SecurityGateway for Email Servers v10.0 Release Notes

SecurityGateway 10.0.2 - June 25, 2024

FIXES

• [27858] fix to certain links in the "Dark Mode" theme are difficult to read due to poor contrast.
• [27873] fix to Sieve script fails to extract/log certain variables.
• [27874] fix to From Header Screening does not function.
• [27879] fix to when sending a message from the Delivery Queue the entire message is read into memory from disk when only the headers need to be.
• [27882] fix to crash when searching a particular HTML message for keywords.

SecurityGateway 10.0.1 - June 11, 2024

SPECIAL CONSIDERATIONS

• [27849] This update will disable the Abusix Welcome List DNSBL (white.mail.abusix.zone) if it was added through the Abusix integration. The welcome list is extensive, and its use has led to a decrease in scores, resulting in reports of false negatives. If you want to continue using the Abusix Welcome List, you will need to re-enable it manually.

CHANGES AND NEW FEATURES

• [27816] The request and response sent to the MS Graph API by an "Office 365 User Verification Source" is now logged when debug logging is enabled.

FIXES

• [27799] fix to Let's Encrypt script fails with "Error 7 Logon Failed" when executed by the SecurityGateway process.
• [27815] fix to only the last active SSL certificate is loaded.  This could prevent the correct certificate from being returned as the default or for a specific hostname when SNI is available.
• [27826] fix to possible crash during DMARC processing if no SPF lookup was performed.
• [27828] fix to specific QR Code in attached image not detected.
• [27835] fix to "Setup / Users | System | HTTP Server | Bind sockets to these IPs" has no effect
• [27837] fix to quarantine reports may not be sent when a custom schedule is specified
• [27850] fix to DNSBL and URIBL hosts/lists with a negative score (welcome list) are not exempt from punitive actions
• [27845] fix to "Exclude messages from domain mail servers" option is not respected when domain mail server is Office 365

SecurityGateway 10.0.0 - May 14, 2024

MAJOR NEW FEATURES

• [27462] Added the ability to create custom charts/reports for the administrative dashboard.
• [25127] CPU and memory counters have been added to the administrative dashboard for the SecurityGateway, SpamAssassin, Ikarus AV, and ClamAV processes.
• [27148] "QRshing" Protection - SecurityGateway can detect and take action if a QR code image is attached to a message. QR Code Detection can be enabled and configured at "Security | Anti-Abuse | QR Code Detection".
• [19951] "Setup | System | Encryption | Select Certificate" now includes a new option titled "Configure Let's Encrypt". This option allows you to automate a PowerShell script that downloads SSL certificates from Let's Encrypt. Let's Encrypt is a Certificate Authority that offers free certificates through an automated process. This process is designed to simplify the traditionally complex procedure of manual creation, validation, signing, installation, and renewal of certificates.
• [27357] Added support for Abusix Mail Intelligence at Security | Anti-Spam. For more information on Abusix Mail Intelligence visit https://www.mdaemon.com/mdaemon-abusix-trial-sign-up.

CHANGES AND NEW FEATURES

• [27073] A new option has been added (enabled by default): "Automatically detect and activate newer certificates". When this option is enabled, the system will perform a check during its nightly maintenance process. For each active certificate, it will check if there's another certificate on the system that expires later, is for the same hostname, and includes all alternative hostnames. If such a certificate exists, the system will automatically make it the active certificate.  This feature is particularly useful when there's a scheduled task on the system that automatically updates the certificate, such as Let's Encrypt.
• [26409] A warning email is now sent to global administrators when an SSL certificate configured for use is about to expire.
• [27606] A Secure Message Recipient can use the "Forgot Password" link on the login page, even if they have not completed the setup process.  In this scenario, the account setup invitation message will be resent.
• [23357] Added a new log file that logs failed authentication attempts.
• [24248] Updated the default "Security | Filtering | Attachments | Attachments to Block" list for new installations. A new action link, "Block recommended files" allows these extensions to be applied to upgraded installations.
• [26593] The Location Screening option "SMTP connections are accepted but authentication is blocked" is now per country instead of global. Blocking SMTP connections prevents your server from receiving mail from a country. Allowing SMTP connections with authentication disabled lets your server receive mail from a country while blocking brute force / dictionary attacks from them. Configure this at "Security | Anti-Abuse | Location Screening".
• [27665] Updated Acme-PS PowerShell module used by the Let's Encrypt PowerShell script to version 1.5.9
• [26924] ESMTP support for AUTH is not advertised if not allowed by location screening policy
• [27493] The domain SMTP AUTH Password now matches any user of the domain for the "Security | Anti-Abuse | SMTP Authentication | Authentication credentials must match those of the email sender" requirement.
• [27581] "Setup / Users | Accounts | User Options | Access Control" has a new option "Allow users to view message transcripts". If this option is disabled, only administrators will be able to view the transcript details for a message in their message log or quarantine. This option is enabled by default for upgrades, but disabled for new installations.
• [27668] The properties dialog for creating or editing a domain administrator has a new option "Can view the source of domain user's messages".  This option applies to messages that SecurityGateway has retained according to the "Setup / Users | Database | Data Retention" settings.  Messages that are queued for delivery to a Domain Mail Server and messages that are quarantined are always retained.  This option does not apply to archived messages.
• [24747] Increased default size of "Message Information" (View Message) window.
• [27578] Updated ClamAV to version 1.0.6
• [27763] "Security | Anti-Abuse |SMTP Authentication" has a new option "Do not allow authentication on the SMTP port". If enabled AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. This setting is useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.

FIXES

• [27556] fix to when upgrading the country is changed to "United States (US)" in "Setup / Users | Registration | License Information"
• [27201] fix to after restarting the system service all users are logged out of the web interface
• [26496] fix to self-signed certificates generated by SecurityGateway cannot be trusted by recent versions of Chrome and Android
• [14014] fix to deleting the last active SSL certificate and creating a new one disables SSL
• [27182] fix to "Setup | System | Encryption" unchecking the "Active" checkbox for an SSL certificate immediately deactivates the certificate
• [27660] fix to possible crash if external Firebird database server cannot be reached
• [27619] fix to IP addresses being looked up on Spamhaus DBL.  The Spamhaus DBL only supports querying domain names.
• [27620] fix to URIBL result codes matching pattern they should not match
• [27621] fix to URIBL engine is reversing numeric URIs even though they are not IP addresses
• [27622] fix to URIBL engine incorrectly parsing URIs that contain a port number
• [27594] fix to external administrator account is unable to configure two factor authenticator application due to "access denied" error
• [27501] fix to exceptionally large values in the "Maximum acceptable SMTP message size" setting result in a negative size attribute in the EHLO response
• [27613] fix to "ReadDataFilterHostProcess failed" error attempting to extract text from attachments
• [27561] fix to if the SPF DNS lookup result contains a CNAME record that points back to the queried domain, it could cause the thread to hang and consume excessive CPU time
• [19111] fix to "Setup | Database | Restore" the displayed size for database backup files larger than 2GB is incorrectly shown as a negative value
• [27492] fix to "May be forged" returned in EHLO response even if EHLO DNS lookup was not performed
• [27016] fix to no action is taken when the Account Hijack Detection threshold is reached. When this occurs, a database error "multiple rows in singleton select" is logged to the system log file.
• [27676] fix to access denied error when domain administrators access "Security | Anti-spoofing" and "Security | Anti-abuse" menus
• [27677] fix to potential SQL exception related to "violation of foreign key constraint".  This issue can occur when sending quarantine reports if a user is deleted during the report generation process.
• [27369] fix to "Message Log | Message Information | Transcript" is partially hidden in Dark Mode
• [27453] fix to the pipe character "|" cannot be used in the mailbox portion of an email address
• [27768] fix to if the logging level is set to "Debug" Administrative Quarantine Summary Reports may not be sent to all administrators
• [27736] fix to quarantine reports may not be sent or include the wrong messages if the "only include new messages" option is enabled
• [27771] fix to SpamAssassin temp folder left on disk