headaches. To solve this issue (in addition to a lot of new code) MDaemon needs a search filter that looks for changes to the group AND changes to users who are members of the group. The query for the group change is needed because MDaemon now tracks the 'members' attributes that are returned. The query for users who are members of the group is needed because that's where the user's data comes from. The group query doesn't return that.

So, to setup a proper search filter for a group called 'MyGroup' this will work:

(|(&(ObjectClass=group)(cn=MyGroup)) (&(objectClass=user)(objectCategory=person)(memberof=cn=MyGroup,ou=me,dc=domain,dc=com)))

Replace the 'ou=' and 'dc=' bits with something appropriate to your network.

There is still some room for improvement here during the v20 series but this is finally working correctly now (let's hope).

[12696] When you configure 'Alias=%proxyAddresses%' in ActiveDS.dat MDaemon will create an alias for every value returned by that attribute so long as it's an SMTP type address (X500 and other types are ignored).

[16403] Accounts|Account Settings|Active Directory|Authentication has a new control that lets you specify a separate (different) search filter for contact searches. Previously, contact searching was done using the user search filter. There's also a separate test button for the contact search filter. AD searches have been optimized so that when the search filters are identical a single query updates all data. When they are different two separate queries are necessary. The layout and labels on some of the controls on this screen had to be modified to make things fit. Also, the Page Size control was removed. It can still be manually altered if more than 1000 is needed.

[20853] The following fields have been added to the ActiveDS.dat file templates so that they are included in contact records when Active Directory monitoring creates/updates address books: abTitle=%personalTitle%, abMiddleName=%middleName%, abSuffix=%generationQualifier%, abBusPager=%pager%, abBusIPPhone=%ipPhone%, abBusFax=%FacsimileTelephoneNumber%. If these create problems for you or you don't want them included when contacts are created you can comment out these templates in ActiveDS.dat using notepad.

[6444] The ActiveDS.dat file [CharacterConvert] processing has been improved to allow single characters to be replaced with two characters (for example, ß will be converted to SS). Open ActiveDS.dat with notepad to see the default conversions that will be made. Also, conversion will take place on the Alias values (if any) as well as the Mailbox value by default.

[11729] Public folder contacts will now be deleted when the associated account is deleted from Active Directory. The contact is only deleted if it was created by the Active Directory integration feature. A new setting at Accounts|Account Settings| Active Directory|Monitoring lets you disable this if you wish.

[22617] When Active Directory monitoring system creates or updates an account and finds a mailbox value that is too long to fit in MDaemon's limited space for the mailbox value it will truncate the mailbox value as before but now it will also create an alias using the full size mailbox value. Also when accounts and aliases are created the accounts Administrator Notes data will be updated for auditing purposes.

[22578] List Manager|Active Directory 'Test these settings' button result text was setup for localization. The results will also display the Base DN used for the test.

[22661] List Manager|Active Directory now allows you to enter an AD attribute for the full name field of list members. You can still specify only an email address AD attribute if you wish but to also fetch full name values for list members setup the AD attribute like this: 'displayName, Email' rather than just 'Email'. The first attribute specified should point to the AD attribute where the full name resides (usually that will be 'displayName'). The second is the email attribute.

[22589] Text which appears in the Active Directory screen/log is now setup for localization and colors added.

[22657] MDaemon no longer creates an account for an AD group object. Previously, when a search filter included an AD group MDaemon would create an account for that group. But what's really in mind here is to create accounts for members of an AD group and not for the AD group object itself - which lacks several properties necessary for a proper MDaemon account anyway.

[23019] Changes to account properties in Active Directory can trigger the recreation of that same account within MDaemon even when the account had previously been deleted using the MDaemon GUI (or web administration). To keep accounts from being recreated in this way a new checkbox has been added to Accounts|Account Settings|Active Directory|Monitoring. The checkbox is enabled by default (don't recreate accounts deleted using the GUI).


[22613] 'From Header Modification' has been renamed 'From Header Screening' and some new features have been added. Security|Security Manager|Screening|From Header Screening has a new checkbox that will check 'From' header display-names for anything that looks like an email address. If one is found and it does not match the actual email address then it is replaced with the actual email address. For example, if the 'From:' header looks like this: From: "Frank Thomas <>" <> then it will get changed to this: From: "Frank Thomas <>" <>. This option is disabled by default. Also, there's a new checkbox to apply all the settings on this screen to non-authenticated mail only. As before, only messages to local users are eligible for these settings.


MDaemon can check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service. If a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the password before and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks. Unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.

At Accounts | Account Settings | Other | Passwords, MDaemon has an option to not allow an account's password to be set to one that is found in the list. It can also check a user's password every so many days when they log in, and if it is found, send a warning email to the user and postmaster. The warning emails can be customized by editing message template files in the \MDaemon\App folder. Since instructions for how a user should change their password may depend on whether the account is using a password stored in MDaemon or using Active Directory authentication, there are two template files, CompromisedPasswordMD.dat and CompromisedPasswordAD.dat. Macros can be used to personalize the message, change the subject, change the recipients, etc.


The MTA-STS effort in the IETF has finished. Support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS is enabled by default. It can be disabled at Security|Security Manager|SSL & TLS|SMTP Extensions.

To set up MTA-STS for your own domain, you will need a MTA-STS policy file that can be downloaded via HTTPS from the URL https://mta-sts.domain.tld/.well-known/mta-sts.txt, where "domain.tld" is your domain name. The policy text file should contain lines in the following format:

version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400

Mode can be "none", "testing", or "enforce". There should be an "mx" line for each of your MX hostnames. A wildcard can be used for subdomains, such as "*.domain.tld". Max age is in seconds. Common values are 86400 (1 day) and 604800 (1 week).

Also needed is a DNS TXT record at _mta-sts.domain.tld, where "domain.tld" is your domain name. It must have a value in the format:

v=STSv1; id=20200206T010101;

The value for "id" must be changed every time the policy file is changed. It is common to use a timestamp for the id.

[21595] SMTP TLS Reporting (RFC 8460)

TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, MDaemon will send a report daily to each STS-enabled domain that it has sent (or attempted to send) mail to that day.

TLS Reporting is disabled by default. It can be enabled at Security|Security Manager|SSL & TLS|SMTP Extensions. Also make sure DKIM signing is enabled (at Security|Security Manager|Sender Authentication|DKIM signing) because TLS Reporting emails are supposed to be signed.

To set up TLS Reporting for your domain, you must create a DNS TXT record at _smtp._tls.domain.tld, where "domain.tld" is your domain name, with a value in the format:

v=TLSRPTv1; rua=mailto:mailbox@domain.tld

Where mailbox@domain.tld is the email address you want reports for your domain to be sent.


















MDaemon 19.5.5 - March 23, 2020


MDaemon 19.5.4 - February 4, 2020


MDaemon 19.5.3 - December 12, 2019


MDaemon 19.5.2 - December 10, 2019


[17138] The "Max RSET commands allowed" options at F2|Server Settings|Servers have been removed since they are essentially less flexible duplicates of the same functionality found at Ctrl+S|Screening|SMTP Screen. The SMTP Screen version is part of the Dynamic Screening system which takes into account more factors (ie..has a white list, considers authentication status, etc). Your old values from the F2|Server Settings|Servers settings have been moved to the SMTP Screen. Please check Ctrl+S|Screening|SMTP Screen to make sure the values there are as you expect. Correct defaults (and recommended) are 20 for the RSET maximum and "Close SMTP session after blocking IP" should be checked/enabled.



MDaemon 19.5.1 - November 4, 2019


[22444] The LetsEncrypt functionality has been updated to use ACME v2. This update is required because LetsEncrypt is discontinuing support for ACME v1. PowerShell 5.1 and .Net Framework 4.7.2 are now required in order to use LetsEncrypt.


MDaemon 19.5.0 - October 15, 2019


[21908] Some settings, such as the registration keys, have been moved from \MDaemon\App\MDaemon.ini to \MDaemon\LocalData\LocalData.ini. If you need to revert to a previous version, they will not find the settings at their new locations, so their installers will ask you to enter a registration key. This can be avoided by copying the settings back to MDaemon.ini, or restoring a backup of MDaemon.ini, first.


[21228] New Webmail Mobile theme

Webmail's Mobile theme has been replaced with a more modern GUI with more features. Message list features now include personalized categories, message snooze, sort by flagged/unread/snoozed, sort columns, and message recall. Calendar features now include Import/Export events as csv or ics files, add external calendars, private access links, publish calendar, and view multiple calendars at one time. Compose features now include deferred delivery, multiple signatures, text/html messages, and email templates. Other features include drag and drop email filters, multiple signatures editor, more folder management options, notifications, drag and drop column management, drag and drop categories management, and more. If running Webmail in IIS, additional configuration steps are needed. See KB article 1236 for more information.

[7402] Client signature management

Added the ability to configure a signature that is pushed to supported mail clients (Webmail and MDaemon Connector). A default client signature can be set at Setup | Server Settings | Client Signatures or it can be set per domain on the Domain Manager's "Client Signatures" screen. Use macros such as $CONTACTFULLNAME$, $CONTACTEMAILADDRESS$, to personalize the signature with data pulled from the user's contact in the domain's Public Contacts folder. Use the $ATTACH_INLINE:filename$ macro for inline images in the HTML signature. After entering signature text, it will appear in Webmail as the "System" signature, and will become the user's default signature. It can be enabled/disabled by default at Setup | Web & IM Services | Webmail | Settings or per domain on the Domain Manager's "Webmail" screen. For MDaemon Connector, the signature's name and related settings can be configured at Setup | MDaemon Connector | MC Client Settings | Signature. Requires MDaemon Connector 6.5.0 or newer, and "Push client settings to MC users" to be enabled. The $CLIENTSIGNATURE$ macro can be used in other mail clients to have the server add the client signature to messages.



MDaemon 19.0.3 - July 16, 2019


MDaemon 19.0.2 - June 13, 2019



MDaemon 19.0.1 - May 14, 2019


[21641] To simplify IIS configuration, the ISAPI DLLs MDMgmtWS.dll and MDDP.dll have been moved out of the \MDaemon\App directory and into \MDaemon\ISAPI\MDMgmtWS and \MDaemon\ISAPI\MDDP. If you had already set up IIS to reference these DLLs you will need to reconfigure IIS to access them from their new locations.



MDaemon 19.0.0 - April 16, 2019


[8811] MDaemon's disk space calculations were being made inconsistently in several places (for example, sometimes using 1000, sometimes using 1024 bytes for a kilobyte computation). This has been fixed to use 1024 consistently. As a result your users' disk space quota values may be slightly different than in previous versions. Please check and make whatever adjustments (if any) you feel are required.

[20595] The "Start MDaemon" Start Menu shortcut on new installs now defaults to opening a browser to MDaemon Remote Administration rather than opening an MDaemon Configuration Session. To change this, edit \MDaemon\App\MDaemon.ini and set [MDLaunch] OpenConfigSession=Yes/No and OpenRemoteAdmin=Yes/No, or use the "Open MDaemon Configuration Session" or "Open MDaemon Remote Administration" shortcuts instead of "Start MDaemon". Set the "Remote Administration URL" at Setup | Web & IM Services | Remote Administration | Web Server if the auto-generated URL does not work or if Remote Administration runs in an external web server. If a working URL cannot be determined, a Configuration Session will be opened instead.

[21263] The option "Only send antivirus update notification on failure" is now enabled by default, and when updating to MDaemon 19, it will be enabled the first time MDaemon starts up.

[19471] SyncML has been deprecated and removed.


[21118] TLS Server Name Indication (SNI) support

SNI allows a different certificate to be used for each of your server's hostnames. MDaemon will look at the active certificates and choose the one that has the requested hostname in its Subject Alternative Names field. If the client does not request a hostname, or no matching certificate is found, then the default certificate is used.

[19427] XML-API for Folder and Item Management

The XML-API has been expanded to include the ability to manage mailbox folders and items in the folders. Folders can be created, deleted, renamed, and moved using the API. Item operations support email, calendar, contacts, tasks, and notes. Items can be created, deleted and moved using the API. Full documentation can be found in the MDaemon\Docs\API\XML-API\ directory.



MDaemon 18.5.3 - March 15, 2019



MDaemon 18.5.2 - February 12, 2019



MDaemon 18.5.1 - November 13, 2018



MDaemon 18.5.0 - September 25, 2018


[18211] BlackBerry Internet Service feature integration has been deprecated and removed. The BIS service (if it still exists) will now interact with MDaemon as it would any other SMTP/IMAP server.

[20768] WAB functionality has been deprecated and removed from Ctrl+U|Other.


[19813] MDaemon Instant Messaging in Webmail

The WorldClient and LookOut themes now feature a browser-based XMPP client that lets users instant message without needing to run the MDaemon Instant Messenger desktop application or some other XMPP client application. Users can enable it from Webmail's Options | Personalize screen, "Enable MDaemon's Instant Messaging feature in browser". Admins can enable or disable instant messaging per domain using the Domain Manager, per account using the Account Editor, or per group using the Group Manager. It operates on ports 7070 (HTTP) and 7443 (HTTPS).

[19962] Exempt Webmail from Location Screening

Added a user option in Webmail to exempt Two Factor Authentication logins from Location Screening. If a user has BypassLocationScreeningTFA=Yes in the [User] section of their User.ini file, and Two Factor Auth is enabled for the user, Location Screening is bypassed. This allows users to login to Webmail in countries that would normally be blocked by Location Screening.

[20395] Improved AD Integration

Users whose accounts are set to use AD authentication can now change their AD password in Webmail if the "AllowADPasswordChange" setting is enabled in \MDaemon\WorldClient\Domains.ini. It is disabled by default.

[12576] Signature Macros

MDaemon signatures now support macros that insert contact information from the sender's contact in its domain's Public Contacts folder. This allows default and domain signatures to be personalized with the sender's information. $CONTACTFULLNAME$, for example, inserts the sender's full name, and $CONTACTEMAILADDRESS$ inserts the sender's email address. Use Webmail, MDaemon Connector, or ActiveSync to edit the public contacts. Blank values are used if no contact exists for the sender. See the documentation for a full list of supported macros.

The placement of MDaemon signatures can now also be controlled, if the sender wants them somewhere other than the bottom of the message. Use $SYSTEMSIGNATURE$ to place the default/domain signature, and $ACCOUNTSIGNATURE$ to place the account signature.



MDaemon 18.0.2 - June 12, 2018



MDaemon 18.0.1 - May 15, 2018



MDaemon 18.0.0 - April 17, 2018


[20008] Alt-N Technologies has changed its name to MDaemon Technologies. WorldClient is now MDaemon Webmail, WorldClient Instant Messenger is now MDaemon Instant Messenger, SecurityPlus is now MDaemon Antivirus, and Outlook Connector is now MDaemon Connector.

[19546] The MDaemon installer now includes MDaemon AntiVirus and MDaemon Connector, which are licensed separately.

[19512] The "From Header Modification" feature has changed. It operates as before however the format of the final modified From data has changed from this format: "Email -- Name" <Email> to this format: "Name (Email)" <Email>. This new format is more readable/usable/sortable etc. If you would rather keep the old format (your users may be used to it already) you can check a box at Ctrl+S|Screening|Hijack Detection|From Header Modification.

[19577] A past installer reset the option "Ctrl+S|Sender Authentication|SMTP Authentication|Authentication is always required when mail is sent from local IPs" to disabled for upgraders.  The installer has been changed to ignore this setting.  You must manually check that this option is set to your desire.  The default is for it to be checked (enabled) but you should check to be sure it is set how you want.

[19703] The following settings have had default values changed.  Existing installations should check to be sure the following settings are as desired: Ctrl+S|Security Settings|SSL & TLS|MDaemon: Enable the dedicated SSL ports... and SMTP server requires STARTTLS... options have had defaults changed from disabled to enabled. Ctrl+S|Security Settings|Sender Authentication|DMARC verification|Honor p=reject... has changed from disabled to enabled. Ctrl+S| Security Settings|Sender Authentication|SPF Verification|User local address in SMTP envelope...has changed from disabled to enabled. Ctrl+S|Security Settings| Screening|IP Screen|Apply IP Screen to MSA connections has changed from disabled to enabled. Ctrl+S|Security Settings|Screening|Host Screen|Drop connection after EHLO has changed from disabled to enabled.

[19612] Catalog functionality has been deprecated and removed from the UI.

[20220] All Virtru related support has been removed from MDaemon Webmail. Old encrypted messages can still be viewed in the Virtru Secure Reader.

[20339] Previously when a message was sent to an alias, MDPGP would encrypt it using the key for the actual email address. Now that same message won't be encrypted. To encrypt it now requires a key for the alias.


[19571] DNSSEC

Ctrl+S|SSL&TLS|DNSSEC allows you to request DNSSEC service from your DNS server(s). When enabled, MDaemon sets the AD bit when making DNS queries and checks for it in the answers. This may not work with all DNS server(s) (not sure) so you'll have to try with yours. DNSSEC service is only applied to messages that meet your selection criteria. DNSSEC service can be "requested" or "required" on a per-message basis. If "required" and DNS results fail to include authenticated data then the message is bounced back to sender. If "requested" then DNSSEC service is attempted but nothing happens if it fails.

Mail session logs will include a line at the top if DNSSEC service was used and "DNSSEC" will appear next to secure data in the logs.

IMPORTANT: MDaemon is a non-validating stub-resolver. This means that it will request authenticated data from DNS server(s) but it has no way to independently verify that the data it gets from them is secure. However, if you know/trust your connection to your DNS server(s) (for example, it runs on localhost or within a secure LAN or workplace) then you should use this as it will boost security.

DNSSEC lookups take more time and resource and I think less then 7% of domains have currently deployed it. That is why this is not configured to apply to every message delivery by default. However, if you want that, you can force every email sent to use DNSSEC by adding one line like "To *" into the configuration file (see Ctrl+S|SSL&TLS|DNSSEC).

[15288] Email Snooze

MDaemon Webmail was updated to allow a user to snooze an email. When a message is snoozed it will be hidden from the user for a designated period of time. To snooze a message, right click on it and choose the "Snooze for..." option in the context menu. Then choose how long you wish to snooze the message for. The "Choose a date and time" option is only available for browsers that support the date and time inputs. Hidden messages can be viewed in LookOut theme by clicking the "View Snoozed Messages" icon in the toolbar and WorldClient theme by choosing "view snoozed" from the view drop down menu in the toolbar. This feature is on by default. To turn off the feature, go to Options | Personalize, and find the Inbox Settings. Uncheck the "Enable Message Snooze" box. There are no snooze controls in Lite and Mobile theme, but snoozed messages are still hidden.

[1520] Public Calendars

In MDaemon Webmail users can publish a calendar to a publicly accessible link. Users have the option to password protect the calendar. To disable this globally, change the value of [Default:Settings] EnablePublicCalendars to No. To disable it on a per user basis, add CanPublishCalendars=No to a user's User.ini file. To publish a calendar, in LookOut or WorldClient theme, go to Options | Folders and click the "Share Folder" button next to the calendar you wish to publish. In the dialog, open the Public Access tab and if desired, fill in the display name or require a password, then click the "Publish Calendar" button. A confirm dialog will show up to tell the user what is about to happen. After clicking OK, an alert will display the new URL where the calendar is available. There will also be a link displayed on the page once the calendar has been published. To unpublish the calendar, click the "Unpublish Calendar" button. To change the password or the display name, click the "Update" button.

[10886] Remember Me

A "Remember Me" option has been added to the logon page of MDaemon Webmail. This feature is disabled by default. The default expiration is 30 days, and the maximum expiration setting is 365 days. It can be enabled in the MDRA GUI under Main->Webmail Settings->Settings. Users can check the "Remember Me" option on the logon page to be remembered on a specific device. Then if they have a bookmark with any of three View URL variables set (View=Main, View=Logon, or View=List) (or no View URL variable set), the user will be automatically logged in. Two Factor Authentication (2FA) is separate and will still be required when the 2FA remember me token expires.

[19865] "Remember Me" was also added to the Remote Administration logon page. This feature is disabled by default. The default expiration is 30 days, and the maximum expiration setting is 365 days. It can be enabled in the MDRA GUI under Main->Remote Admin Settings->Settings. Users can check the "Remember Me" option on the logon page to be remembered on a specific device. Two Factor Authentication (2FA) is separate and will still be required when the 2FA remember me token expires.

[19738] Exempt Known ActiveSync Devices from Location Screening

An option has been added to allow a previously known ActiveSync device to bypass location screening. Administrators can enable this option to allow users to continue to access their account via ActiveSync from a location that is configured to block authentication attempts. In order to exempt the device it must have connected and authenticated using ActiveSync within the time frame configured to remove inactive clients. To exempt a device go to Setup / Mobile Device Management / Clients, select the client and click Settings, then check the box for Exempt from Location Screening.

You can also choose to Whitelist the address the client is connecting from. This can be used to allow other clients that might be connecting from the same IP address to also bypass location screening.



MDaemon 17.5.3 - March 20, 2018


MDaemon 17.5.2 - December 19, 2017



MDaemon 17.5.1 - October 24, 2017


[19710] The Dynamic Screening option to freeze accounts after a number of authentication failures is now off by default. It will be turned off when updating to version 17.5.1. If you want to turn it back on, go to Security | Dynamic Screening | Auth Failure Tracking.



MDaemon 17.5.0 - September 26, 2017


[18481] BlackBerry Enterprise Server (BES) for MDaemon is not compatible with MDaemon 17.5 or newer. There will not be a new version of BES for MDaemon that is compatible. MDaemon's installer will disable BES if it is detected. Uninstall BES to not be prompted about it. Screens about BES have been removed from the MDaemon UI.

[10327] Added quarantine exclusion lists to allow password-protected files from or to configured senders and recipients. At Security | AntiVirus, enable "Allow password-protected files in exclusion list..." and click the "Configure Exclusions" button. Note that as of SecurityPlus 5.1.0, the ClamAV Plugin may quarantine password-protected files before the main AV engine can scan them. An option is to disable the ClamAV Plugin.



A geographically based blocking system has been developed which allows you to block incoming SMTP, POP, IMAP, WorldClient, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger connections being attempted from unauthorized regions of the world. A new screen has been added at Ctrl+S|Screening|Location Screening to configure this.

When the connecting IP is from a blocked country an entry can be logged in the Dyanmic Screening Log.


MDaemon's dynamic screening has been expanded to operate with SMTP, POP, IMAP, WorldClient, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger. Authentication failures are tracked across all of these services and IPs can be blocked for all of them. Settings are in the UI at Security | Dynamic Screening. The log is on the Plug-ins | Dynamic Screen tab. WorldClient's separate Dynamic Screening system has been removed.


PIM (calendar, contact, tasks, notes) items now support attachments.  Attachments may be added to a PIM item via WorldClient, Outlook Connector, or CalDAV/CardDAV.  When scheduling a meeting, any attachments will be sent to the meeting attendees.

LookOut and WorldClient themes - Implemented PIM attachments for Calendars. A new tab was added in the Calendar Edit view that allows users to add file attachments to an event/meeting. As long as a user has read access to an event, the attached files can be downloaded by the user. Only users with edit access can upload or remove attachments from a given event/meeting. Other themes will not be able to edit the attachments, but the attachments will not be lost when an event/meeting is edited.


A new checkbox on the MDPGP GUI enables/disables automatic transaction of public keys as part of the SMTP message delivery process. If enabled, MDaemon's SMTP server will honor an SMTP command called RKEY.

When sending an email to a server that supports RKEY MDaemon will offer to transmit the sender's then current and preferred public-key to the other host. That host will respond indicating that it either already has that key and thus no further work need be done ("250 2.7.0 Key already known") or that it needs that key in which case the key is immediately transferred in ASCII armored form right then and there ("354 Enter key, end with CRLF.CRLF") just like an email message. Keys that are expired or revoked are never transmitted. If MDaemon has multiple keys for the sender it will always offer up the key that is currently marked as preferred. If no key is preferred then the first one found is offered. If no valid keys are available then no work is done. Only public-keys that belong to local users are offered.

Public-key transfers take place as part of the SMTP mail session that delivers the message from the user. In order for the public-keys transmitted in this way to be accepted the public-key must arrive along with a message that has been DKIM signed by the domain of the key owner with the i= set to the address of the key owner which also must exactly match the From: header address of which there can be only one. The "key owner" is taken from within the key itself. Also, the message must arrive from a host in the sender's SPF path. Finally, the key owner (or his entire domain via use of wildcards) must be authorized for RKEY by adding an appropriate entry to the MDPGP rules file (instructions are in the rules file for this) indicating that the domain can be trusted for key exchange. All this checking is done automatically for you but you must have DKIM and SPF verification enabled or no work can be done.

The MDPGP log will show the results and details of all keys imported or deleted and the SMTP session log will also track this activity. When it works right your SMTP session logs will show details of key transactions and the MDPGP log file will fill with details.

This process tracks the deletion of existing keys and the selection of new preferred keys and updates all participating servers it sends mail to when these things change.



MDaemon 17.0.3 - August 29, 2017


MDaemon 17.0.2 - May 19, 2017


MDaemon 17.0.1 - May 16, 2017



MDaemon 17.0.0 - March 21, 2017


[17978] The option "Enable APOP & CRAM-MD5" found at F2|Server Settings|Servers has changed to disabled by default for security and technical reasons. Using TLS is the preferred way to avoid transmission of passwords in the clear.

[17977] The "Global AUTH Password" setting at Ctrl+S|Sender Authentication|SMTP Authentication has been deprecated and removed.

[18067] All settings related to ADSP found at Ctrl+S|Sender Authentication|DKIM Verification and a single option related to the use of the RS= tag found at Ctrl+S|Sender Authentication|DKIM Settings have been deprecated and removed.

[17337] In-browser WorldClient Instant Messenger (WCIM) has been removed from the LookOut and WorldClient themes due to incompatibility with the new XMPP WCIM server.

[8314] The option "Store mailbox passwords using non-reversible encryption" (see below) is disabled by default for existing installs to avoid breaking anything for anyone who depends on incompatible features, but for security reasons we recommend enabling it if you can.

[17122] WorldClient Instant Messenger (WCIM) now uses the XMPP protocol for instant messaging, which is not compatible with the old chat protocol. Users who do not update to the new version will not be able to instant message with users who have updated. Address book synchronization with Outlook has been removed from WCIM.


[17122] XMPP support for WorldClient Instant Messenger (WCIM)

WCIM now uses the XMPP protocol for instant messaging instead of WorldClient's proprietary protocol. This allows the WCIM desktop client to communicate not only with other WCIM clients, but any third-party XMPP clients (including mobile clients) connected to your MDaemon's XMPP server.

WCIM now has two types of connections, "WCMailCheck" which connects to WorldClient for new mail notifications and message counts, and "WCIMXMPP" which connects to the XMPP server for instant messaging. When updating to version 17, WCIM will automatically migrate IM contacts from the old system to XMPP and create a WCIMXMPP account.


A new screen has been added to Ctrl+W|WorldClient (web mail)|Dropbox. Here you will find controls where you can enter your Dropbox "app key", "app secret", and privacy policy text. All are needed in order to enable the integrated service and they are all obtained when you register your WorldClientas a Dropbox "app" by visiting the Dropbox website. We cannot do this for you but it only needsdoing once. Please see Knowledge Base article 1166 for complete instructions on how to register your WorldClient as an app with Dropbox.

Once the "app key" and "app secret" are configured WorldClient will be able to connect their accounts to a Dropbox account. The first time a user logs into WorldClient theme or LookOut theme, the user will be presented with a dropdown at the top of the page. The user has three options, view the dropdown on next login, never show it again, or go to the new Options | Cloud Apps view. On the Options | Cloud Apps view, the user can click the Setup Dropbox button. Doing so will open an OAuth 2.0 popup. The popup details what the user is connecting to, and what authorizations WorldClient is requesting. There is also a link to the privacy policy, and "Connect to Dropbox" button. Once the user clicks the "Connect to Dropbox" button, the page will navigate to Dropbox. If the user is not logged into Dropbox, Dropbox will present a site for them to either login or create an account. Once this step is completed, the user will be presented with another Dropbox page that asks if the user would like to allow WorldClient to have full access to his/her account. Clicking "Allow", will take the user back to WorldClient and tell the user whether or not the authorization was a success. This authorization is good for one week after which time the same screen is presented again and another access token is obtained and used for a subsequent week. Once authorization is completed, the user will be presented with a Dropbox icon next to each message attachment. Clicking the icon will result in the attachment being saved to the user's Dropbox account under the /WorldClient_Attachments folder.

In the Compose view for WorldClient and LookOut themes, users will be able to choose files from their Dropbox accounts by clicking the Dropbox icon in the HTML editor's toolbar (top left). This feature does not require the users to setup access to their accounts via the Options | Cloud Apps view and OAuth 2.0. It only requires the "app key" and "app secret".

Dropbox integration is disabled by default. The "Enable Dropbox Integration" checkbox will enable it for all users, or the admin can enable access on a per-user basis by adding "DropboxAccessEnabled=Yes" to the User.ini.



MDaemon 16.5.2 - November 29, 2016



MDaemon 16.5.1 - October 11, 2016



MDaemon 16.5.0 - September 13, 2016


[17268] F2|Server Settings|IPv6 has changed default to "off" (unchecked) for the option to use IPv6 with outbound hosts for new installs.  This option can cause delivery issues for those who are not prepared for IPv6.

[11436] F2|Logging|Log Mode option to "log by day of the week" (ie, Monday.log, Tuesday.log, etc) has been deprecated and removed. If you were using this option you are now using "log by date" (ie, MDaemon-2016-02-22-X.log, etc). As a result, the F2|Logging|Maintenance checkbox to overwrite log files is no longer necessary and has been removed. Also, there is a new setting added to F2|Logging|Maintenance which lets you set the number of .OLD backups that are created once the max log file size is reached (previously only one was possible). These backups are numbered (the number is part of the file name) with the newest data always first (for example, SMTP(out).log.01.old has newer data than SMTP(out).log.02.old, etc. Finally, added hyphens into the file name to make the date easier to read.

[17076] Ctrl+S|Sender Authentication|SMTP Authentication has a new checkbox which requires all incoming messages arriving from local IPs to use authentication and be rejected if lacking. Trusted IPs are exempt. This setting is enabled by default for first time new installs. However, it is disabled by default for upgraders to avoid delivery issues from clients or other services that don't authenticate and aren't currently listed as a trusted IP. Please enable this option if you can as it is a good security practice.

[16797] In previous versions, gateway address verification never verified senders (only recipients).  A new checkbox at Ctrl+G|Gateway Manager|Global Gateway Settings can toggle this behavior.  It is enabled by default which means this is a change from previous behavior.  It is now possible that messages sent from addresses which can not be verified will be refused whereas they may have been accepted before.  If this is not to your liking disable this option.

[4884] The logic behind the AccountPrune tool's message pruning operation has been changed. This tool is called when MDaemon needs to delete old messages from user and public mail folders. In the past this tool used the "last modified" date from the message file on disk. MDaemon now looks first at the Date: header within the message itself. If the Date: header is present and complies with standards then that date is used to determine message age instead of the file's "last modified" date. This represents a change from previous behavior.

[17099] F2|Logging|Maintenance has a new setting which governs the maximum number of days the SecurityPlus update log will keep data (MDaemon\SecurityPlus\avupdate.log). The new default setting is to keep data going back 30 days. At midnight each night, and the first time MDaemon starts up after upgrading, MDaemon will delete older data from this file.

[16924] As part of the work related to task 16924 (see below) some bugs preventing the immediate sending of "urgent" priority remote mail were found and fixed. Urgent priority messages are defined as message files who's name matches the pattern: "<root>\Queues\Remote\p?10*.msg".  Messages found with that file name pattern will now be properly detected and will trigger a remote queue processing event within 5 seconds regardless of scheduled remote queue processing timers (this was broken).  Also, RAW messages were always expanded out to queue as MD_PRECEDENCE_LOW (the lowest priority value) even when created with higher values.  As a reminder, "urgent" priority messages will trigger a queue run where "high" priority messages merely sort to the top of the queue and wait for the next scheduled queue run.  As a reminder, you can use F2|Server Settings|Priority Mail to define your own criteria for important mail that should trigger immediate queue runs. Finally, IMAP logon failures due to bad credentials were not being written to the event log when so configured (only SMTP and POP failures were). This has been fixed.

[11777] Mailing list digest messages are supposed to be UTF-8 but several bugs were preventing this from working. As a result of fixing these problems it is no longer possible to trigger digest delivery based on the number of lines in the digest data file. So the option to do so has been removed from Alt+G|<list-name>|Digest. Also, the API function MD_ListMaxLineCount has been changed to always return ZERO (meaning disabled). Next, the need for the DIGEST.MBF file is no longer present and so that file has been removed. The MD_ListInfo structure and API functions related to its DigestMBF member have been left in place however changes made to this member are not saved and always contain DIGEST as the value. Finally, the $BODY-DIGEST$ macro is no longer needed and has been removed.

[16664] LDAP: added checkbox to Ctrl+G|Verification and Ctrl+U|Active Directory|LDAP screens which lets you elect to chase referrals.  MDaemon now explicitly disables referrals for every LDAP connection it makes unless this checkbox is set. This represents a change from previous behavior which defaulted to always enabling referrals. That seemed to cause issues for people so it is now disabled always UNLESS you set these options to enable it.

[16698] Ctrl+S|Sender Authentication|SMTP Authentication has a new setting which requires the credentials used for AUTH to match those of the address in the FROM header.  This prevents cases in which one person authenticates as user X while claiming to be user Y within the message.  This is similar to the existing setting we've always had which compares against the return-path value. The wording of that option was also slightly changed. This switch is enabled by default and handles aliases as if they were the real account email.

[17465] Ctrl+S|Sender Authentication|SMTP Authentication screen has two options related to forcing authentication credentials to match something else about the message (either the return-path or the From: header address). Both of these options can potentially cause issues for gateway mail storage/forwarding. Therefore a third option has been added to Ctrl+G|Gateway Manager|Global Gateway Settings which exempts gateway mail from them both. This option is enabled by default.

[16638] MDPGP: Several default settings related to MDPGP use have been changed. If you are installing for the first time or have never accessed the UI to view these settings then these are your settings now so please check them carefully. If you are updating a previous installation and have accessed the MDPGP UI in the past then your existing settings are untouched however you may wish to check and change your settings as follows:

All these options can be found within the MDPGP GUI which is accessible from the Security top-level menu.  Even though several of these settings are now enabled by default (including the entire MDPGP server itself) no work will be or can be done until keys are known and have been added to the key-ring. With this version of MDaemon there are a lot more ways to automate getting that done. Yet this may not be desired in all cases. Please check and change settings to meet your needs.

[17263] When MX record lookups during message delivery result in a DNS server failure result then the message will be left in the queue for attempted delivery during the next processing cycle. This change is in conformity with RFC guidelines. Previously, MDaemon would attempt direct delivery and, failing that, immediately bounce the message in some configurations.

[17522] This version of MDaemon is not compatible with old versions of BlackBerry Enterprise Server (BES) for MDaemon. BES will be disabled when MDaemon is installed. To continue running BES, update to BES for MDaemon version 2.0.3 after updating MDaemon.



WorldClient: WorldClient has been taught to be a very basic public-key server. A new checkbox on the MDPGP GUI enables/disables this. If enabled, WorldClient will honor requests for your users' public-keys. The format of the URL to make the request looks like this: "http://<WorldClient-URL>/WorldClient.dll?View=MDPGP&k=<Key-ID>". Where <WorldClient-URL> is the path to your WorldClient server (for example, "") and <Key-ID> is the sixteen character key-id of the key you want (for example, "0A1B3C4D5E6F7G8H").  The key-id is constructed from the last 8 bytes of the key fingerprint - 16 characters in total.

DNS (PKA1): MDPGP now supports collection of public-keys over DNS using PKA1. A new checkbox on the MDPGP GUI enables/disables this. If enabled, PKA1 queries are made and any key URI found is immediately collected, validated, and  added to the key-ring. To publish your own public-keys to your domain's DNS you must create special TXT records.  An example of how to do this is as follows:  Suppose user has key-id 0A2B3C4D5E6F7G8H.  Then, in the DNS for domain "" create a TXT record at "" (replace the @ in the email address with the string "._pka.").  The data for the TXT record would look something like this: "v=pka1; fpr=<key's full fingerprint>; uri=<WorldClient-URL>/WorldClient.dll?view=mdpgp&k=0A2B3C4D5E6F7G8H" where <key's full fingerprint> is the full fingerprint of the key (40 characters long representing the full 20 byte fingerprint value).  You can see a key's full fingerprint value by double clicking on the key in the MDPGP GUI. Keys successfully collected and imported to the key-ring using this method are tracked in a new file called fetchedkeys.txt. Keys will auto-expire and be forgotten according to the TTL value of the PKA1 record which referred them -or- when X hours have passed (a value which you can configure using a new control on the MDPGP GUI) - whichever is GREATER.  So, this means that the value you configure here can be thought of as a minimum length of time (in hours) that a key will be cached. The default value is 12 hours and the lowest acceptable value is 1 hour.

For more discussion and examples on using the pka1 method do a google search for "pka1 keys in dns" and you will find it.

Tracking Keys: As part of this work some internal changes were made such that MDPGP tracks keys by their primary key-ids always and everywhere now rather than a combination of sometimes the key-id and other times the sub-key-id which was messy. The UI was cleaned up to remove two unnecessary columns in the list box related to superfluous (for display purposes anyways) key-ids. Also, this work required me to more strictly control the content of MDPGP's "exports" folder. As a result you will always find exported copies of local user keys there.  Please use OS tools to protect this folder (and indeed the entire PEM folder structure) from unauthorized access because, although they are themselves encrypted, the private keys of users are stored here.

Preferred Keys: Some problems arose as part of this work when multiple different keys for the same email address are on the key-ring.  In past versions MDPGP would simply use the first one that it found. You can now right-click on any key and set it as preferred. When a preferred key is found then that key will be used whenever there are more than one to choose from. When there is only one key for an email address then that key is preferred automatically even if not selected as preferred (but you can still select it as preferred if you want). When multiple keys for the same address are present and none are selected as preferred then the first one found is used. When a key is selected as preferred an asterisk is set in the first column of the UI. Preferred.txt stores the preferred key selections.

Disabled Keys: As part of this work it was necessary to change how disabled keys are tracked. Previous versions tracked disabled keys by placing their key-ids into the plugins.dat file. This version migrates those settings out of plugins.dat and into a new file called oldkeys.txt. Deleted keys are now tracked there.


An XMPP server is now included that allows MDaemon users to instant message using third-party XMPP clients. Clients are available for most OSes and mobile devices. For a complete list please refer to XMPP instant messaging is completely independent of MDaemon's current chat system (WorldClient Instant Messenger).

The server is installed as a Windows service and a configuration screen for it can be found in the MDaemon UI at Ctrl+W|XMPP. The default XMPP server ports are 5222 (SSL via STARTTLS) and 5223 (dedicated SSL). The XMPP server will use MDaemon's SSL configuration if enabled in MDaemon.

For multi-user chat service, when asked the default is "conference.(your-domain)". For user search service, if asked the default is "search.(your-domain)". Often this will be pre-filled in or assumed by clients. The search fields are 'Name' and 'Email'. The % symbol may be used as a wildcard. Some XMPP clients use DNS SRV record for auto-discover of host names. Please refer to For more info on XMPP please refer to


The purists out there are going to hate this but users who have been tricked in the past will love it. Sometimes users are fooled into thinking an email comes from one person when it is actually from an attacker. This happens because email clients often display only the sender's name and not his email address. This new option defeats such an attack at the cost of altering the From: header value. If enabled, the From: header is modified. For example: From: "Spartacus" <> would become From: " -- Spartacus" <>. This only happens to messages arriving for local users. This option is disabled by default and can be found at Ctrl+S|Screening|Hijack Detection screen.  Enable with care as users are not expecting the From: header to be altered in this way even in order to help recognize an attacker.


MDaemon has been taught how to push client settings to Outlook Connector users. Setup|Outlook Connector (or Alt+O|OC Client Settings) opens up a set of screens where you can configure default client settings for all OC users of all domains. On the MDaemon Private Cloud version, the same screens appear within the Domain Manager for each of your individual domains. All these screens mirror those found within the OC client and are intended to allow you to create a set of values which are pushed out to OC users the next time they connect. This feature is disabled by default. Settings are only sent when they are new or have changed since the last time the OC client connected and received them.

Obviously, several of these client settings (like "Your Name" for example) can not be configured with a single value that works for all OC users.  Therefore macros are used such as $USERNAME$ which expands to the correct value for the individual user when the settings are sent to the OC client.  Take care not to place hard-coded values (like "Arvel Hathcock") in the "Your Name" field or every OC client will get "Arvel Hathcock" after the settings are received and applied.  The UI will help police this but it is a point you should keep in mind. A button in the UI will remind and serve as a reference for MDaemon's macro system. A checkbox on the OC Client Settings screen controls whether OC users are allowed to override these settings or not. If you don't want them to be able to change these settings then set the checkbox accordingly and the controls within their OC client will be disabled.

None of this works unless the OC user is using Outlook Connector v4.0.0 or higher.

As part of this work the Outlook Connector screens were moved from Accounts|Account Settings to Setup|Outlook Connector.


Ctrl+S|Screening|IP Screen has a new Import button. MDaemon has been partially taught how to import APF (typically used by firewalls) and .htaccess format files (typically used by web servers). MDaemon understands only a sub-set of this file format (for now). For example, "deny from" and "allow from" are understood but other verbs may not be. Only IP values are imported (not domain names). CIDR notation is OK but partial IP addresses are not. Each line can contain any number of space (or comma) separated IPs. For example, "deny from" is OK. So is ",,". These files are designed to control access to services so they are really IP deny/allow lists. You can find these files online to download and can (for example) block all IPs from a certain region or nation and there are even files online that contain lists of compromised IPs. For example, google search for "List of all IPs from <country>". Lines starting with # are ignored.  Lines can contain things other than IP addresses and that should not stop the IP addresses from importing properly. I hope to improve this in future versions so if you have a specific example of a file that you need MDaemon to import properly (but it won't) you can send it to me and I will look into it (


Ctrl+O|Preferences|Updates is a new screen with several controls that allow you to configure whether and when unattended installation of automatically downloaded product updates will be performed (or not). When enabled, MDaemon can automatically update itself, SecurityPlus (if you have it), and Outlook Connector (if you have it). The Outlook Connector update covers just the server piece. Updating Outlook Connector client plugins is covered elsewhere.

When MDaemon detects new versions of these products it will download and queue the update for installation at an hour configured by you (2 AM is the default). Queued updates are remembered across server restarts so they will be performed eventually (even if the server is periodically switched off for whatever reason). Queued updates are listed in a new file called "QueuedUpdates.dat" so you can always delete all pending updates by deleting this file.  The update installers themselves are kept in a new folder called "Updates" off the MDaemon root. If there are multiple products to update they are done one at a time and each one absolutely requires a system reboot when it finishes. If you don't like that then do not enable these settings (they are all disabled by default).

When automatic updates are performed the email to postmaster/admins about an update that they can go and download manually is not generated. Instead, these people receive the post-installation "Special Considerations" email normally sent as well as a separate email stating that the update was performed. Also, the System log tracks all installation activity. For example: "Installing update: <path to installer>" and "MDaemon will be stopped by the installation process" and "Server will be rebooted after installation completes" etc can all be seen there. Lastly, the process can take a long time (many minutes) so the time between the start of the update and the unavoidable server reboot is to be expected. Did I mention that there will be a server reboot?  Get over yourself - its gonna happen :)

As part of this work "MDLaunch /stop" no longer causes MDaemon to prompt for confirmation.

As part of this work the option to inform the postmaster about updates has been moved from Ctrl+O|Preferences|Miscellaneous to the new screen mentioned above.


[7937] WorldClient now supports categories for email in the LookOut and WorldClient themes. Users can add the Categories column to the message list by going to Options | Columns and checking "Categories" in the Message List section.  To select categories for one or multiple messages, select the message(s) in question and right click on one of the messages.  In the context menu there is a "Categories >" option.  Click the option and a list of all the available categories will be displayed.  If there are more than 27 category options, an up arrow and a down arrow will be displayed at either end of the list.  To view more options click the down arrow, and to go back up the list click the up arrow. If a user has permissions to edit categories, the user can choose the "Edit Categories" option in the toolbar in the LookOut theme or the "more" drop down menu in the WorldClient theme. If a single message is selected in the list, any saved changes will be applied to the message in question. Users can also use the Set Categories option in the external message view to choose/edit categories. Users can also sort and search by Categories. 

[15829] WorldClient now allows admins to create custom categories. There are two files for this purpose;  DomainCategories.json and PersonalCategories.json. Domain Categories are enabled globally by default.  To disable it, change the value of DomainCategoriesEnabled in MDaemon\WorldClient\Domains.ini [Default:Settings] to "No".  Users are able to add and edit their own categories by default.  To disable this either per user (in the user's User.ini under [User]) or globally (in MDaemon\WorldClient\Domains.ini [Default:UserDefaults]) change the value of CanEditPersonalCategories to "No".  If Domain Categories is enabled, and a user is not allowed to edit personal categories, the user will only see the categories listed in DomainCategories.json.  However, if Domain Categories is disabled, and a user is not allwed to edit personal categories, the user will see the categories listed in PersonalCategories.json.  Users that already have a UserCategories.js file will not lose any changes they have made upon upgrade to MD 16.5, but with Domain Categories enabled, any category in their UserCategories.js file that matches the DomainCategories.json categories will become read only.  There are also two translation files that have been added in order to attempt to handle multi-lingual users on the same server; DefaultCategoriesTranslations.js and CustomCategoriesTranslations.json. The DefaultCategoriesTranslations.js file will be overridden each time MDaemon is upgraded, but the CustomCategoriesTranslations.json file will not be, so add any necessary custom category translations to the CustomCategoriesTranslations.json file.  These files make it possible for WorldClient to recognize a category saved to an event/note/task in one WC supported language as the equivalent category in any other WC supported language.  For more detailed information relating to the files mentioned here, see the MDaemon\WorldClient\CustomCategories.txt file.

[16497] LookOut and WorldClient themes - Added option to check a composed message for attachments prior to sending, when attachments are mentioned in the subject or body of the message

[5304] Admins can now hide the WhiteList and BlackList folders for WorldClient users. To do so, HideWhiteListFolder=Yes and/or HideBlackListFolder=Yes in the MDaemon\WorldClient\Domains.ini file under the [Default:UserDefaults] section. Individual users can continue to see the WhiteList and/or BlackList folders if the their User.ini has HideWhiteListFolder=No and/or HideBlackListFolder=No in the [User] section.

[16545] [16729] [16728] Account Editor|Web Services and Ctrl+T|Template Manager|New Accounts|Web Services have each had two new checkboxes added which control whether an account is allowed or required to use WorldClient's Two-Factor Authentication (2FA) system. When the checkbox to allow 2FA is enabled then users decide whether to use 2FA or not (see users manual for details on setting up 2FA). However, if both the allow and require 2FA checkboxes are enabled then users who have not setup 2FA will be given a session and redirected to a page to setup 2FA the next time they login to WorldClient. To force 2FA use immediately you must restart the WorldClient server to force all users to login anew. Once a user's authentication application's pairing has been verified with WorldClient, the user will be redirected to the normal WorldClient view. When 2FA is required then it cannot be disabled from within WorldClient's Options|Security page. However, the same users can still use the Get A New Shared Secret and Show My Shared Secret buttons.


MDPGP can now verify embedded signatures found within messages. Previously it was not able to do this unless the message was also encrypted and signed. With this change signatures appearing without encryption can now be verified. You will see appropriate logging in the MDPGP log when this happens along with new icon and/or text which WorldClient will show when it displays a verified message. As a result of this change a new check-box has been added to the MDPGP GUI which enables signature verification for all non-local users (enabled by default) or you can specify exactly which email addresses can and can not use the service if you need (click the "Configure exactly who can and can not use MDPGP services" button for that).



MDaemon 16.0.4 - July 6, 2016


MDaemon 16.0.3 - June 21, 2016


MDaemon 16.0.2 - May 3, 2016



MDaemon 16.0.1 - March 23, 2016


[6781] Instructions below regarding item [6781] advise you to remove the Mail Archive public folder to improve server performance. Doing so however can cause Outlook users who previously had access to the Mail Archive public folder to start sending "Not Read" notifications errantly. To avoid this problem Outlook users with access to the Mail Archive public folder must disable creation of these notifications FIRST - before the Mail Archive public folder is removed - and keep it disabled until AFTER the Mail Archive public folder is removed and Outlook is restarted and/or re-syncs the mail folders. How to disable these notifications probably depends on the version of Outlook being used. For example, in Outlook 2013 the setting is at "Tools|Options|Preferences|E-Mail Options|Tracking Options - Never send a response". So, the process is (1) disable the notifications in Outlook for those users who had access to the Mail Archive public folder then (2) delete (or move) the old Mail Archive public folder structure as you like then (3) restart Outlook or cause Outlook to re-check for new mail (4) reenable the notification settings in Outlook as you desire. This only need be done for Outlook users with access to the Mail Archive public folder. Moving forward, MDaemon will detect and strip out the header(s) which trigger Outlook to behave this way (but only from archived copies of messages).


MDaemon 16.0.0 - March 8, 2016


[6781] The "Archive to Public Folders" feature has been reworked as it was the cause of a lot of slow performance. No real functionality has been lost but it has been re-designed. You can no longer archive to public folders. Instead, you can now archive to an arbitrary folder of your choice anywhere (as long as MDaemon can access it).  To browse the archive folder use one of your mail accounts (or create a new one) and point its mail folder to the same folder used for the archive (C:\MDaemon\Archives\Email\ is the default). If multiple people need access to the archive then either log into the account and share them with other users or just give the other users the logon/password to the account you used.  All the old archive settings still work but have been simplified. The "Inbound to" and "Outbound from" sub-folders have been shortened to "In" and "Out". MDaemon only archives messages sent /to/ your local users or sent /from/ your local users (or both). Messages just relaying through are not archived by this simple system. Virus and mailing list messages are not archived. The messages that are archived are the ones going into a local user's mail folder and the ones sent by local users but not until each message is in "ready to be delivered" condition.  Note that this means what appears in the archive is what the users see and not necessarily the message as it was when it first arrived at the server.  For example, if a content filter rule adds a header to the message then the archived version has the header.  The old "Mail Archive" public folder is now no longer updated. However, it was left in place so that you can decide what to do with that folder. For example, copy it somewhere else and then delete it - get it OUT of MDaemon's Public Folders directory (please do this as it greatly improves performance of the server for all users). The installation and update process will not do this for you because (a) it would cause the installation process to take too long and (b) it would lead to a wave of "WHERE'S MY ARCHIVE!!  I'M GONNA KILL ARVEL!" heart-attacks for lots of people.  Some changes to the UI at F2|Server Settings|Archiving were required.

[15733] MDPGP: There are numerous draw-backs and much confusion when sharing the same encryption keys across one or more aliases. Aliases should have their own set of keys so that various identities are safely kept separate. Therefore, the option to use or not use aliases has been removed from the UI. If you have special circumstances where you need to preserve previous behavior please add "Aliases=Yes" (without the quotes) to the [MDPGP] section of \App\Plugins.dat and restart MDaemon. Use of aliases creates many problems so this is NOT recommended.

[16324] MDaemon no longer leaves Everyone@, MasterEveryone@, and DomainAdmins@ mailing list .GRP files in the APP folder when the options to use those features are disabled.  Previously, these list files were left in the APP folder even when the features were disabled. This can cause issues because the API assumes the lists are valid if the file exists. So, with this version these files are removed if the features associated with their use are disabled. If you (for some unknown reason) do NOT want these files updated or deleted you can ATTRIB them read-only from the Windows command shell (not recommended). A better approach in such cases would be to create your own lists which can use the same "Send to everyone" macros that these system maintained lists can.

[5044] MDaemon was not honoring the mailing list setting which hides the mailing list from the domain's public contacts folder.  This has been fixed.  When this version of MDaemon starts for the first time any errors in the contact folders related to mailing lists will be corrected.  If a contact is found when it should not be the contact is removed and any missing mailing list contacts are created.  This will trigger re-sync of the contact folder for all devices that are linked to it.

[2524] A fix to a long standing content filter parsing bug could potentially (rarely) lead to the following issue:  In the past, content filter rules which compare the value of a message header would fail to work if the test string being looked for started with a space character.  For example, testing whether a header contained the string ' test ' (note the spaces) would sometimes fail.  This problem has been fixed but it could mean that rules which previously did not match, now might.  Just FYI.

[16214] The "Account can modify the public address book" setting has been removed from Account Editor|Settings and Template Manager|Settings.  Access to any public address book is now managed only through the ACL editor for the specific address book folder in question (including any defaults which will apply to newly created accounts).  As a result of these changes the MD_SetCanModifyGAB() function in the API has been deprecated and changed to do no work (but left in place for backward compatibility).  Also, the CanModifyGAB member of MD_UserInfo structure is now read-only.  Any changes you make to this member will not be saved.  Changes to ACLs are strictly a function of the ACL editor from here forward.

[16230] MDaemon's list engine no longer uses the message-id value of the original list message at all.  Each list message will get the same, single, newly generated message-id.  The mailing list engine makes many changes to the original list message.  Thus it must take ownership and issue a new message-id.  However, the old option to generate a unique message-id per recipient still works but has been disabled by default for new lists and should not be used unless special circumstances require.

[16044] Experimentation has revealed several host screen values which are effective in blocking unwanted connections.  These have been added as defaults to HostScreen.dat for new installs.  Existing installations can rename or remove HostScreen.dat and restart MDaemon (I don't want to overwrite your file myself) to get this new version.

[16274] The default "low disk space value" (the value below which MDaemon believes the disk is running low and starts complaining about it) was changed from 100MB to 1000MB.  Likewise, the "auto-shutoff value" (the value below which MDaemon will disable mail services due to critically low disk space) was changed from 10MB to 100MB.  Please check and change the values at Ctrl+O|Preferences|Disk if they present a problem for you. 

[16404] Minger queries now include the email address (sender) making the request. This allows personal blacklists to be checked. If the sender is on the minger recipient' s personal blacklist then a result of "user unknown" will be returned to the minger client. This change is backward compatible with older minger servers. As a result of this change the LDAPCache.dat file format had to be changed. Your old LDAPCache.dat file has been renamed LDAPCache.dat.old.


[15918] MDaemon Remote Administration (MDRA) GUI Update

The GUI for MDRA no longer uses frames and has been updated to use a mobile first responsive design.  Browser supported is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS.  Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.

This design is based entirely on the size of the window being used.  Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size.  The most important change here is the menu.  From 1024 pixels width on down the menu is hidden on the left side of the browser.  There are two methods that can be used to display the menu.  If a touch device is in use, swiping to the right will show the secondary menu.  Whether or not the device is in use, there is also a "menu" button in the top left corner that will display the secondary menu.  Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu.  The help, about, and sign out menu in the top right corner changes based on the width of the screen as well.  From 768 pixels up shows the words Help, About, and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels or less displays a "gear" icon which when clicked or tapped will display a drop down menu with the Help, About, Sign Out options.  List views with more than one column have column on/off buttons that are accessed by clicking or tapping the gray right arrow button on the far right of the toolbar container.  The settings pages are no longer designed to be exact copies of the MDaemon GUI, but are instead designed to reposition and resize based on the width/height of the browser.

[16095] SPAMBOT DETECTION (MDaemon PRO only)

A new feature called Spambot Detection has been added to Ctrl+S|Screening. This feature tracks the IP addresses that every SMTP MAIL (return-path) value uses over a given period of time. The idea is that if the same return-path is used by multiple IP addresses (more than can be expected from typical user device switching) and all within a short time frame this may indicate a spambot network at play. Of course, it may also indicate totally legitimate use of the mail system (there are no rules against what this feature detects). Nevertheless, experimentation has shown that this can be effective in limited cases at detecting a distributed spambot network as long as the same return-path is utilized throughout.  If a spambot is detected the current connection talking to it is immediately dropped and the return-path value is optionally blacklisted for a length of time you specify.  You can also optionally blacklist all the spambot IPs then known for a user-defined period.  This feature can be enabled at Ctrl+S|Screening.

[10729] CARDDAV (MDaemon PRO only)

Support for synchronizing contacts via the CardDAV protocol has been added.  Notable CardDAV clients are Apple Contacts (included with Mac OS X), Apple iOS (iPhone), and Mozilla Thunderbird via the SOGO plugin.

Note: As of OS X 10.11 (EL Capitan), the Apple Contacts application only supports a single collection/folder.  When the CardDAV server detects the Apple Contacts application, it will only return the authenticated user's default contacts folder.  In addition, OS X 10.11 (EL Capitan) has a known issue that prevents a CardDAV account from being added using the "Advanced" view of the dialog.

To configure clients that support RFC 6764 (Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV)), only the server address, username, and password should be required.  Apple Address Book and iOS support this standard.  DNS records can be setup that point to the client to the correct URL.  When a DNS record has not been configured, clients query a "well-known URL", which in the case of CardDAV is /.well-known/carddav.  WorldClient's built-in web server has been updated to support this well-known URL.

Clients that do not support automatically locating the CardDAV service will require a full URL.

Note: When an item is submitted from a CardDAV client, the full vCard data submitted is saved.  The data is saved as .vcf files in a "_DAV" subfolder.  When the item is later sent to an CardDAV client, this data is merged in with the data that the server generates.  This allows the server to persist unsupported and custom properties.  A new "PersistentData\DAVDataFile" node was added to the addressbook.mrk file.  The API has been updated to delete these files when an item is deleted.

Before reporting issues, please enable debug logging and the option to log HTTP messages and reproduce the issue.  This can be done via the configuration dialog, or by adding the following to the WorldClient.ini file.


Warning: Special care should be taken if testing the OutlookDAV client. OutlookDAV only supports the default MAPI profile. If multiple MAPI profiles exist, the client may issue delete commands to the server for all of the items that were returned by the server. 


WorldClient users who enable Two Factor Authentication will be required to enter a verification code before they can log into WorldClient or Remote Administration. This feature is designed for any client that supports Google Authenticator.

For users to setup 2FA, they need to go to Options | Authentication in any theme.  They must enter their current password in order to make any changes to 2FA.

If a user loses his/her 2FA device or is otherwise unable to obtain a verification code, the user can click the "I do not have a code." link below the "Verify" button.  This will do one of two things.  If the user has a password recovery email address setup, it will take the user to a page to request an email to be sent to his/her password recovery email address with a link to disable 2FA.  Otherwise, it will send an email to the address of SendLostTwoFactorAuthNotificationTo in MDaemoWorldClient\Domains.ini [Default:Settings] with the same link. Admins should do their best to confirm that a user has lost their 2FA or is otherwise unable to obtain a verification code prior to clicking the link provided.

There is also a button located in the MDaemon GUI's Account Editor under Web Services that can be used to disable a single user's 2FA upon request.

To prevent users from using 2FA, change the value of TwoFactorAuthDisabled from No to Yes in MDaemon\WorldClient\Domains.ini [Default:Settings]

Do not change TwoFactorAuthEnabled=No to Yes in MDaemon\WorldClient\Domains.ini [Default:UserDefaults], because this will prevents users from logging into their accounts if they do not already have 2FA enabled for their accounts. Changes to this functionality are already planned for a future version of MDaemon.


MDaemon now ships with an XML over http(s) based API. The result of this is that MDaemon Management clients can be written using any language on any platform that can make http(s):// post requests to the server. In MDaemon Pro, this is only available to authenticated Global Admins, while in MDaemon Private Cloud, a subset of the available operations are accessible to authenticated domain admins as well. The API also produces a website with documentation on the API specification. The installation default is to have it installed at http://servername:RemoteAdminPort/MdMgmtWS/, however, this can be set to any url for the sake of additional security.

The available operations include ...
At this time, command line management clients have been written/tested in Javascript, Powershell, VBScript, C, C++ and Visual Basic. A simple HTML and Javascript test site has been used as a proof of concept for a web based management console that operates within several popular browsers. While not tested yet, it is fully expected that this API should work fine from web servers using PHP, Perl, and other development platforms.


MDaemon now ships with an ActiveSync protocol based Migration Client (ASMC.exe). It supports migrating mail, calendars, tasks, notes, and contacts from ActiveSync servers that support protocol version 14.1. Documentation for it can be found in \MDaemon\Docs.




MDaemon 15.5.4 - July 6, 2016


MDaemon 15.5.3 - December 15, 2015


[16132] Ctrl+S|Sender Authentication|DMARC Reporting GUI allowed invalid/incomplete email address values for the Contact Email field.  You must use a complete email address here.  If you currently do not have a valid full email address then no DMARC reports will be generated until you fix it.



MDaemon 15.5.2 - November 3, 2015


[15968] The ActiveSync server now denies access to accounts whose mail directory is inside of the public folder directory.



MDaemon 15.5.1 - October 6, 2015



MDaemon 15.5.0 - September 15, 2015


[14502] The daily quota report now includes a column showing the last date and time the account was accessed (via IMAP, POP, WorldClient, etc). This required a change to the QuotaReport.dat template file. Your old file was saved as QuotaReport.dat.old in case you have customized it. If so, you may want to similarly customize the new template file.

[15058] The default setting for using color logs has been changed from disabled to enabled.  If you don't like this you can change the setting at Ctrl+O|Preferences|UI.


[2399] CALDAV (MDaemon PRO only)

Support for synchronizing calendars and task lists via the CalDAV protocol has been added.  Notable CalDAV clients are Apple iCal (Included with Mac OS X), Apple iOS (iPhone), Mozilla Thunderbird via the Lightning calendar plugin.  A configuration dialog has been added under Setup | Web & IM Services | WorldClient (web mail) | CalDAV.

To configure clients that support RFC 6764 (Locating Services for Calendaring Extensions to WebDAV (CalDAV)), only the server address, username, and password should be required.  Apple iCal and iOS support this standard.  DNS records can be setup that point to the client to the correct URL.  When a DNS record has not been configured, clients query a "well-known URL", which in the case of CalDAV is /.well-known/caldav.  WorldClient's built-in web server has been updated to support this well-known URL.

Clients that do not support automatically locating the CalDAV service, such as Mozilla Thunderbird via the Lightning plugin will require a full URL.

Free-busy availability queries are supported, however at the time of this writing the latest version of Lightning (4.0.2) has a defect where it won't query a CalDAV server for free-busy information.  Please use version, available for download from", until this issue has been resolved.

Note: When an item is submitted from a CalDAV client, the full iCalendar data submitted is saved.  The data is saved as .ics files in a "_DAV" subfolder.  When the item is later sent to an iCalendar client, this data is merged in with the data that the server generates.  This allows the server to persist unsupported and custom properties.  A new "PersistentData\DAVDataFile" node was added to the calendar.mrk file.  The API has been updated to delete these files when an item is deleted.

Before reporting issues, please enable debug logging and the option to log HTTP messages and reproduce the issue.  This can be done via the configuration dialog, or by adding the following to the WorldClient.ini file.


Warning: Special care should be taken if testing the OutlookDAV client.  If multiple MAPI profiles exist we've seen the client issue delete commands to the server for all of the calendar items returned by the server.  OutlookDAV only supports the default MAPI profile.

[9651] OPENPGP SUPPORT (MDaemon PRO only)

Support for running MDPGP has been integrated. MDPGP provides OpenPGP support for MDaemon by providing encryption, decryption, and basic key management capabilites. It is a great introduction to secure encrypted email. A new tab called "MDPGP" was added to the Security root tab.  Here you will see all MDPGP processing activity.  You can also configure MDPGP by accessing a new option within the Security top-level menu.  The Content Filter now contains actions to encrypt and decrypt messages. See MDPGP-Quick-Start.html in the DOCS folder for more information on how to setup and configure MDPGP.  Due to licensing restrictions beyond our control this functionality is not available (or even included) in builds of MDaemon intended for the Russian market.


The Ctrl+T Group Manager now supports a Do Not Disturb feature that lets you set a time frame during which an account may not be accessed by its user(s). Access during a Do Not Disturb time period is not allowed and returns an appropriate error response to IMAP, POP, SMTP, ActiveSync, and WorldClient access requests. Accounts in this state may receive incoming mail but may not originate mail or be accessed by mail clients. To apply Do Not Disturb to one or more accounts first create a group with the Do Not Disturb settings you desire. Next, use the Account Editor and add the group to the account(s) as you wish.




MDaemon 15.0.4 - July 6, 2016


MDaemon 15.0.3 - June 19, 2015


MDaemon 15.0.2 - June 16, 2015



MDaemon 15.0.1 - April 21, 2015



MDaemon 15.0.0 - March 10, 2015


[14366] Account hijack detection is now enabled by default. You can change hijack detection settings at Ctrl+S | Screening | Hijack Detection.

[14431] The options at Ctrl+S | Screening | Dynamic Screening have been changed. First, the "Watch accounts" checkbox was redundant and has been removed. The option to "freeze accounts" has been made into its own separate checkbox. Similarly the option to "Email postmaster" has been made into a separate checkbox and you now have some control over what's included in the email.  As in previous versions, this email is not sent when the account in question is already frozen.  Dynamic screening settings have been reverted to installation defaults which could change the existing behavior you are expecting.  Please check and configure these settings how you want them.  Lastly, the options related to WorldClient have been removed and placed at Ctrl+W | WorldClient (web mail) | Dynamic Screen.


[4758] IPV6 SUPPORT (MDaemon PRO only)

Support for IPv6 has been added.  MDaemon will detect the level of IPv6 capability that your OS supports and dual-stack where possible; otherwise, MDaemon will monitor both networks independently.  Outbound SMTP, POP, and IMAP connections will prefer IPv6 over IPv4 whenever possible.

When MDaemon connects to an IPv6 host it must use an IPv6 local address of its own. Therefore the Alt+F2 | Domain Manager | Host Name & IP screen now contains a separate edit control where you can specify an IPv6 address for the domain to use.  If this IPv6 address is missing MDaemon will try to automatically detect a suitable address for use but please check it.  Buttons to manually detect IP addresses have been added to the same screen.

A few options related to use of IPv6 can be found at F2 | Server Settings | IPv6.  Also, $PRIMARYIP6$ and $DOMAINIP6$ macros can be used to retrieve IPv6 addresses.  These macros can be used anywhere that the $PRIMARYIP$ and $DOMAINIP$ macros can and they retrieve IPv6 addresses.

SPF processing now supports the "IP6" mechanism and expands the "a", "mx", and "ptr" mechanisms to include AAAA records.

Several configuration files that store reserved IP address ranges will be updated to include their IPv6 network equivalents.

[6319] 64-BIT VERSION

A 64-bit version of MDaemon is now available. The 64-bit version can handle a higher number of active sessions before running out of memory. Please note that the 64-bit MDaemon is not compatible with 32-bit plugins. When switching to the 64-bit MDaemon, you must also switch to 64-bit versions of all software that uses the MDaemon API. A 64-bit version of SecurityPlus is available. We do not have a 64-bit version of BES, so stay on the 32-bit MDaemon if you need it. If you run WorldClient, Remote Administration, or ActiveSync in IIS, you will need to configure or recreate the application pools to be 64-bit. The server side component of Outlook Connector is built in to MDaemon so we do not have or need separate 32/64-bit server side Outlook Connector installers.


The user interface was improved in several ways including:

[14052] The UI has an updated ACL editor.

[14284] Changed the root page in multi-page dialogs to summarize the section rather than duplicate all the controls from the first page

Moved Ctrl+S | Security Settings | IP Shield to Ctrl+S | Sender Authentication | IP Shield

Numerous minor changes including:  (a) the Gateways and Event Scheduling UIs have been slightly reorganized (b) Domain and List Managers auto-expand sub-nodes when accessed via double-click (c) updated warnings displayed when enabling ActiveSync for the first time (d) some places throughout UI used "Settings" while others used "Options"; I picked "Settings" and updated the UI everywhere (e) all occurrences of "don't" within UI control labels have been changed to "do not" (in English version) (e) several tiny memory leaks related to gateway use cleaned up (f) The button to set default values was removed from the LAN IP editor as part of IPv6 work (g) Updated the Alt+M | ActiveSync | Domains  screen.

The "WorldClient IM" page found at Ctrl+W and within the Domain Manager has been re-organized slightly and re-labeled as "WCIM"

The F2 | Server Settings | Servers screen was re-orged somewhat and the option to require missing Date headers was removed.  It can be changed at MDaemon.ini [Special] DateComplianceCheck=Yes (default No).

Removed the "Lists" top-level menu.  All mailing list configuration is done with the new Mailing List Manager found at Setup | Mailing List Manager. This change required reorganizing controls on several list editor screens.  By default the left-hand tree does not auto-expand the nodes but if you want to change that you can with a checkbox at Ctrl+O | Preferences | UI. 

Removed the "Gateways" top-level menu.  All gateway domain configuration is done with the new Gateway Domain Manager found at Setup | Gateway Manager.  This change required reorganizing controls on several of the gateway editor screens.  The "Accounts" screen has been deprecated and removed.  The controls there allowed you to create an account through which you could access the gateway domain's mailbox via POP.  This is easily done by configuring any of your existing accounts (or the gateway itself) to share the same mailbox folder.

[13806] All the mailing list related options found at Ctrl+O | Preferences | Miscellaneous have been moved to the new mailing list manager.  The option related to spam in mailing list public folders was removed from the UI.

The "...sends 552 when account is over quota" option was removed from F2 | Server Settings | Servers because its a duplicate of the same option found at Ctrl+U | Other | Quotas.

Several options related to inbound and outbound socket binding were removed from Ctrl+O | Preferences | System and placed on a new screen at F2 | Server Settings | Binding. The new screen also contains separate edit controls for IPv4 and IPv6 addresses.

The option to add a Sender: header to all mailing list messages and the option to add a custom header+value to all mailing list messages have been removed from Ctrl+O | Preferences | Headers and placed within the new Mailing List Manager at Alt+G | Mailing List Settings.  Also, the options to configure the digest message subject and to screen incoming list mail for non-list content were removed from Ctrl+O | Preferences | System and moved to Alt+G | Mailing List Settings.

[14266] Some visual oddities with the red/green background color of password fields within the Account Editor were fixed

[13746] Added some new conditions to the account manager including showing only accounts which are forwarding, which are over-quota, or which have autoresponders configured.

The IP Screen editor has been reorganized.

[12475] The Subject column is displayed when viewing the Bad Queue.


Added several new options to Ctrl+S | Screening | Hijack Detection which let you set different message and timing thresholds depending on the source IP of the incoming connection. You can set separate limits for connections from reserved IPs, local domain IPs, and all other IPs.

MDaemon's reserved IPs are mostly as defined by RFCs (127.0.0.*, 192.168.*.*, 10.*.*.*,, ::1, FD00::/8, FEC0::/10, and FE80::/64).  Local domain IPs are all the IPs configured for any MDaemon domain. To preserve existing behavior, the defaults treat all types the same.



MDaemon 14.5.5 - July 6, 2016


MDaemon 14.5.4 - June 19, 2015


MDaemon 14.5.3 - January 20, 2015



MDaemon 14.5.2 - November 20, 2014


MDaemon 14.5.1 - November 11, 2014



MDaemon 14.5.0 - October 21, 2014


[13265] The two options to hide local IP addresses and local LAN IP addresses when processing message headers have been deprecated and removed from Ctrl+O | Preferences | Headers. They have now been replaced by a single option which hides reserved IP addresses. That was always the intent of the older two options anyway. This new option is enabled by default and prevents use of reserved IPs from appearing in certain MDaemon created message headers. Reserved IPs are as defined by various RFCs and include: (a) 127.0.0.* (b) 192.168.*.* (c) 10.*.*.* and (d)  If you want or need to do the same for your domain IPs (including LAN domains) then you can set this switch in MDaemon.ini manually: [Special] HideMyIPs=Yes (default is No).

[13332] The option "POP3, IMAP, and WorldClient passwords are case sensitive" has been deprecated and removed from Ctrl+O | Preferences | Miscellaneous.  Passwords are now always case-sensitive.  Allowing otherwise breaks security best practices and is incompatible with hash-based authentication mechanisms (APOP, CRAM-MD5) and secure (hash-based) password storage. As a result of this some of your users may need to update their password in their mail client.

[13786] The SPF cache file now caches a domain's actual SPF policy record taken from DNS rather than the final result of SPF processing. Your old SPFCache.dat file can not be migrated and so was renamed SPFCache.dat.old in case there are settings in there you need to refer to. You can delete SPFCache.dat.old at any time.

[13121] DomainKeys has been deprecated (see below). As a result the content filter action to sign messages with DomainKeys will be ignored. If you were using this action in any of your rules you may want to either change them to sign with DKIM instead or delete them if they are no longer needed.


[11196] DMARC (Requires MDaemon PRO)

Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been added. DMARC defines a scalable mechanism by which a mail sending organization can express, using the Domain Name System, domain level policies and preferences for message validation, disposition, and reporting, and a mail receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works can be found here:

DMARC allows domain owners to express their wishes concerning the handling of messages purporting to be from their domain(s) but which were not sent by them.  Possible message handling policy options are "none" in which case MDaemon takes no action, "reject" in which case MDaemon refuses to accept the message during the SMTP session itself, and "quarantine" in which case MDaemon places the following header into each message for easy filtering into your user's Junk E-mail folder:  "X-MDDMARC-Fail-policy: quarantine".  This header is only added when the result of the DMARC check is "fail" and the resulting DMARC policy is something other than "none."  It is possible to configure MDaemon to accept messages even though DMARC requests that they be rejected.  In fact, this is the default operational mode.  In these cases MDaemon will place an "X-MDDMARC-Fail-policy: reject" header into the message in case you want to filter more seriously on that.

DMARC supersedes ADSP and the message disposition features of SPF.  However, you can still use all of them together with DMARC.   ADSP and SPF message rejection now takes place after DMARC processing if DMARC verification is enabled.

DMARC depends in part upon the use of a "Public Suffix List." A "Public Suffix" is one under which Internet users can directly register names. Some examples of public suffixes are .com, and A "Public Suffix List" is a list of all known public suffixes. MDaemon uses the one maintained for the community by the Mozilla Foundation that is found here: A copy of this list is installed into your \App\ folder as effective_tld_names.dat. There is currently no comprehensive or single authoritative source for such a list which is an issue the Internet community should address. Over time this file will grow obsolete and must be replaced by downloading it afresh from and saving it to your \App\ folder. MDaemon will periodically and automatically download and install this file as part of the daily maintenance event approximately once every two weeks.  Various controls to govern this can be found on the new DMARC configuration screens.  The DMARC log and the new DMARC window within the Security tab inside the main UI will contain the results of the update and all other DMARC processing operations.  You can set a different file download URL if needed but the data downloaded must conform to the format specified by Mozilla for their file. You can read about this at the URL mentioned above.  MDaemon strictly follows the parsing algorithm specified by Mozilla. Create a (possibly empty) file called "PUBLICSUFFIX.SEM" and place it in MDaemon's \App\ folder if you replace or edit the effective_tld_names.dat file yourself and need MDaemon to reload it without a reboot.

To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's DNS setup.  Information on how this record is defined and structured can be found at When you publish a DMARC record to your DNS you may begin receiving DMARC reports from many different sources via email. These reports are provided as a compressed XML file whose format is governed by the DMARC specification. Consuming these reports is outside the scope of MDaemon's DMARC implementation. However, the data within these reports can provide important insight into a domain's mail flow, improper domain use, DKIM signing integrity, and SPF message path accuracy/completeness. The addresses to which these reports are sent is configured by you when you create your DMARC record.

When setting up a DMARC record for one or more of your domains take care with use of p=reject.  Take particular care if your domain provides email accounts for general use by human users.  If such users have signed up for any mailing lists, make use of a mail forwarding service, or expect to use common things like "share this article with a friend" you should know now that a DMARC p=reject policy could make those things entirely impossible and if so you'll hear about it.  DMARC p=reject is perfectly appropriate and useful but only when it is applied to domains that control how their email accounts are used (for example, transactional mail, automated (i.e. non-human) accounts, or to enforce corporate policies against use of the account outside organizational boundaries).

DMARC p=reject is especially bad for mailing lists and if careful steps are not taken this can result in list members being automatically removed from your mailing lists.  To mitigate this, the following steps should be taken:  (I) For mail receivers: (a) do not allow anyone to post to any of your mailing lists if they are from a domain that publishes restrictive DMARC policy (ie.. any policy other than "none") or (b) failing that, configure all your lists to alter the From: header within messages from such posters.  MDaemon 14.5 has new configuration options within the Mailing List Editor that can do all that work for you.  If you don't want to do either of those things then at least make sure you disable the mailing list feature that automatically removes members who refuse to accept mailing list traffic.  Otherwise, a message sent through your list by (for example) will result in the instant removal of every list member along with any and all other list members whose mail systems are DMARC compliant.  MDaemon 14.5 automatically configures all your lists to be DMARC safe so that none of your list members will be removed by enabling the From: header mitigation described above for all your lists.  (II) For mail senders:  by all means publish a DMARC record for your domains and specify an email address to receive reports but take care not to use p=reject unless you are sure its appropriate (which it very well may be).   

In order to support DMARC aggregate reporting MDaemon will store data which it will need later in order to generate aggregate reports according to the DMARC specification. MDaemon ignores the DMARC "ri="; tag and only produces DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given day. At midnight UTC (which is not necessarily midnight local time) MDaemon consumes this stored data to generate the reports. MDaemon needs to be running at this time or the stored data could grow and grow and never be consumed. Therefore, if you do not run your MDaemon 24/7 you should not enable DMARC aggregate reporting.  DMARC aggregate reporting is disabled by default.

In order to support DMARC failure reporting RFC 5965 "An Extensible Format for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF) Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651 "Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting", and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have been fully implemented.  Failure reports are created in real-time as the incidents which trigger them occur.  MDaemon implements DMARC AFRF type failure reports and not IODEF type reports.  Therefore, only values of "afrf" in the DMARC "rf=" tag are honored.  See the DMARC specification for complete details.  Multiple failure reports can be generated from a single message depending upon the number of recipients in the DMARC record's "ruf=" tag and upon the value of the "fo=" tag times the number of independent authentication failures which were encountered by the message during processing.  When the DMARC "fo=" tag requests reporting of SPF related failures MDaemon sends SPF failure reports according to RFC 6522.  Therefore, that specification's extensions must be present in the domain's SPF record.  SPF failure reports are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.  When the DMARC "fo=" tag requests reporting of DKIM related failures MDaemon sends DKIM and ADSP failure reports according to RFC 6651.  Therefore, that specification's extensions must be present in the DKIM-Signature header field and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid ADSP extensions in the ADSP TXT record.  DKIM and ADSP failure reports are not sent independent of DMARC processing or in the absence of RFC 6651 extensions.  See the various specifications referenced herein for complete details.  DMARC failure reporting is disabled by default.

Important Note:  A DMARC record can specify that reports should be sent to an intermediary operating on behalf of the domain owner. This is done when the domain owner contracts with an entity to monitor mail streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by your privacy policy, terms of use, or other similar governing document.  You should review and understand if your own internal policies constrain the use and transmission of DMARC reporting and if so you should disable DMARC reporting as appropriate.

DMARC requires use of STARTTLS whenever it is offered by report receivers however there's no way to predict or police this.  However, you should enable STARTTLS if you haven't already (see Ctrl+S | SSL & TLS | MDaemon).

There is a white list for use with DMARC verification.  This white list is for IPs only.  A match to this white list causes DMARC processing to be skipped.  DMARC also interacts with the SPF and DKIM white lists. If they cause SPF or DKIM processing to be skipped then DMARC processing will also be skipped. Naturally, when both SPF and DKIM are entirely disabled then DMARC processing will be skipped.

DMARC also honors the Approved List which can white list based on verified DKIM identifiers and/or SPF paths from sources you trust.  So, for example, if a message arrives that fails the DMARC check but has a valid DKIM signature from a domain on the Approved List the message is not subject to punitive DMARC policy (i.e..the message is treated as if the policy were p=none).  The same happens if SPF path verification matches a domain on the Approved List.  So, take note that your existing Approved List is now also a DMARC white list.  Finally, DMARC has been integrated with MDaemon's VBR system and a new option has been added to Ctrl+S | Sender Authentication | VBR Certification which allows you to ignore punitive DMARC policy on messages that fail a DMARC check but otherwise have a verified identify vouched for by at least one of your trusted VBR service providers.  This option is enabled by default.  For more information on VBR see  Congratulations on VBR (RFC 5518) achieving Standards-Track status!

The Authentication-Results header has been extended to include DMARC processing results. Note that Authentication-Results includes some data in comments for debugging purposes including the DMARC policy requested by the domain owner which is not necessarily the action taken on the message. For example, when the result of a DMARC check is "pass" it does not matter what the DMARC policy states as policy is only applied to DMARC checks which "fail". Similarly, when the result of a DMARC check is "fail" and the policy is "reject" the message may be accepted anyway for local policy reasons. Use of this header for filtering should take all this into account.  Alternatively, filter for "X-MDDMARC-Fail-policy: quarantine" or "X-MDDMARC-Fail-policy: reject" to filter these messages into spam folders or whatever you want to do.  MDaemon strips out the "X-MDDMARC-Fail-policy:" header from every incoming message.

Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header or they are not processed which basically means that the absence of a single (one and only one) properly formed (according to RFC specifications) RFC5322 From field renders the message invalid generally and therefore invalid for DMARC processing.

Several new screens have been added at Ctrl+S | Sender Authentication where you can set various options related to DMARC use. 

DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the verified identities that those two mechanisms provide.  You can't make productive use of DMARC for inbound mail without one or both of those technologies enabled. The UI will try to enforce this. 

DMARCReporter is a tool that reads DMARC XML reports and transforms them into easier to read HTML.  This tool has been installed into your \MDaemon\App\ folder.  See DMARCReporterReadMe.txt for instructions on use.


Massive updates were done to the Remote Administration interface. "Mobile Device Management" is now a top-level menu item for easier access. Some other menus were relocated to align Remote Administration more closely with MDaemon's layout.  Accordingly, menus have been utilized where appropriate. Context-sensitive help has also been added.

[10279] ACTIVESYNC SERVER NOW SUPPORTS SERVER-SIDE MAIL SEARCHING (Requires MDaemon PRO and active ActiveSync Software License Renewal Coverage)

MDaemon's ActiveSync server now supports searching messages on the server. Please refer to your ActiveSync client's documentation to find out if it supports this feature and how to use it. The search indexes are stored on the server in the folders being searched in files named SrchData.mrk and SrchIndex.mrk.


The mailing list engine has had several improvements.

[13196] The mailing list editor has been slightly reworked.  All the header manipulation related settings have been removed from the Settings page and put on their own new Headers page.  Also, the option to set the list's precedence value has been deprecated and removed.  Similarly the option to insert the list's name into the 'To:' header 'Display Name' has been removed as an unnecessary duplicate of the radio button option on the same screen that does the same thing.

[13198] Added a new option to the mail list editor which will allow you to reject messages sent to the list from authors whose domain publishes a restrictive DMARC policy ("p=reject" or "p=quarantine").  This option is enabled by default.  By publishing restrictive policy these domain owners are effectively making it impossible for their users to participate in any mailing list or forwarding service or "mail this article" type of service.  That may well be what they intend.  However, allowing the mailing list engine to accept such messages can lead to unrelated members being automatically unsubscribed.  You wouldn't need to enable this option if you use the new From: header alteration option but better safe than sorry (see [13160]).  Also, you wouldn't need to do this as long as your list does NOTHING to invalidate a valid DKIM signature (if there is one) but lists do that all the time and for perfectly good reasons (like adding a label to the Subject:, adding footers to the message body, etc).

[13160] Added a new option to the Mailing List Editor Headers screen which allows you to alter the From: header value on incoming posts from authors whose domain publishes restrictive DMARC policy. This option is enabled by default and should stay enabled. As much of the previous From: header data is preserved as possible. This should help with the recent issues mailing list administrators have experienced due to the DMARC "p=reject" policies at Yahoo, AOL, and some others.  FYI, as it depends on DMARC data being available this option doesn't really do anything when DMARC processing is disabled.  Any time the From: header is changed by this feature the original From: header data will be moved into the Reply-To: header but only if (1) the message has no Reply-To: header to begin with and (2) only if the mailing list configuration itself does not specify a custom Reply-To: for all list messages.

[5102] Support for List-ID (RFC 2919) has been added.  List-ID allows you to enter a short description for your mailing list which is included in the List-ID message header. This description is optional and if not provided the List-ID header will contain just the list identifier by itself.  An example header with a description looks like this:  List-ID: "Discussion of the current MDaemon Beta" <>. An example without a description looks like this:  List-ID: <>.  The email address of the mailing list itself is used as the list's unique identifier (note that the "@" is changed to a "." character to safely comply with the specification).  The List-ID header is stripped from incoming messages sent to local mailing lists but not from incoming messages sent to local users from outside mailing lists.

[13201] Support for List-Post, List-Subscribe, List-Unsubscribe, List-Help, List-Owner, and List-Archive mailing list headers (RFC 2369) has been added.  These headers are added to list messages if URLs for each are specified in the new controls found within the mailing list editor on the Moderation tab (because that's where there was room for them).  These must be URLs as specified in RFC 2369 (for example:  See that document for examples.  Whatever you put into these controls will be inserted into all mailing list messages.  If the data is improperly formed it won't achieve any results.  When a List-Unsubscribe value is provided MDaemon will use it rather than other possible auto-generated values.

[13230] Support for sending mailing list monthly subscription reminders has been added.  When enabled, MDaemon will send the text of a reminder message to each list member on the first day of each month. You can control the content of the reminder message using some new controls on the Mailing List editor Reminders page. The following macros are available for use within the reminder message:

You can copy and paste whatever HTML you want from your favorite HTML editor into the control. If you'd rather send the reminders on a different day of the month, change it by editing MDaemon.ini and setting [Special] ListReminderDay=X (default is 1).

[13242] The option to configure a list's Reply-To value has been enhanced in the UI with radio buttons to allow you to more easily select (1) Leave any Reply-To unchanged (2) Put list's name in Reply-To (3) Put arbitrary email address in Reply-To.


MDaemon's SMTP server has had some improvements

[13243] Support for RFC 3463 (Enhanced Mail System Status Codes) has been added. These codes allow for much finer grained reporting and automation. As a result of this, nearly all of MDaemon's SMTP server protocol strings have been changed to include the enhanced codes. Also, support for RFC 2034 (SMTP Service Extension for Returning Enhanced Error Codes) has been added. The ESMTP capability ENHANCEDSTATUSCODES will be advertised to other servers during the SMTP transaction.

[13264] Support for RFC 3464 (An Extensible Message Format for Delivery Status Notifications) and RFC 6522 (The Multipart/Report Media Type for the Reporting of Mail System Administrative Messages) has been added. This completely overhauls MDaemon's DSN reporting. All of the old code and behavior related to this has been removed and replaced. With these changes, MDaemon's DSN system now fully complies with industry standards and will properly interoperate with automation tools and other MTAs. The format of the DSN has radically changed and now rigidly complies with the specifications. This means that delivery warning messages and delivery failure messages now fall under the control of these RFCs and are no longer accessible to administrators for customization. They can be localized but not customized.  The "Subject" data for these messages can still be changed but this is not recommended. The data contained in these DSNs is now in MIME multipart/report format and no longer includes the original message as an attachment.  Instead, only the headers of the original message are included in a text/rfc822-headers MIME section of the multipart/report message as the specifications recommend. Nearly all the optional components of these reports have been implemented including taking advantage of enhanced status codes if the receiving MTA supports them. DeliveryWarning.dat and DeliveryError.dat have been deprecated and removed. Ctrl+Q | DSN Options screen has been updated to remove the edit buttons and also the old option "Don't generate DSN for undeliverable list mail." This option is also deprecated and removed. MDaemon never generates DSNs for undeliverable list posts.  Please review the RFCs if you want the full details on what the meaning of the various elements within these mails mean.  MDaemon adds a Session-ID and a Queue-ID to each DSN.  The Session-ID is a functionally unique value that identifies the actual mail session or transaction event that attempted delivery (this is not new; it has just never been used for anything until now).  The Queue-ID is a functionally unique value that identifies the message file inside the queue (it's the file's name).  "Functionally unique" means unique enough to identify the data it points to for all practical purposes but not guaranteed to never repeat over the long term.

[13475] Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has been added.  This governs the value of the "WITH" clause in Received headers.  This means you'll see "ESMTP" for unauthenticated non-SSL sessions, "ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions, or "ESMTPSA" for authenticated & SSL sessions.  Values of "MULTIPOP" and "DOMAINPOP" are MDaemon specific and will continue to be used even though they don't appear in the IANA registry.


[13292] Updated MDaemon's SPF implementation to the latest specification (RFC 7208):

Section 4.6.4: Imposed a limit on the number of SPF terms that cause DNS queries. The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms and the "redirect" modifier. The total allowed for such terms is now fixed at 10 and cannot be changed as per the specification. Also, each 'A' record lookup performed while processing an "mx" mechanism count toward the 10 term limit.  When the 10 term limit is reached further SPF processing stops, any SPF results are dropped, and a permanent error is recorded as the result as per the specification. Section 4.6.4: "ptr" resource records count toward the 10 term limit as well however any extras over and above 10 are simply ignored and no permanent error is generated as per the specification.

Section 4.6.4: Imposed a limit on the number of "void" lookups.  These are defined in the specification as lookups that result in either (a) domain does not exist or (b) no answers exist.  When this limit is reached SPF processing generates a permanent error as per the specification.  You can configure the number of allowable void lookups via a new control in Ctrl+S | Sender Authentication | SPF Verification.  It cannot be less than 2. 

Section 9.1: The ABNF was updated for the Received-SPF header so it required a few changes. Also, I added the "mechanism" key so you can see which mechanism matched. Note that the spec calls for using the string "default" when no mechanism matches so that may appear from time-to-time. Also, 9.2 provides guidance on the use of the Authentication-Results header (RFC 7001) so this resulted in a few updates to that header as well.

As a result of the improvements made to Authentication-Results, MDaemon no longer creates the X-MDPtrLookup-Result, X-MDMailLookup-Result, or X-MDHeloLookup-Result headers.  These headers will continue to be stripped from incoming messages but they are no longer created or used by MDaemon itself.

[13313] Updated MDaemon's implementation of "Message Header Field for Indicating Message Authentication Status (RFC 7001)." This is the latest specification governing the Authentication-Results header. This caused several changes to the format of the Authentication-Results header and it looks much different now.  PTR, HELO, and MAIL reverse lookups now use the ABNF from RFC 7001 (i.e.. iprev and policy.iprev for PTR, HELO, and MAIL with comment text as the differentiator).  Also, corrected improper use of ptypes and their values in several places.  Also, found and fixed some bugs in the inconsistent text put out in this header and in what happens if a DNS failure occurs during a lookup.

[13314] Implemented "Authentication-Results Registration for Vouch By Reference Results (RFC 6212)." I (Arvel) am one of the authors of VBR but didn't notice that my friend Murray had created RFC 6212 to document VBR results in an industry standard way using his Authentication-Results header.  That's what I get for falling into a corporate black hole for 3 years :)  MDaemon will now follow this RFC and when multiple VBR hosts are used there will be multiple VBR sections in Authentication-Results.

[13316] Implemented "Authentication-Results Registration for Differentiating among Cryptographic Results (RFC 6008)." This included documenting the results of each DKIM signature in an industry standard way. Previously, MDaemon did not document all signature results and what it did document was not in industry standard form.  MDaemon will now follow this RFC and when multiple DKIM signatures are used there will be multiple DKIM sections in Authentication-Results.

[13315] Added new option to Ctrl+S | Sender Authentication | VBR Certification which will force VBR checks even for incoming messages that lack the VBR-Info header.  Normally this header is necessary but VBR works fine without it.  When the header is missing MDaemon will query your trusted VBR certifiers using the "all" mail type.  This option existed in the previous version but was not exposed in the UI.  Also, in previous versions it was enabled by default but I changed that to be disabled by default to save on queries.  You can enable it if you want.  Also, in previous versions only the default certifier was used in this situation (which is Alt-N's service - but now MDaemon will query each of your trusted VBR certifiers.  Note that spamhaus has adopted VBR now with their DWL list.  See for information and usage.  To use this list within MDaemon just add it to the list of trusted certifiers at Ctrl+S | Sender Authentication | VBR Certification after checking with Spamhaus for any compliance requirements they may have.

[13139] Updated MDaemon's DKIM implementation to the latest specification (RFC 6376).  Also, added separate storage of header and body canonicalized data for optional use with DMARC failure reporting.  Also, the Authentication-Results header now includes the results of ADSP processing where relevant as per RFC 5617.  Finally, RFC 6651 required updates to libdkim.  Added a new option to Ctrl+S | Sender Authentication | DKIM Options which adds RFC 6651 "r=y" tag to outbound signatures.  This enables DKIM failure reporting should outside verifiers choose to honor it.  You must also configure a DKIM reporting TXT record in your domain's DNS and/or update your ADSP TXT record if you want to receive these reports.  See RFC 6651 for syntax and instructions on how to do that.  When set up correctly you may begin receiving AFRF failure reports from external sources when they encounter messages purporting to be from your domain which fail DKIM verification.  Since it requires DNS setup this option is disabled by default.  Also, I added another option to Ctrl+S | Sender Authentication | DKIM Options which toggles whether the RFC 6651 "rs=" tag is honored.  This tag allows outside domain owners to customize the SMTP rejection string that your MDaemon will display when DKIM processing results in a rejection related to their domain.  These strings cannot start with a space or number or include \r, \n, or \t. If they do, MDaemon ignores them.  Otherwise, they're fine.  This switch is enabled by default.  You can disable it if you are uncomfortable with outsiders determining what your MDaemon says in a DKIM related SMTP rejection.  Normally, this is just "550 5.7.0 Message rejected per DKIM policy".  The "550 5.7.0" bit will be prepended to whatever custom string is used (if any).



MDaemon 14.0.5 - July 6, 2016


MDaemon 14.0.4 - June 19, 2015


MDaemon 14.0.3 - July 15, 2014



MDaemon 14.0.2 - May 14, 2014


MDaemon 14.0.1 - May 13, 2014




MDaemon 14.0.0 - March 25, 2014



[12504] NEW WORLDCLIENT THEME (Requires MDaemon PRO)

A new theme, WorldClient, has been introduced in response to customer requests for a more modern, browser-based email client. This new theme incorporates numerous design elements from popular consumer and business browser-based email clients and was designed with input from professional UI/UX development teams.

This new WorldClient theme is now the default WorldClient theme for new installs. When updating, the installer will ask if you want to change your default to this new theme.

[12091] ACTIVESYNC SERVER NOW SUPPORTS SHARED FOLDERS (Requires MDaemon PRO and active ActiveSync Software License Renewal)

MDaemon's ActiveSync server now supports other users' shared folders in addition to personal and public folders. The behavior of any client accessing shared folders via the ActiveSync protocol can vary. While MDaemon's ActiveSync implementation supports Email, Events, Contacts, Tasks and Notes, not all device clients are capable of handling this data.

[12723] The MDaemon GUI has controls to turn ActiveSync shared folders on or off at the global level (at F2 | Server Settings | Public & Shared Folders and Alt+M | ActiveSync | Options), at the domain level (at Alt+F2 | Domain Settings | Options), or account level (at Account Editor | Mail Services). "Inherit" means the domain or account will use the value that was configured at the global or domain level.



MDaemon Server v13 Release Notes

MDaemon 13.6.5 - July 6, 2016


MDaemon 13.6.4 - June 19, 2015


MDaemon 13.6.3 - May 13, 2014


MDaemon 13.6.2 - January 22, 2014



MDaemon 13.6.1 - December 11, 2013




A new page has been added to F2|Server Settings which will allow you to configure MDaemon's simple message recall system. It works like this: an incoming message from an authenticated local user can be delayed for 1 to 15 minutes (you can decide how long). During this delay period the message is simply left in the inbound mail queue. The idea is to provide a grace period for your users to realize they need to recall a message. Once the delay period expires the message is delivered like normal. However, if during the delay period, the same authenticated account which created the message to be recalled should also send a RECALL email to the MDaemon@ system account which specifies the Message-ID of the message(s) to be recalled then those recalled messages are deleted from the inbound queue as if they never arrived and the recalled message will not be delivered to anybody. This is the only way to guarantee that none of the recipients of the recalled message will ever see the message. MDaemon will notify the sender of the RECALL message as to the success (or failure) of the attempt. The RECALL must be performed while the message is still present in the inbound queue. After that, its likely too late to guarantee that the recipients have not already seen it. Accounts can not recall messages sent by other accounts and SMTP authentication is required for each step of the process.  Only messages from authenticated local accounts are subject to the recall delay. All recall processing is logged to the Routing and Mail|MDaemon UI/log files.

Here's how to send a RECALL message (pick one): 1) From your mail client's Sent folder right-click (or whatever your mail client requires) and Forward As Attachment the email(s) that you want to recall, put RECALL as the message subject and send that to the MDaemon@ system account. 2) From your mail client's Sent folder view the headers of the message you want to recall. Copy the Message-ID header value (the part to the RIGHT of the Message-ID: string) to the clipboard. Create a new message to the MDaemon@ system account and place RECALL plus the message ID value on the subject. It should look something like this: RECALL <>. Either of these methods work but only the second is used if both are performed within the same RECALL message. This feature is disabled by default. The default delay interval is 1 minute.

WorldClient may also be used to recall messages. WorldClient will display a "Recall" button when viewing recent messages in the Sent Items folder. If clicked before the recall time limit expires, WorldClient will send a RECALL message to MDaemon. MDaemon will send an email back to the user saying whether the recall was successful.



MDaemon 13.6.0 - October 15, 2013




In WebAdmin, a "Reports" menu has been added for global administrators. Global administrators may choose from the reports listed below. For each report, data may be generated for several predefined date ranges or the admin may specify a custom date range.

In order to facilitate this feature, MDaemon now logs statistical information to a SQLite database file.  By default this database is stored in the "MDaemon\StatsDB" folder and 30 days of data is retained.  Data older than this will be removed during the nightly maintenance process.  A new screen has been added to F2 | Logging | Statistics log which controls the statistics log file and DB maintenance.


ActiveSync Services for MDaemon now support MDaemon’s public folders in addition to mailbox folders. The behavior of any client accessing public folders via the ActiveSync protocol can vary. While MDaemon's ActiveSync implementation supports Email, Events, Contacts, Tasks and Notes, not all device clients are capable of handling this data.  Public folder access can be controlled at the user, domain, and server levels.

[11841] Added new switch to F2 | Server Settings | Public & Shared Folders screen which lets you set the global default for public folder sync'ing to Yes or No. The same switch was also added to Alt+M | ActiveSync | Options for convenience. Also added a control to Alt+F2 | Domain Settings | Options which lets you set public folder sync'ing at the domain level to one of the following three states: Yes, No, or Inherit. Inherit means the domain will honor the global default. Finally, added a control to the Account Editor | Mail Services which lets you set public folder sync'ing at the user level to one of the following three states: Yes, No, or Inherit. Inherit means the user will do whatever the domain is configured to do. This setting is not available as part of the template system.



MDaemon 13.5.5 - July 6, 2016


MDaemon 13.5.4 - June 19, 2015


MDaemon 13.5.3 - May 13, 2014


MDaemon 13.5.2 - August 6, 2013




MDaemon 13.5.1 - June 28, 2013


MDaemon 13.5.0 - June 18, 2013


  1. Please note that MDaemon's BlackBerry Enterprise Server does not (and can not) work with BlackBerrry OS 10 devices. BlackBerry OS 10 devices are managed through MDaemon's ActiveSync server or with different management tools obtained directly from BlackBerry themselves. MDaemon's BES is for devices running BlackBerry OS 7 or below and can not possibly be updated to support BlackBerry OS 10 or newer. The newer BlackBerry devices have moved on from the older BES technology.
  2. [11236] ActiveSync for MDaemon licensing has changed to have license sizes and software license renewal. A new screen at Alt+M | ActiveSync | Accounts lets you manage which accounts are allowed to use ActiveSync. Please review this screen and the ActiveSync Server screen to confirm the enabled accounts, domains, and options are configured how you want them.
  3. [10156] The behavior of the Ctrl+S | SSL & TLS | STARTTLS Required List has changed. Hosts and IPs listed here will now require TLS on both incoming and outgoing connections from any host or IP on the list. In the past, the list only applied to outgoing connections. Also, IPs listed here can now be specified in CIDR notation.
  4. [10500] In the past MDaemon would leave the public folders behind when a domain was deleted. A new option has been added to F2 | Server Settings | Public & Shared Folders which now determines whether this takes place. The default is to leave the public folders alone to preserve existing behavior but it is recommended to enable this option to delete them.
  5. [5597] When this version starts up for the first time it will perform a one-time migration of account settings from WEBACCES.DAT into the accounts' HIWATER.MRK file which is a more appropriate place for these configuration settings. The WEBACCES.DAT file is no longer used and will be removed as part of this migration process. Also, Ctrl+T|New Accounts|Web Services settings now apply only to newly created accounts and no longer affect existing accounts at all. A new "Apply installation defaults" button reverts all the settings on this page to installation defaults. Some of the verbiage on this screen and on the Account Editor|Web Services screen was changed slightly.
  6. [6814] The content of the NoComd.dat file is obsolete. Depending on your configuration, this file was emailed like an autoresponder to anyone who submitted an MDaemon command email that failed to contain any valid commands for MDaemon to process. The content of the file contained instructions on how to ask for help, which hasn't been possible for non-local users in quite a while. A new NoCommand.dat file has been created which no longer contains this errant instruction. If you would like to provide instruction to non-local users on (for example) how to send a SUBSCRIBE or UNSUBSCRIBE command email you can easily modify the NoCommand.dat file to do so. If you have previously modified the NoComd.dat file you can move your modifications into NoCommand.dat from the backup of NoComd.dat which was created as part of the installation process or from a backup created by the nightly config file backup feature.
  7. [10419] MDaemon no longer supports extraction of attachments into an account's FILES folder. This folder was rarely accessible. Instead, this option extracts attachments into the account's Documents IMAP folder which is accessible via WorldClient. Each account's FILES folder will be left in place in case there are files there which should not be deleted. However, no further use of this folder is made by MDaemon. As part of this, the $FILEDIR$ macro was removed. Also, text was updated on both the Account Editor | Attachments screen and the Ctrl+T|New Accounts|Web Services screens.
  8. [10340] The format of log file lines in colorized logs (see below) has changed to include a two-digit color code in each line immediately following the time-stamp.
  9. [10269] MDaemon will no longer bounce messages on a 5XX error from your smart host if one or more of the MX hosts from the receiving domain returned a temporary error earlier in the delivery session. This is on the theory that maybe one of the receiving domain's servers will correct itself before the next queue run. However, it is an indication of a bad site configuration if you are using a smart host and that smart host refuses to accept mail from your MDaemon server. It is expected that this will not ordinarily be the case. A new switch was added to F2 | Server Settings | Delivery called "Bounce message on 5XX error from smart host" which defeats this mechanism and causes the message to go ahead and immediately bounce. If the message is not bounced it becomes part of the standard retry queue mechanism.  If all of the receiving domains MX hosts return 5XX errors -and- the smart host returns 5XX errors then the message has nowhere else to go and is bounced regardless of any other settings.
  10. [10839] It's very easy to accidentally configure a valid account to receive bounces from mailing lists in such a way as to cause the list pruning operation to delete the account's other (non-list) related mail. To help prevent this when it is not intended we have updated the documentation with warnings and have reversed the default settings for two existing options: Ctrl+O | Miscellaneous "List pruner deletes messages that don't contain parsable addresses" has had the default change from TRUE to FALSE and Ctrl+O | Miscellaneous "List pruner saves messages which result in list member removal" has been changed from FALSE to TRUE. Please set these options to how you want your system to behave.



The ActiveSync server now supports ActiveSync protocol versions 12.1, 14.0, and 14.1. This should allow our ActiveSync server to communciate with a wider variety of devices and applications including Outlook 2013. The amount of work and changes necessary for this were extensive but mostly behind the scenes deep inside the ActiveSync server engine itself. However, the changes have allowed us to expose new ActiveSync policy capabilities and make many improvements to overall device mananagement. As before, Alt-N's ActiveSync server is a separately licensed product available for a one-time free trial period and for purchase on the Alt-N web site after the free trial has expired. Additional changes include:

[10521] The Alt+M | ActiveSync | Policies screen has been redesigned and now allows specification of many new ActiveSync policy elements. There are numerous new possibilities with this than in older versions. As before, specific devices may elect to ignore your policy requests and we've found this to be somewhat sporadic depending on the device used and the version of the OS running on the device.

[10478] The Alt+M | ActiveSync | Options screen has a new control which will let you specify the number of days of inactivity after which MDaemon will forget about a particular device. This defaults to 31 days. When MDaemon forgets a device it means that any previous configuration and/or access history is discarded. The next time the device connects it will be forced to reprovision if a policy is in place at the domain level, perform an initial foldersync, and re-sync all subscribed folders. This helps to keep your installation clean from having a lot of old/retired/unused devices. As part of the daily cleanup event MDaemon will check all devices for inactivity.

[9240] Improved ActiveSync and SyncML Server screens in UI so that you no longer have to save changes when selecting a new domain from the domain drop-down list. Settings are remembered and saved all at once if you click OK or ignored entirely if you click Cancel.

[10477] The Alt+M | ActiveSync | Integrated Accounts screen was converted from a ListBox to a TreeView based dialog and renamed "Devices". Also, the BES and BIS "Integrated Accounts" screens were reorganized and renamed as "Devices" and "Subscribers" respectively.

[10479] The "Delete" buttons found on both the Alt+M | ActiveSync | Devices and Account Editor | ActiveSync Devices were renamed to "Forget device" which more accurately reflects what's happening there. When these buttons are pressed the ActiveSync server is told to discard any previous configuration and/or access history for a particular device.

[10692] ActiveSync now supports a device ID, device type, and device OS white and black list.  New screens for managing this were added to Alt+M | ActiveSync.  You can white and/or black list devices based on their ID, type, and OS values. 

[9508] The option to enable/disable ActiveSync services was moved from Account Editor | Options to Account Editor | Mail Services.

[10811] Added Alt+M | ActiveSync | Restrictions screen which lets you specify User Agent and Device Type values and restrict devices matching those values to specific versions of ActiveSync.


MDaemon now supports attachment linking for outbound messages. In the past this feature was restricted to incoming messages only. A new option has been added to the Account Editor | Attachments screen to enable this on a per-user basis. The option works only in conjunction with Attachment Linking so that overall system must also be enabled and the user configured to use Attachment Linking. When the user sends an email, Attachment Linking will extract the file, store it, and replace it with a URL that you can customize. Also, a new control has been added to Ctrl+W | Attachment Linking which allows you to specify the maximum number of days that any attachment will be stored.  As part of the daily cleanup event MDaemon will remove any file found to be older than the specified number of days from the root attachment folder and all sub-folders thereof.  This only works when you are using the default root attachment folder which is <MDaemonRoot>\Attachments\.  It does not work if you customize the attachment folder to point elsewhere.  This option is disabled (set to 0) by default to preserve existing behavior.  See the user's manual for complete details on Attachment Linking. In addition, the overall system was polished up and refined internally for optimization purposes. The option called "Extract text/plain attachment types" was renamed to "Extract quoted-printable text/plain attachments" to better reflect what it has always done.

[9359] Another new Attachment Linking option was added to Ctrl+W | Attachment Linking which allows you to specify a minimum size below which attachments are not extracted. Using this you can configure MDaemon to ignore small attachments and only pull out bigger ones. This option is disabled (set to 0) by default to preserve existing behavior.  As a result of the code changes needed to implement this the following macros have been deprecated and are no longer supported:  $ATTACHMENTCOUNT$, $ATTACHMENT(x)$, and $ATTACHMENTS$.

[10414] Attachment Linking will try to use the file name provided in the MIME headers (if present). But if the file name is longer than 50 chars then only the last 50 chars will be used. If the file name is missing an extension ".att" will be appended (MDaemon needs an extension).


The Alt+F2 | Domain Manager has been reworked. It now displays several screens for each domain instead of having everything on a single screen. There are also better options for creating, deleting, and renaming a domain. Many domain specific functions have been removed from other places in the UI and consolidated here. As a result of this you will no longer find default domain related settings in F2 | Default Domain & Servers. In fact, that menu selection has been renamed to F2 | Server Settings. MDaemon no longer needs the concept of primary/secondary domains but it does still need one of your domains to be selected as the default domain. The default domain is used any time the server engines can not determine a more appropriate domain to use in a given processing context (which should be almost never). The Domain Manager has a button which allows you to easily select which of your domains you want as the default.  The default domain can not be deleted.

[9303] The F2 | Domain Signatures (text/plain) and F2 | Domain Signatures (text/html) screens were removed and replaced by a single screen at F2 | Default Signatures. This makes it possible to see and edit both signatures in the same view.  The Domain Manager includes a similar screen for individual domains.

[4536] It is now possible to specify different smart host related settings on a per-domain basis using the new Domain Manager. F2 | Server Settings | Delivery still controls the type of message routing which takes place. In order to use any smart host the proper message routing option still needs to be selected there. Also, its necessary to configure a default smart host which will be used by any domain that does not configure a different smart host to use. The default smart host is configured at F2 | Server Settings | Delivery.

[10896] The "Enable smarter message routing" option was removed from F2 | Server Settings | Delivery UI.

Many of the screens at Ctrl+W | WorldClient (web mail) have lost the domain dropdown box and now apply only as defaults for newly created domains.  The screens were copied into the Domain Manager where you can configure per-domain options for all the elements.

[10008] PUBLIC FOLDER MANAGER (Requires MDaemon PRO)

The old UI for managing public folders was difficult to use with a large number of public folders. A new UI is available via Alt+P that is a bit better. The older public folder UI was removed from F2 | Server Settings however the Public & Shared Folders global options screen is still there.

[5920] The Public Folder Manager will no longer allow public folder submission addresses to be used if the address is already being used by another public folder. Also, the submission address value is now checked to be sure it is a valid email address form.


The grouping feature has been improved in several ways. First, a new UI for it has been added to Ctrl+T which lets you more easily manage groups.  The old UI for this was removed from Ctrl+T.  Second, groups can now have an optional Account Template assigned. Account Templates allow you to define named sets of account settings. A UI for managing Account Templates is accessible using Ctrl+T or from the Accounts | Groups & Templates top level menu. Third, the Account Editor | Mail Folder & Groups screen has been redone (in fact, the Account Editor has been slightly updated in several places). From this screen you can assign one or more groups to an account. The old UI for setting up new account default settings has been removed. New accounts now automatically have the "New Accounts " account template applied to them at the time they are created.  The "New Accounts" template is a special template that can not be renamed or deleted but you can edit it.  It then takes the place of the old New Account Defaults.

Groups can now be used to assign most of an account's settings automatically. For example, if you want to assign an autoresponder to a certain set of accounts you can create and name an account template which defines the autoresponder, then assign that account template to a group, and then finally assign the group to one or more of your accounts. From that point, the template will determine the accounts autoresponder settings.  Templates can control almost all or just select portions of an account's settings. You can decide what portions of an account's settings are to be part of a template.  When an account is part of a group which maintains an account template the controls within the account editor which are managed by the groups account template will be disabled and a message will be displayed saying that certain account settings are governed by a group. When you edit an account template any account which is a member of a group that owns the template will be automatically updated.  When you change a group's account template to another account template or delete a group or account template all the relevant user accounts are updated immediately.  Groups have a new "Priority" setting (from 1-1000). When an account is a member of multiple groups that each own an account template with conflicting account settings the group with the lowest priority value wins and will have its account template applied. When there is no conflict the settings from each group are collectively applied.  In the case of a tie the first group found wins.  When an account is removed from a group that has an account template the account settings previously controlled by the account template revert to whatever the New Account template says or possibly to another group's account template if the account is a member of multiple groups.

[8381] Groups can disable ComAgent entirely or just the instant messaging portion of ComAgent independently of an account template.  In case of a conflict with an account template owned by the group (if any) then this setting wins.

[10450] The Groups member of the MD_UserInfo structure has been increased in size allowing an account to be a member of many more groups than before.

[9715] Groups now have an edit control where you can specify an Active Directory group.  When an MDaemon group is configured to link to an Active Directory group any member of the Active Directory group will be placed into the linked MDaemon group automatically.  This only works if you are using the Active Directory monitoring feature.  You can map any AD attribute you want to use as a trigger for putting accounts into MDaemon groups however the "memberOf" AD attribute will most likely be the one to use.  You can configure this by editing ActiveDS.dat in notepad.  This feature is disabled by default.  To enable it, edit ActiveDS.dat and tell MDaemon what AD attribute to use for your group trigger or uncomment the "Groups=%memberOf%" line in ActiveDS.dat to use what I guess would be the most common attribute.


ComAgent now supports multiple languages. Rather than each language of MDaemon including a ComAgent in just that language, all languages of MDaemon now include a ComAgent that supports English, German, Spanish, French, Italian, Japanese, Dutch, Polish, Portuguese, Russian, Swedish, Thai, and Chinese. The user can select the language from ComAgent's Preferences dialog. ComAgent now also has improved support for international characters in instant messages and file transfers.


The UI tabs which display Routing, SMTP-in, SMTP-out, IMAP, POP, MultiPOP, and DomainPOP activity may now use some colors to help visually separate events during a session. A new option was added to F2 | Logging | Options called "Use colors when displaying mail session logs" to control this. The same UI option can also be found at Ctrl+O | GUI. The option is disabled by default. The default text colors can be changed by editing the LogColors.dat file as follows:


Background=0x000000 Background color; black
SelectedBackground=0xff0000 Selected background color; blue
Default=0xffffff Default text color; white
Processing=0x00ffff Internal processing and parsing activity; default is yellow
DataIn=0x008040 Incoming data from other server; default is dark green
DataOut=0x00ff00 Outgoing data sent to other server; default is bright green
Error=0x0000ff Error messages; default is red
TCPIP=0xff8000 TCP/UDP/DNS/PTR related activity; default is light blue
SpamFilter=0x0080ff Spam filtering; default is orange
AntiVirus=0xdda0dd AntiVirus processing; default is plum
DKIM=0xff00ff DomainKeys and DKIM activity; default is fuchsia
VBR=0x40c0ff Vouch by Reference activity; default is light orange
SPF=0x808080 Sender Policy Framework activity; default is grey
Plugins=0x0080c0 Any message sent from a plugin; default is brown
Localq=0x00ffff Local queue routing; default is yellow
Spam=0x0080ff Spam message routing; default is orange
Restricted=0x40c0ff Restricted message routing; default is light orange
BlackList=0x808080 Blacklisted message routing; default is grey
Gateway=0x00ff00 Gateway message routing; default is light green
Inboundq=0xff8000 Inbound message routing; default is light blue
PublicFolder=0xdda0dd Public folder message routing; default is plum

If you want to use colors but don't want to colorize one or more of the above elements just set the corresponding values to zero. For example: SpamFilter=0 (the Default color will be used). That trick doesn't work for Background or SelectedBackground.  If you want to change those two you have to provide a new color value.  The color values are specified in hexadecimal of this form: 0xbbggrr where bb is the relative intensity for blue, gg for green, and rr for red. So it's a COLORREF basically. There are many sites online which provide lists of hex values for colors. Watch the byte order though as many provide them in #rrggbb form. Changing colors requires a restart of MDaemon or creation of a file called COLORS.SEM in the APP folder. The main UI utilizes colors in real time as the log string is actually constructed and displayed however the configuration session which reads log files from disk must read the color value from a new bit placed just after the time-stamp in the logged string.  As a result, a configuration session will not be able to colorize portions of log files created prior to MDaemon 13.5.0.

Because attributes necessary to the use of colors may be specified only at the time the window is initially created toggling the use of colors on/off requires an MDaemon restart before it will take effect.


Active Directory monitoring has been improved to periodically query AD and keep all public contact records updated with the most recent information stored in AD. Common fields like an account's postal address, phone numbers, business contact information, etc will be populated into their public contact record and this data will be updated any time it is changed in Active Directory. Numerous contact record fields will be monitored in this way. For a complete list of which public contact record fields can be mapped to Active Directory attributes see my commentary in the ActiveDS.dat file. Also, you do not need to enable full Active Directory account monitoring to take advantage of this. A new switch has been added to the Ctrl+U | Active Directory | Monitoring which allows you to enable this feature independantly from the full Active Directory account monitoring feature (which may be too much for many sites).

The ActiveDS.dat file has several new mapping templates which allow you to specify one or more AD attributes from which to populate a particular contact record field (for example, %fullName% for the fullname field, %streetAddress% for the street address, etc). I've defaulted many of these to what appear to be correct values on our active directory server here at Alt-N but your mileage may vary. I could not find proper attributes in our Active Directory for some of the contact fields but thats because I'm not an AD expert. They are exposed anyway and can be used if needed. A one-time migration of ActiveDS.dat will be performed upon first-time start-up of MDaemon 13.5.0 in order to expose these changes.  None of your existing alterations to this file will be lost.

MDaemon must match an accounts email address to some attribute within Active Directory in order to know which contact record to update. If it can't find such a match it does nothing. By default MDaemon will try to construct an email address using the data taken from the attribute mapped to the Mailbox template (see ActiveDS.dat) to which MDaemon will internally append the default (primary) domain name just as it would when actually creating and deleting accounts based on Active Directory data. However, you can uncomment the "abMappingEmail" template inside ActiveDS.dat and tie it to any AD attribute you wish (like %mail% for example). Just understand that MDaemon expects the value of this attribute to contain an email address that will be recognized as a valid local user account.

MDaemon accounts which are flagged as hidden are not subject to having their contact record created or updated. This feature will create the contact records on the fly if they don't already exist and it will update contact records which do exist. It does not care about and will happily overwrite any changes you make outside of Active Directory. Contact record fields that are not mapped are left unaltered so any existing data that is not subject to being changed by this process will not be altered or lost. Lastly, the Active Directory UI screens have been reworked slightly and the code over-all has been somewhat optimized but you should know that this process hits Active Directory every 10 seconds by default (you can change it) so if you query the root for this rather than a more narrow Active Directory container you might notice it (or maybe not, I don't know for sure).

[10017] Active Directory monitoring will now update an account's alias value. In the past an accounts alias could be plucked from Active Directory only at the time the account was initially created. Note that there's no way to remove any old alias that might have been put there by AD changes earlier because I can't easily tell what old alias should be deleted and I can't delete them all because some aliases might have been created outside AD (users can have more than one alias). This means that over time some orphaned aliases might accumulate but no harm done and they can be removed using the alias editor.

[10476] Active Directory monitoring feature updated to test and log entire set of values for an attribute. In the past only the first in the set was being tested/logged.  Also the logging was simplified and shortened.


Performance counters have been implemented to allow monitoring software to track MDaemon's status in real time. There are counters for the number of active sessions for the various protocols, number of messages in the queues, server active / inactive states, MDaemon up time, and session and message statistics.



MDaemon 13.0.8 - July 6, 2016


MDaemon 13.0.7 - June 19, 2015


MDaemon 13.0.6 - May 13, 2014


MDaemon 13.0.5 - March 26, 2013


MDaemon 13.0.4 - January 15, 2013



MDaemon 13.0.3 - November 14, 2012



MDaemon 13.0.2 - October 24, 2012


MDaemon 13.0.1 - October 2, 2012



MDaemon 13.0.0 - September 4, 2012


  1. [9012] MDaemon FREE is no longer supported beginning with this version. The last MDaemon FREE version is MDaemon 12.5. The FREE registration key will not work in this release moving forward.  The installation process will offer to convert FREE installs to TRIAL installs.
  2. [8960] A new global on/off setting was added for SyncML and ActiveSync servers to enable/disable them globally for all domains.  Please check to be sure the SyncML and ActiveSync servers are enabled/disabled per your liking. This global switch is now used for ActiveSync when enabling/disabling it via the FILE menu and "Servers" section of the main UI.
  3. [9157] MDaemon no longer checks messages for RFC compliance by default to avoid an issue with Outlook's test messages (which are missing the Date header).  Check F2|Servers to make sure this setting is how you like it.
  4. [9022] MDaemon no longer supports Windows XP older than Service Pack 2 or Windows Server 2003 older than Service Pack 1.



Support for basic ActiveSync device policy has been added. You can manage pre-defined policies and create your own policies from a new screen at Alt+M | ActiveSync | Policies. Policies can be created from amongst the following 4 elements (more elements may be added in future versions as they become possible to achieve with ActiveSync):

  1. "Require a password" - include this policy element to force the ActiveSync device to require a password and to enable selection of other policy elements which require a password to be present.
  2. "...passwords must contain both letters and numbers" - include this policy element to force a more complex form for ActiveSync device passwords (requires "Require a password" policy element enabled).
  3. "...lock device after XX minutes of inactivity" - include this policy element to force the device to the lock screen after a given number of inactive minutes.
  4. "...wipe device after 10 failed password attempts" - include this policy element to wipe all device content (return to factory install settings) following 10 consecutive failed password attempts.

A default policy can be assigned per domain from the Alt+M | ActiveSync | Domains screen. Policies can be assigned per device from the Account Editor's ActiveSync screen (which was called "Mobile Details" in previous versions).

Note that not all ActiveSync devices recognize or apply policy consistently. Some may ignore policy altogether and others may require a device reboot before changes take effect (defeating the purpose of many of the policy elements). Also, no policy is applied until the next time the device connects on its own to the ActiveSync server.


Dynamic Screening has been improved by adding an option to disable local accounts which try to send more than XX messages in XX minutes.  When an account is disabled an email is sent to the postmaster which can be replied to which re-enables the account.  Note that the account could quickly get disabled again if the message sending continues.  Accounts disabled by this process can still accept incoming mail but they can not log in to web mail or web administration and they can not collect or send mail.  The intent is to try and recognize and stop a hijacked account so that the postmaster can review the situation and take action. The postmaster account is exempt from this.


MDaemon 13 adds document sharing to the WorldClient themes.  Document folders have full ACL controls that can be used to set permissions and sharing rules.  Any types of files can be shared through the system.  In the LookOut theme browsers that support the HTML5 Drag and Drop API such as Chrome and Firefox should be able to drag files from the desktop into the browser window to upload documents.  Filenames can be searched as well as selected documents being attached to new messages that are being composed.


[2505] The IMAP server now supports the COMPRESS extension (RFC 4978), which compresses all data sent to and from the client. This does require extra memory and CPU usage per IMAP session. You can disable COMPRESS support via a new option in F2|Servers.

[8525] The IMAP server now supports the BINARY extension (RFC 3516), which lets clients download message attachments in decoded form.


A system has been added to MDaemon that allows public folders to be configured as a message ticketing public folder. If this is enabled for a public folder MDaemon will add the public folder name and a unique identifier to the subject of messages sent to the submission address of the public folder. Any outbound messages having this specially formatted subject will have the From address changed to the submission address of the public folder and a copy of the outbound message will be placed into a child public folder named "Replied To". In addition, any inbound messages with this specially formatted subject will be automatically redirected to the public folder, regardless of the address the message was sent to.


Autodiscover allows users to set up an ActiveSync account with just their email address and password, without needing to know the host name of the ActiveSync server.   Autodiscover requires HTTPS to be enabled. For most systems it also requires that a new CNAME or A record be added to DNS. "" should resolve to the server running ActiveSync.



MDaemon Server v12.X Release Notes

MDaemon 12.5.9 - July 6, 2016


MDaemon 12.5.8 - October 24, 2012


MDaemon 12.5.7 - August 16, 2012


MDaemon 12.5.6 - May 10, 2012


MDaemon 12.5.5 - May 1, 2012




MDaemon 12.5.4 - March 6, 2012



MDaemon 12.5.3 - January 17, 2012



MDaemon 12.5.2 - December 1, 2011



MDaemon 12.5.1 - November 9, 2011



MDaemon 12.5.0 - October 18, 2011


  1. [6697] ActiveSync for MDaemon license key is now subject to product activation. Trial keys must be activated within 5 days and production keys within 30 days. Click here for more information on product activation.
  2. [7084] Incorporation of MDS-CS has required that your "BlackBerry Enterprise Server logging" value found at Alt+B | Options be reset to a default value of "Informational". If this is not what you want you can easily change it there.
  3. [7210] The Domain Sharing option "Incoming Minger lookups trigger Domain Sharing processing" has been removed.  If you have multiple servers using Domain Sharing be sure to configure each node to use all the other nodes for Domain Sharing (if appropriate for your setup) and this option should not be needed.
  4. [7003] The Ctrl+U | Quotas option "Over quota accounts can accept mail but not send mail" has been removed and replaced with two separate options "Refuse incoming messages sent to over quota accounts" (enabled by default) and "Refuse outgoing messages sent from over quota accounts" (disabled by default).  These new defaults may not replicate previously configured behavior so check and change as needed.



ActiveSync for MDaemon has been improved and is now capable of sync'ing email as well as PIM data. For information on configuring your specific ActiveSync device see the documentation that accompanied your device. Some information on basic configuration is available from the Alt-N web site for Windows Mobile, iOS, and Android devices.

ActiveSync for MDaemon is a separately licensed product available from Alt-N Technologies. ActiveSync for MDaemon will not work beyond a one-time 30-day evaluation period unless a license is purchased.


WorldClient's flagship theme, LookOut, has undergone major architectural and design changes to accomodate tablet devices such as the PlayBook and the iPad.  Users should not have to change any settings to take advantage of these changes.  Specific items of interest:

  1. Single finger scrolling
  2. Dragging and dropping between folders with one finger; use two fingers to copy to the destination folder
  3. No popup windows for message composition, item entry and item editing to help maintain context
  4. Inline message preview to help preserve the flow of the mail folder and maximize screen real estate

Other WorldClient improvements:

  1. Various HTML5 & CSS3 features have been used to improve performance and loading time (Lookout theme).  The Compose view now uses app-caching to help load up the HTML editor more quickly (particularly over SSL connections) on browsers such as the PlayBook, Chrome and Firefox that support the manifest HTML attribute.
  2. [5349] WorldClient now supports some of the dynamic screening settings. By default, 5 authentication failures will cause an IP to be banned for 30 minutes. New settings for this can be found at Ctrl+S | Dynamic Screening. DYNAMICSCREEN.SEM in the \MDaemon\WorldClient directory will reload any manual changes.
  3. [7115] If ActiveSync is enabled for any domain and WorldClient is configured to use the internal web server then WorldClient will automatically run on port 80 in addition to whatever other ports might be configured if it's not already running on port 80 or 443. ActiveSync requires port 80 or 443. If you are running WorldClient via IIS or if you have configured specific IP:Port binding combinations via the MDaemon UI then this does not apply and you must manually configure those items to include port 80 or 443.
  4. [7790] WorldClient's LookOut theme now lets you add an email contact to your whitelist or blacklist (when users have access to these features) through a drop down menu when they hover over the email address in the message preview
  5. [3692] Advanced message searching has now been enhanced with a number of other new search parameters to help make finding messages easier
  6. ComAgent chatting has been moved to a side panel instead of being in a 'floating' tab that may cover other parts of the interface (Lookout theme).
  7. Calendars can now be viewed together to help see schedules for multiple users (Lookout theme).
  8. Autoresponder settings moved to own options view to help make management easier.
  9. [4600] WorldClient's LookOut theme now auto-saves draft messages every minute.
  10. [2461] WorldClient can decode malformed =?ISO-8859-1? style header lines.
  11. [4723] WorldClient will not include Outlook winmail.dat attachments when forwarding a message.
  12. [6177] Added "Mobile Phone 2" field to WorldClient.
  13. [5949] When importing calendar .csv file in WorldClient, if no end date/time is specified assume the event is one day long.
  14. [5443] Exposed BlackBerry PIN field in WorldClient for Contacts.


MDaemon's spam filter has been updated and now includes SpamAssassin 3.3.2.  A summary of changes and other documentation on SpamAssassin can be found here.

[7543] The Spam Filter update UI option "Run SA-UPDATE as part of update process" has been removed.  This will now always take place.  In fact, this is now the only way of doing the update.  The old and out-dated Alt-N method based on UpdateSpamAssassin.exe has been removed and that file has been deleted.  We now rely on sa-update to perform all necessary SpamAssassin updates.  Also, the file is no longer used and has been deleted.

[7631] Also, changed installer to no longer delete existing .cf rule content. The rule updating process will manage .cf files.

[5331] Also, the SMTP session log will now include a line indicating if spam filter processing was skipped due to message being too large.


MDaemon's BES now includes MDS-CS. MDS-CS permits behind-the-firewall access to files and web applications from BlackBerry devices. This will (for example) allow you to access your private Intranet without a VPN connection. Click here for details about MDS-CS but please note that Alt-N does not necessarily support all the features and capabilities of MDS-CS that you may find there.

MDS-CS can be individually disabled while leaving other BES services running. This can be done from a new Alt+B | MDS-CS screen. You will also find settings there to set the default web port (MDS-CS is a web driven service) and a domain value which will appear on the BlackBerry device anytime the device prompts for authentication related to MDS-CS activities. This defaults to COMPANY.COM so you likely will want to change it.


MDaemon's BlackBerry related service integration has been improved/changed as follows.

[7758] BES users can now configure their MDaemon autoresponder using the "Out of Office Reply" settings on the handheld.

[7405] Added Mobile Details tab to the Account Editor which lists BlackBerry and ActiveSync device details.

[6321] Added BES button to Account Manager which will allow you to BES enable selected accounts.  Note that each BES enabled account consumes server resources so only select and BES enable accounts which intend to activate a BlackBerry device.

[6749] MDaemon will update BES database with current computer name on startup.

[7264] A BES cleanup thread will run at midnight which will defrag BES database indexes.

[7263] A BES cleanup thread will run at midnight which will remove old history rows from the BES database.

[5557] Added SMTP server port option to BIS domain configuration UI.  This should not normally need special configuration but it is possible to point BIS to other SMTP servers so the ability to specify a port value is useful in those cases.

[7838] The BES Agent now automatically reloads users after their email address, full name, or mail directory has changed in MDaemon. A restart of the BlackBerry Controller service is no longer needed.

[6695] A line is added to the BES log when a slow sync is started and finished for a BES user

[6804] Exposed additional BlackBerry Enterprise Server features to end user in WorldClient. The PIN, model number, platform version, and phone number of the user's activated device is displayed. The user may reset the device's password, resend service books to the device, change the service name, or wipe their device. This feature is enabled by default, however may be disabled via a new option added to the Web Services section of the Account Manager.

[6182] When a BlackBerry device is subscribed to an MDaemon account using BIS (not BES) the option "Allow multiple BlackBerry device integrations" found at Alt+B | BlackBerry Internet Service | Options will control what happens to previous subscribed BlackBerry devices.  If there are any, they will be removed from MDaemon's configuration and no further event notifications will be pushed to those devices.  However, the fully proper way to unsubscribe a device is to delete the email account from the device itself.  Still, the system will self police much better now.


A new screen at "F2 | Default Domain / Servers" will allow you to configure an HTML version of your domain signature. You must compose your HTML using your editor of choice, then cut-and-paste the HTML into this screen. If present, MDaemon will afix the HTML version of your domain signature into any "text/html" message part found within outbound email. See the users manual for more details on how this feature works.


The "Address Blacklist" feature has been renamed "Sender Blacklist" and a new "Recipient Blacklist" feature has been added.  The new "Recipient Blacklist" operates on SMTP envelope RCPT data only (not message headers).  You can configure it at Ctrl+S | Recipient Blacklist.  Also, the Blacklist.dat file has been renamed SenderBlacklist.dat and a new RecipientBlacklist.dat file has been created.  BLACKLIST.SEM now reloads both files into memory.


Each account now has a personal "BlackList" contact folder. Incoming messages from any SMTP mail sender listed in the BlackList will be rejected with "550 recipient unknown." Messages that make it past SMTP and into the local queue but have a blacklisted address in the FROM or SENDER header will be moved to the bad message folder. The BlackList folder is automatically created the next time a message is received for the account. Users can manage their account's BlackList folder via WorldClient just as with the WhiteList folder.

[7834] Added option to "Ctrl+P | White List (automatic)" to permit forwarding of messages to "BlackList@<domain>" which will automatically add the email address taken from the forwarded message's FROM header to an account's personal blacklist.  Future messages from that email address to the account which blacklisted it will be refused.  To use this feature, the option mentioned above must be enabled and the user must forward a message (as an attachment of type message/rfc822) to "BlackList@<domain>."  Each MDaemon account already has a "Spam Filter uses personal contacts, white list and black list files" checkbox on the "Account Editor | Options" screen which must also be enabled for this feature to be used.


New quota options are available in the new account defaults and account editor which let you set a limit to the number of messages an account can send via SMTP per day.  The counter automatically resets back to zero for all accounts at midnight each night.  Note that it's possible to exceed this limit slightly if messages come in faster than the cache can keep up, but it won't be much over the limit (if at all).


Maximum acceptable message size limits can now be configured on a per-domain basis using new controls in F2 | Servers and Alt+F2 | Extra Domains. There is also a new control to set a global SMTP message size limit in F2 | Servers which will be applied to all domains. By default, size limits are applied to everyone however you can exempt size checks for authenticated sessions with a new switch in Ctrl+O | Miscellaneous.


MDaemon will now use all DNS servers found within Windows if configured to use Windows DNS servers (not just the first two that are discovered).  This required several internal changes including doing away with the old "max retry attempts" option for DNS lookups.   MDaemon will now try each DNS server once per lookup operation and in sequence until it exhausts the complete list of DNS servers or finds the first one that works.  Immediate retries of DNS servers that just failed one second earlier are not productive.  Also, on startup, the System log will display each DNS server and an indication of where it came from (manually configured or taken from Windows).  Also, the UI controls for primary DNS server and secondary DNS server have been  removed.  Now there is just a single edit box that lets you manually configure as many DNS servers as you want.  Finally, the options to use Windows DNS servers or manually configured DNS servers are no longer mutually exclusive.  If you configure both, MDaemon will use both.

[6244] Also, to meet RFC requirements, MDaemon will (when possible) randomly pick from amongst several A records when determining where to send mail.

[7453] Also, MDaemon will treat blank (NULL) MX values as if no MX was provided at all (because it wasn't).

[7410] Also, removed the following DNS related options from F2 | DNS in UI and from the server code: 1. "Lookup MX records when delivering mail" (no longer a need for this option) 2. "Use IP addresses returned with MX record lookup result" (these will be used if they are found).  Also, removed the GUI'less option [Domain] "UseMultiHomedMXARecords" as MDaemon should just always do these things.

[7256] Also, added option to Ctrl+S | Reverse Lookups which will allow you to refuse MAIL domains which do not have MX records.  This is disabled by default and should be used with caution as domains do not need MX records in order to exist, be valid, or send/receive mail.


The "Configuration Session" UI has been improved in several ways. For example, the right-click menu now works properly and allows you to disconnect an active session and you can double-click or view "Properties" of one or more active sessions which displays the session log. You can also submit the connecting IP address to the IP and/or Dynamic Screen features.

[7031] Also, configuration session "Sessions" window will update individual line items more efficiently now and [7032] handle a much larger amount of session data.

[6919] Configuration session can also change the primary domain name now.

[6864] Finally, changes made to IP Screen, Host Screen, and Address BlackList via WebAdmin will now be picked up by configuration sessions.


The IP Shield has changed.  It is now enabled by default for new installations and supports the $LOCALDOMAIN$ macro which expands to cover all local domains (including gateways).  If you use this macro it is no longer necessary to keep the IP Shield up to date when local domains or gateways change.  Existing installs will not have their existing IP Shield values altered in any way.  However, a new "Default" button is in the IP Shield editor UI which will convert existing IP Shield values over to the new $LOCALDOMAIN$ system if desired.  Finally, by default (or if you hit the "Default" button in the UI) entries are added to the IP Shield associating all reserved IP address ranges with $LOCALDOMAIN$.

[7400] Also, when the IP Shield option "Don't apply IP Shield to authenticated sessions" is enabled the message returned to the SMTP client upon an access refusal will be "Authentication required" in order to give them a clue on how to fix the issue: by enabling Authentication in their mail client.

[7389] In addition, the IP Shield now has a master on/off switch.  It defaults to on and that's fine even when there are not yet any configured domain/IP pairs.

[5192] Also, the IP Shield has a new option "Check FROM header address against IP Shield" (disabled by default).  If you enable this then the IP Shield will compare the address taken from the message's FROM header in addition to that taken from SMTP MAIL value.  Note that this option can lead to problems with incoming list messages (for starters).  This option should not be enabled unless you are sure you need it. 

[7988] Also, added option to IP Shield to exempt Trusted IPs from the IP Shield.  This option is enabled by default.

[7391] Finally, the IPShield.dat file is now cached in memory to increase access speed. Create an IPSHIELD.SEM to reload the file into memory.