MDaemon Server v16.5 Release Notes
MDaemon 16.5.2 - November 29, 2016
 Hosted email options with MDaemon Private Cloud are now available. To learn
more, please visit:
-  If AccountPrune is taking too long to delete old messages since  was
implemented in 16.5.0 to determine a message's age from its Date: header, edit \MDaemon\App\MDaemon.ini
and set [AccountPrune] UseDateHeader=No to return to the previous behavior of using
the message file's last modified timestamp.
-  MDaemon may report the version of the OS that it is running on when
it requests an updated license file from Alt-N. This information is helpful as we
make decisions about which OSes to support. To not report such information, edit
\MDaemon\App\MDaemon.ini and set [Special] ReportOptionalData=No.
-  fix to long SPF DNS records are not processed correctly
-  fix to Remote Administration's ActiveSync Device Details dialog will
not show details for anything but first listed device
-  fix to LookOut theme - calendar tooltips do not show up
-  fix to WorldClient theme - Tasks list does not show up in IE11 on Windows
-  fix to Remote Administration's Content Filter "rule jump" action
not showing all available rules
-  fix to meeting attendees are corrupted if an attendee's name contains an
accented character and a comma
-  fix to a message larger than the SMTP spam filter scan limit may cause the
scans of subsequent messages in the SMTP session to be skipped
-  fix to CFEngine crash due to system rule conflict with rule hit counter
-  fix to 64-bit installer does not register MDAutoDiscover.dll
-  fix to WorldClient - Translated categories are converted to English after
saving the calendar event
-  fix to Minger authentication fails if sender's email address contains "d="
-  fix to not being able to set up a CalDAV or CardDAV account on an iOS device.
Existing CalDAV or CardDAV accounts on iOS devices may also stop synchronizing.
-  fix to Active Directory Monitoring "Page size" and "Verbose
AD logging" settings are broken in the MD GUI
-  fix to a "<template_undefined>" alias is created when Active
Directory Monitoring creates an account
-  fix to malformed Trusted IPs and Trusted Hosts when editing with Remote
-  fix to WorldClient theme - The Sort Messages By option does not save
-  fix to ActiveSync Ping requests from iOS devices do not work since 16.5
-  fix to ActiveSync FolderSync response may be missing Delete elements for
shared folders that no longer exist
-  fix to CalDAV unable to edit the notes/comments for a single occurrence
of a recurring calendar event or task
-  fix to MD GUI's Mobile Device Management | ActiveSync | Accounts screen
does not save changes
-  fix to possible ActiveSync server hang
-  fix to CIDR notation not working in SMTP AUTH Credentials Matching White List
-  fix to possible XMPP server crash
MDaemon 16.5.1 - October 11, 2016
-  Updated Remote Administration's Host and IP Screening pages to match updates
-  Updated Remote Administration's RA Options page.
-  MDPGP: Changed overall system default to disabled.
-  Ctrl+S|Sender Authentication|SMTP Authentication now has a white list for
the 'Credentials must match...' options found there. A button was added to edit the
-  Ctrl+S|Screening|HiJack Detection|From Header Modification now has a white
-  Added proxy server support for license requests. If the installer is unable
to download a license file it now prompts for a proxy server address and credentials
which it will use to retry the HTTPS request.
-  Urgent Update system has been deprecated and removed (redundant these days).
-  fix to defaults for Outbreak Protection inconsistent between MDaemon and
-  fix to Mail List Member Edit screen remaining open after user clicks Cancel
in Remote Administration
-  fix to Outlook Connector Client Settings pages remain open after user clicks
Cancel in Remote Administration
-  fix to small GUI inconsistency on DNS-BL Settings page in Remote Administration
-  fix to small GUI issue on Spam Filter Updates tab in Remote Administration
-  fix to ActiveSync MaxPublicFolders setting not saving correctly in Remote
-  fix to DKIM option on the wrong dialog in Remote Administration
-  fix to encoded body text of calendar items created by Outlook 2016 with
OC is not decoded
-  fix to WorldClient may crash when importing an .ics attachment
-  fix to WorldClient's Lite theme - Issue changing password
-  fix to non-ASCII characters in a calendar item created by Outlook 2016 with
Outlook Connector are corrupted after editing the item in WorldClient
-  fix to WorldClient and LookOut themes - if Virtru is disabled on the Domain
level, the Compose view does not finish loading
-  fix to potential crash processing certain oddly formed messages
-  fix to disabled XMPP server starts back up when Windows is restarted
-  fix to account editor preventing disabling an account with a weak password
-  fix to MD GUI log windows needlessly display internal color code for each
-  fix to incorrect verbiage describing an option at Ctrl+S|SSL&TLS
-  fix to Outlook 2016 using ActiveSync may crash when marking a recurring
task as complete
-  fix to LookOut theme - IE8 - cannot send emails when Warn On Missing Attachments
-  fix to LookOut and WorldClient theme - When right-clicking to perform copy
or move to another calendar nothing happens
-  fix to possible MDaemon hang when MultiPOP downloads put an account over
-  fix to one more issue with Public Folder rights not matching up between
MDaemon and Remote Administration
-  fix to session timeout not always redirecting properly in Remote Administration
-  fix to Mailbox Reports view in Remote Administration not handling a session
-  fix to some pages not redirecting properly upon session timeout in Remote
-  fix to unable to use Group Membership as Content Filter Rule criteria in
-  fix to accepting a TNEF (Winmail.dat) formatted meeting cancellation in
WorldClient for a single occurrence of a recurring meeting will remove all occurrences
of the meeting
-  fix to formatting problem in an error when saving an account in Remote Administration
with a weak password
-  fix to WorldClient's web server directs all "/.well-known" requests
-  fix to ActiveSync policies set at the account level are not applied
MDaemon 16.5.0 - September 13, 2016
 F2|Server Settings|IPv6 has changed default to "off" (unchecked)
for the option to use IPv6 with outbound hosts for new installs. This option
can cause delivery issues for those who are not prepared for IPv6.
 F2|Logging|Log Mode option to "log by day of the week" (i.e., Monday.log,
Tuesday.log, etc.) has been deprecated and removed. If you were using this option
you are now using "log by date" (i.e., MDaemon-2016-02-22-X.log, etc.). As
a result, the F2|Logging|Maintenance checkbox to overwrite log files is no longer
necessary and has been removed. Also, there is a new setting added to F2|Logging|Maintenance
which lets you set the number of .OLD backups that are created once the max log
file size is reached (previously only one was possible). These backups are numbered
(the number is part of the file name) with the newest data always first (for example,
SMTP(out).log.01.old has newer data than SMTP(out).log.02.old, etc.). Finally, added
hyphens into the file name to make the date easier to read.
 Ctrl+S|Sender Authentication|SMTP Authentication has a new checkbox which
requires all incoming messages arriving from local IPs to use authentication and
be rejected if lacking. Trusted IPs are exempt. This setting is enabled by default
for first time new installs. However, it is disabled by default for upgraders to
avoid delivery issues from clients or other services that don't authenticate and
aren't currently listed as a trusted IP. Please enable this option if you can as
it is a good security practice.
 In previous versions, gateway address verification never verified senders
(only recipients). A new checkbox at Ctrl+G|Gateway Manager|Global Gateway
Settings can toggle this behavior. It is enabled by default which means this
is a change from previous behavior. It is now possible that messages sent
from addresses which cannot be verified will be refused whereas they may have been
accepted before. If this is not to your liking disable this option.
 The logic behind the AccountPrune tool's message pruning operation has
been changed. This tool is called when MDaemon needs to delete old messages from
user and public mail folders. In the past this tool used the "last modified"
date from the message file on disk. MDaemon now looks first at the Date: header
within the message itself. If the Date: header is present and complies with standards
then that date is used to determine message age instead of the file's "last
modified" date. This represents a change from previous behavior.
 F2|Logging|Maintenance has a new setting which governs the maximum number
of days the SecurityPlus update log will keep data (MDaemon\SecurityPlus\avupdate.log).
The new default setting is to keep data going back 30 days. At midnight each night,
and the first time MDaemon starts up after upgrading, MDaemon will delete older
data from this file.
 As part of the work related to task 16924 (see below) some bugs preventing
the immediate sending of "urgent" priority remote mail were found and
fixed. Urgent priority messages are defined as message files whose name matches
the pattern: "<root>\Queues\Remote\p?10*.msg". Messages found
with that file name pattern will now be properly detected and will trigger a remote
queue processing event within 5 seconds regardless of scheduled remote queue processing
timers (this was broken). Also, RAW messages were always expanded out to queue
as MD_PRECEDENCE_LOW (the lowest priority value) even when created with higher values.
As a reminder, "urgent" priority messages will trigger a queue run where
"high" priority messages merely sort to the top of the queue and wait
for the next scheduled queue run. As a reminder, you can use F2|Server Settings|Priority
Mail to define your own criteria for important mail that should trigger immediate
queue runs. Finally, IMAP logon failures due to bad credentials were not being
written to the event log when so configured (only SMTP and POP failures were). This
has been fixed.
 Mailing list digest messages are supposed to be UTF-8 but several bugs were
preventing this from working. As a result of fixing these problems it is no longer
possible to trigger digest delivery based on the number of lines in the digest data
file. So the option to do so has been removed from Alt+G|<list-name>|Digest.
Also, the API function MD_ListMaxLineCount has been changed to always return ZERO
(meaning disabled). Next, the need for the DIGEST.MBF file is no longer present
and so that file has been removed. The MD_ListInfo structure and API functions related
to its DigestMBF member have been left in place however changes made to this member
are not saved and always contain DIGEST as the value. Finally, the $BODY-DIGEST$
macro is no longer needed and has been removed.
 LDAP: added checkbox to Ctrl+G|Verification and Ctrl+U|Active Directory|LDAP
screens which lets you elect to chase referrals. MDaemon now explicitly disables
referrals for every LDAP connection it makes unless this checkbox is set. This represents
a change from previous behavior which defaulted to always enabling referrals. That
seemed to cause issues for people so it is now disabled always UNLESS you set these
options to enable it.
 Ctrl+S|Sender Authentication|SMTP Authentication has a new setting which
requires the credentials used for AUTH to match those of the address in the FROM
header. This prevents cases in which one person authenticates as user X while
claiming to be user Y within the message. This is similar to the existing
setting we've always had which compares against the return-path value. The wording
of that option was also slightly changed. This switch is enabled by default and
handles aliases as if they were the real account email.
 Ctrl+S|Sender Authentication|SMTP Authentication screen has two options
related to forcing authentication credentials to match something else about the
message (either the return-path or the From: header address). Both of these options
can potentially cause issues for gateway mail storage/forwarding. Therefore a third
option has been added to Ctrl+G|Gateway Manager|Global Gateway Settings which exempts
gateway mail from them both. This option is enabled by default.
 MDPGP: Several default settings related to MDPGP use have been changed.
If you are installing for the first time or have never accessed the UI to view these
settings then these are your settings now so please check them carefully. If you
are updating a previous installation and have accessed the MDPGP UI in the past
then your existing settings are untouched however you may wish to check and change
your settings as follows:
All these options can be found within the MDPGP GUI which is accessible from the
Security top-level menu. Even though several of these settings are now enabled
by default (including the entire MDPGP server itself) no work will be or can be
done until keys are known and have been added to the key-ring. With this version
of MDaemon there are a lot more ways to automate getting that done. Yet this may
not be desired in all cases. Please check and change settings to meet your needs.
- "Enable MDPGP" (enabled by default)
- "Authorize all local MDaemon users for all services" (enabled by
default) (previously called: "All MDaemon users on this server can use MDPGP")
- "Sign mail automatically when sender private-key is known" (disabled
- "Encrypt/Sign mail sent to self" (enabled by default)
- "Email public-key when requests are made (--pgpk command)" (enabled
- "Email details of encryption failures (--pgpe command)" (enabled
- "Expires in 0 days" (changed to 365 by default)
 When MX record lookups during message delivery result in a DNS server failure
result then the message will be left in the queue for attempted delivery during
the next processing cycle. This change is in conformity with RFC guidelines. Previously,
MDaemon would attempt direct delivery and, failing that, immediately bounce the
message in some configurations.
 This version of MDaemon is not compatible with old versions of BlackBerry
Enterprise Server (BES) for MDaemon. BES will be disabled when MDaemon is installed.
To continue running BES, update to BES for MDaemon version 2.0.3 after updating
MAJOR NEW FEATURES
 WORLDCLIENT/PKA1 PUBLIC-KEY SERVERS (MDaemon PRO only)
WorldClient: WorldClient has been taught to be a very basic public-key server.
A new checkbox on the MDPGP GUI enables/disables this. If enabled, WorldClient will
honor requests for your users' public-keys. The format of the URL to make the
request looks like this: "http://<WorldClient-URL>/WorldClient.dll?View=MDPGP&k=<Key-ID>".
Where <WorldClient-URL> is the path to your WorldClient server (for example,
"http://wc.altn.com") and <Key-ID> is the sixteen character key-id
of the key you want (for example, "0A1B3C4D5E6F7G8H"). The key-id
is constructed from the last 8 bytes of the key fingerprint - 16 characters in total.
DNS (PKA1): MDPGP now supports collection of public-keys over DNS using PKA1.
A new checkbox on the MDPGP GUI enables/disables this. If enabled, PKA1 queries
are made and any key URI found is immediately collected, validated, and added
to the key-ring. To publish your own public-keys to your domain's DNS you must
create special TXT records. An example of how to do this is as follows:
Suppose user firstname.lastname@example.org has key-id 0A2B3C4D5E6F7G8H. Then, in the DNS
for domain "altn.com" create a TXT record at "arvel._pka.altn.com"
(replace the @ in the email address with the string "._pka."). The
data for the TXT record would look something like this: "v=pka1; fpr=<key's
full fingerprint>; uri=<WorldClient-URL>/WorldClient.dll?view=mdpgp&k=0A2B3C4D5E6F7G8H"
where <key's full fingerprint> is the full fingerprint of the key (40
characters long representing the full 20 byte fingerprint value). You can
see a key's full fingerprint value by double clicking on the key in the MDPGP
GUI. Keys successfully collected and imported to the key-ring using this method
are tracked in a new file called fetchedkeys.txt. Keys will auto-expire and be forgotten
according to the TTL value of the PKA1 record which referred them -or- when X hours
have passed (a value which you can configure using a new control on the MDPGP GUI)
- whichever is GREATER. So, this means that the value you configure here can
be thought of as a minimum length of time (in hours) that a key will be cached.
The default value is 12 hours and the lowest acceptable value is 1 hour.
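The PKA1 publishing steps and the cache rule above, as an added example (not MDaemon's code): it builds the TXT owner name and record data, checks a record for internal consistency, and computes the cache lifetime. The host `wc.example.test`, the fingerprint and the consistency check in `record_problems` are assumptions of this example, not documented MDaemon behaviour.

```python
import re
from urllib.parse import parse_qs, urlsplit

FPR_RE = re.compile(r"[0-9A-F]{40}")  # 20-byte fingerprint as 40 hex characters

# Constructed sample fingerprint, not a real key.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def normalize_fingerprint(fpr):
    """Strip spaces, upper-case, and require exactly 40 hex characters."""
    cleaned = fpr.replace(" ", "").upper()
    if not FPR_RE.fullmatch(cleaned):
        raise ValueError("fingerprint must be 40 hex characters")
    return cleaned


def key_id(fpr):
    """Key-id = last 8 bytes of the fingerprint = its last 16 hex characters."""
    return normalize_fingerprint(fpr)[-16:]


def pka_owner_name(email):
    """DNS name of the TXT record: replace the @ with '._pka.'."""
    local, at, domain = email.partition("@")
    if not (at and local and domain) or "@" in domain:
        raise ValueError("not a single-@ email address")
    return f"{local}._pka.{domain}"


def build_txt(fpr, worldclient_url):
    """TXT record data in the layout shown in the release notes."""
    fpr = normalize_fingerprint(fpr)
    base = worldclient_url.rstrip("/")
    return f"v=pka1; fpr={fpr}; uri={base}/WorldClient.dll?view=mdpgp&k={key_id(fpr)}"


def parse_txt(data):
    """Split 'name=value; ...' into a dict, splitting each part on its first '='."""
    fields = {}
    for part in data.split(";"):
        name, eq, value = part.strip().partition("=")
        if eq:
            fields[name.strip().lower()] = value.strip()
    return fields


def record_problems(data):
    """Return a list of inconsistencies; an empty list means the record is coherent."""
    fields = parse_txt(data)
    problems = []
    if fields.get("v") != "pka1":
        problems.append("missing v=pka1")
    try:
        fpr = normalize_fingerprint(fields.get("fpr", ""))
    except ValueError:
        return problems + ["bad or missing fpr"]
    parts = urlsplit(fields.get("uri", ""))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("uri is not an http(s) URL")
    requested = parse_qs(parts.query).get("k", [""])[0].upper()
    if requested != fpr[-16:]:
        problems.append("k= does not match the last 16 characters of fpr")
    return problems


def cache_hours(ttl_seconds, configured_hours=12):
    """Cache lifetime: the greater of the record TTL and the configured minimum."""
    minimum = max(1, configured_hours)  # lowest acceptable setting is 1 hour
    return max(ttl_seconds / 3600, minimum)


if __name__ == "__main__":
    print(pka_owner_name("alice@example.test"))
    record = build_txt(SAMPLE_FPR, "http://wc.example.test")
    print(record)
    print(record_problems(record))
    print(cache_hours(300), cache_hours(48 * 3600))
```

A record whose `k=` value disagrees with its `fpr=` value is worth rejecting before the key is fetched, because the fingerprint is the only field that binds the URI to a specific key.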
For more discussion and examples on using the pka1 method do a google search for
"pka1 keys in dns" and you will find it.
Tracking Keys: As part of this work some internal changes were made such
that MDPGP tracks keys by their primary key-ids always and everywhere now rather
than a combination of sometimes the key-id and other times the sub-key-id which
was messy. The UI was cleaned up to remove two unnecessary columns in the list box
related to superfluous (for display purposes anyways) key-ids. Also, this work required
me to more strictly control the content of MDPGP's "exports" folder.
As a result you will always find exported copies of local user keys there.
Please use OS tools to protect this folder (and indeed the entire PEM folder structure)
from unauthorized access because, although they are themselves encrypted, the private
keys of users are stored here.
Preferred Keys: Some problems arose as part of this work when multiple different
keys for the same email address are on the key-ring. In past versions MDPGP
would simply use the first one that it found. You can now right-click on any key
and set it as preferred. When a preferred key is found then that key will be used
whenever there is more than one to choose from. When there is only one key for
an email address then that key is preferred automatically even if not selected as
preferred (but you can still select it as preferred if you want). When multiple
keys for the same address are present and none are selected as preferred then the
first one found is used. When a key is selected as preferred an asterisk is set
in the first column of the UI. Preferred.txt stores the preferred key selections.
Disabled Keys: As part of this work it was necessary to change how disabled
keys are tracked. Previous versions tracked disabled keys by placing their key-ids
into the plugins.dat file. This version migrates those settings out of plugins.dat
and into a new file called oldkeys.txt. Deleted keys are now tracked there.
 XMPP INSTANT MESSAGING SERVER (MDaemon PRO only)
An XMPP server is now included that allows MDaemon users to instant message using
third-party XMPP clients. Clients are available for most OSes and mobile devices.
For a complete list please refer to
http://xmpp.org/xmpp-software/clients/. XMPP instant messaging is completely
independent of MDaemon's current chat system (WorldClient Instant Messenger).
The server is installed as a Windows service and a configuration screen for it can
be found in the MDaemon UI at Ctrl+W|XMPP. The default XMPP server ports are 5222
(SSL via STARTTLS) and 5223 (dedicated SSL). The XMPP server will use MDaemon's
SSL configuration if enabled in MDaemon.
For multi-user chat service, when asked the default is "conference.(your-domain)".
For user search service, if asked the default is "search.(your-domain)". Often this
will be pre-filled in or assumed by clients. The search fields are 'Name' and 'Email'.
The % symbol may be used as a wildcard. Some XMPP clients use DNS SRV records for
auto-discovery of host names. Please refer to
http://wiki.xmpp.org/web/SRV_Records. For more info on XMPP please refer
 FROM HEADER PROTECTION/MODIFICATION
The purists out there are going to hate this but users who have been tricked in
the past will love it. Sometimes users are fooled into thinking an email comes from
one person when it is actually from an attacker. This happens because email clients
often display only the sender's name and not his email address. This new option
defeats such an attack at the cost of altering the From: header value. If enabled,
the From: header is modified. For example: From: "Spartacus" <email@example.com>
would become From: "firstname.lastname@example.org -- Spartacus" <email@example.com>.
This only happens to messages arriving for local users. This option is disabled
by default and can be found at Ctrl+S|Screening|Hijack Detection screen. Enable
with care as users are not expecting the From: header to be altered in this way
even in order to help recognize an attacker.
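The rewrite described above, as an added example (not MDaemon's code), using Python's standard `email.utils`. Leaving headers without a display name untouched, skipping already rewritten headers, and the extra `name_embeds_other_address` check are assumptions of this example; all addresses are constructed.

```python
import re
from email.utils import formataddr, parseaddr

# Loose pattern for "something that looks like an address" inside a display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def protect_from_header(value, recipient_is_local=True):
    """Put the real address in front of the display name, for local recipients only."""
    if not recipient_is_local:
        return value
    name, addr = parseaddr(value)
    if not addr or not name:
        return value  # unparsable, or no display name that could mislead
    if name.lower().startswith(addr.lower()):
        return value  # already rewritten: keep the operation idempotent
    return formataddr((f"{addr} -- {name}", addr))


def name_embeds_other_address(value):
    """True when the display name shows an address that differs from the real one."""
    name, addr = parseaddr(value)
    return any(found.lower() != addr.lower() for found in ADDR_IN_NAME.findall(name))


if __name__ == "__main__":
    # Constructed headers.
    samples = [
        '"Spartacus" <spartacus@example.test>',
        '"ceo@corp.example.test" <someone@other.example.test>',
        "spartacus@example.test",
    ]
    for header in samples:
        print(protect_from_header(header), name_embeds_other_address(header))
```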
 CENTRALIZED MANAGEMENT OF OC CLIENT SETTINGS (MDaemon PRO only)
MDaemon has been taught how to push client settings to Outlook Connector users.
Setup|Outlook Connector (or Alt+O|OC Client Settings) opens up a set of screens
where you can configure default client settings for all OC users of all domains.
On the MDaemon Private Cloud version, the same screens appear within the Domain
Manager for each of your individual domains. All these screens mirror those found
within the OC client and are intended to allow you to create a set of values which
are pushed out to OC users the next time they connect. This feature is disabled
by default. Settings are only sent when they are new or have changed since the last
time the OC client connected and received them.
Obviously, several of these client settings (like "Your Name" for example)
cannot be configured with a single value that works for all OC users. Therefore
macros are used such as $USERNAME$ which expands to the correct value for the individual
user when the settings are sent to the OC client. Take care not to place hard-coded
values (like "Arvel Hathcock") in the "Your Name" field or every
OC client will get "Arvel Hathcock" after the settings are received and
applied. The UI will help police this but it is a point you should keep in
mind. A button in the UI will remind and serve as a reference for MDaemon's
macro system. A checkbox on the OC Client Settings screen controls whether OC users
are allowed to override these settings or not. If you don't want them to be
able to change these settings then set the checkbox accordingly and the controls
within their OC client will be disabled.
None of this works unless the OC user is using Outlook Connector v4.0.0 or higher.
As part of this work the Outlook Connector screens were moved from Accounts|Account
Settings to Setup|Outlook Connector.
 IMPROVED IP SCREENING
Ctrl+S|Screening|IP Screen has a new Import button. MDaemon has been partially taught
how to import APF (typically used by firewalls) and .htaccess format files (typically
used by web servers). MDaemon understands only a sub-set of this file format (for
now). For example, "deny from" and "allow from" are understood but other verbs may
not be. Only IP values are imported (not domain names). CIDR notation is OK but
partial IP addresses are not. Each line can contain any number of space (or comma)
separated IPs. For example, "deny from 220.127.116.11 18.104.22.168/16" is OK. So is "22.214.171.124,
126.96.36.199, 188.8.131.52". These files are designed to control access to services so
they are really IP deny/allow lists. You can find these files online to download
and can (for example) block all IPs from a certain region or nation and there are
even files online that contain lists of compromised IPs. For example, google search
for "List of all IPs from <country>". Lines starting with # are
ignored. Lines can contain things other than IP addresses and that should
not stop the IP addresses from importing properly. I hope to improve this in future
versions so if you have a specific example of a file that you need MDaemon to import
properly (but it won't) you can send it to me and I will look into it (firstname.lastname@example.org).
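A parser for the subset of the list format described above, as an added example (not MDaemon's importer), useful for reviewing a downloaded list before importing it. The default action for lines without a verb and the `MIN_PREFIX` review threshold are assumptions of this example; the sample uses documentation address ranges.

```python
import ipaddress
import re

VERB_RE = re.compile(r"^(deny|allow)\s+from\s+(.*)$", re.IGNORECASE)
MIN_PREFIX = 8  # assumption of this example: broader ranges are held for review

# Constructed sample file.
SAMPLE = """\
# constructed block list
order deny,allow
deny from 192.0.2.10 198.51.100.77/16
203.0.113.5, 203.0.113.6
allow from 192.0.2.200 10.1. mail.example.test
deny from 0.0.0.0/0
"""


def to_network(token):
    """Full IPs and CIDR ranges parse; host names and partial IPs return None."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def parse_screen_file(text, default_action="deny"):
    """Return imported rules, skipped tokens and ranges held back as too broad."""
    rules, skipped, held = [], [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        action = default_action
        match = VERB_RE.match(line)
        if match:
            action, line = match.group(1).lower(), match.group(2)
        # Any number of space- or comma-separated values per line.
        for token in filter(None, re.split(r"[\s,]+", line)):
            net = to_network(token)
            if net is None:
                skipped.append((lineno, token))  # does not stop the import
            elif net.prefixlen < MIN_PREFIX:
                held.append((lineno, action, str(net)))
            else:
                rules.append((action, str(net)))
    return {"rules": rules, "skipped": skipped, "held": held}


if __name__ == "__main__":
    result = parse_screen_file(SAMPLE)
    for kind in ("rules", "skipped", "held"):
        print(kind, result[kind])
```

The `held` list catches entries such as `0.0.0.0/0` that would screen every client if a third-party list were imported unreviewed.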
 AUTOMATIC INSTALLATION OF PRODUCT UPDATES
Ctrl+O|Preferences|Updates is a new screen with several controls that allow you
to configure whether and when unattended installation of automatically downloaded
product updates will be performed (or not). When enabled, MDaemon can automatically
update itself, SecurityPlus (if you have it), and Outlook Connector (if you have
it). The Outlook Connector update covers just the server piece. Updating Outlook
Connector client plugins is covered elsewhere.
When MDaemon detects new versions of these products it will download and queue the
update for installation at an hour configured by you (2 AM is the default). Queued
updates are remembered across server restarts so they will be performed eventually
(even if the server is periodically switched off for whatever reason). Queued updates
are listed in a new file called "QueuedUpdates.dat" so you can always
delete all pending updates by deleting this file. The update installers themselves
are kept in a new folder called "Updates" off the MDaemon root. If there
are multiple products to update they are done one at a time and each one absolutely
requires a system reboot when it finishes. If you don't like that then do not enable
these settings (they are all disabled by default).
When automatic updates are performed the email to postmaster/admins about an update
that they can go and download manually is not generated. Instead, these people receive
the post-installation "Special Considerations" email normally sent as
well as a separate email stating that the update was performed. Also, the System
log tracks all installation activity. For example: "Installing update: <path
to installer>" and "MDaemon will be stopped by the installation process"
and "Server will be rebooted after installation completes" etc can all
be seen there. Lastly, the process can take a long time (many minutes) so the time
between the start of the update and the unavoidable server reboot is to be expected.
Did I mention that there will be a server reboot? Get over yourself - it's
gonna happen :)
As part of this work "MDLaunch /stop" no longer causes MDaemon to prompt for confirmation.
As part of this work the option to inform the postmaster about updates has been
moved from Ctrl+O|Preferences|Miscellaneous to the new screen mentioned above.
 IMPROVED WORLDCLIENT
 WorldClient now supports categories for email in the LookOut and WorldClient
themes. Users can add the Categories column to the message list by going to Options
| Columns and checking "Categories" in the Message List section.
To select categories for one or multiple messages, select the message(s) in question
and right click on one of the messages. In the context menu there is a "Categories
>" option. Click the option and a list of all the available categories
will be displayed. If there are more than 27 category options, an up arrow
and a down arrow will be displayed at either end of the list. To view more
options click the down arrow, and to go back up the list click the up arrow. If
a user has permissions to edit categories, the user can choose the "Edit Categories"
option in the toolbar in the LookOut theme or the "more" drop down menu
in the WorldClient theme. If a single message is selected in the list, any saved
changes will be applied to the message in question. Users can also use the Set Categories
option in the external message view to choose/edit categories. Users can also sort
and search by Categories.
 WorldClient now allows admins to create custom categories. There are two
files for this purpose; DomainCategories.json and PersonalCategories.json.
Domain Categories are enabled globally by default. To disable it, change the
value of DomainCategoriesEnabled in MDaemon\WorldClient\Domains.ini [Default:Settings]
to "No". Users are able to add and edit their own categories by
default. To disable this either per user (in the user's User.ini under
[User]) or globally (in MDaemon\WorldClient\Domains.ini [Default:UserDefaults])
change the value of CanEditPersonalCategories to "No". If Domain
Categories is enabled, and a user is not allowed to edit personal categories, the
user will only see the categories listed in DomainCategories.json. However,
if Domain Categories is disabled, and a user is not allowed to edit personal categories,
the user will see the categories listed in PersonalCategories.json. Users
that already have a UserCategories.js file will not lose any changes they have made
upon upgrade to MD 16.5, but with Domain Categories enabled, any category in their
UserCategories.js file that matches the DomainCategories.json categories will become
read only. There are also two translation files that have been added in order
to attempt to handle multi-lingual users on the same server; DefaultCategoriesTranslations.js
and CustomCategoriesTranslations.json. The DefaultCategoriesTranslations.js file
will be overridden each time MDaemon is upgraded, but the CustomCategoriesTranslations.json
file will not be, so add any necessary custom category translations to the CustomCategoriesTranslations.json
file. These files make it possible for WorldClient to recognize a category
saved to an event/note/task in one WC supported language as the equivalent category
in any other WC supported language. For more detailed information relating
to the files mentioned here, see the MDaemon\WorldClient\CustomCategories.txt file.
 LookOut and WorldClient themes - Added option to check a composed message
for attachments prior to sending, when attachments are mentioned in the subject
or body of the message
 Admins can now hide the WhiteList and BlackList folders for WorldClient users.
To do so, set HideWhiteListFolder=Yes and/or HideBlackListFolder=Yes in the MDaemon\WorldClient\Domains.ini
file under the [Default:UserDefaults] section. Individual users can continue to
see the WhiteList and/or BlackList folders if their User.ini has HideWhiteListFolder=No
and/or HideBlackListFolder=No in the [User] section.
   Account Editor|Web Services and Ctrl+T|Template Manager|New
Accounts|Web Services have each had two new checkboxes added which control whether
an account is allowed or required to use WorldClient's Two-Factor Authentication
(2FA) system. When the checkbox to allow 2FA is enabled then users decide whether
to use 2FA or not (see the user manual for details on setting up 2FA). However, if
both the allow and require 2FA checkboxes are enabled then users who have not set up
2FA will be given a session and redirected to a page to set up 2FA the next time
they log in to WorldClient. To force 2FA use immediately you must restart the WorldClient
server to force all users to log in anew. Once a user's authentication application's
pairing has been verified with WorldClient, the user will be redirected to the normal
WorldClient view. When 2FA is required then it cannot be disabled from within
WorldClient's Options|Security page. However, the same users can still use the
Get A New Shared Secret and Show My Shared Secret buttons.
 MDPGP SIGNATURE VERIFICATION (MDaemon PRO only)
MDPGP can now verify embedded signatures found within messages. Previously it was
not able to do this unless the message was also encrypted and signed. With this
change signatures appearing without encryption can now be verified. You will see
appropriate logging in the MDPGP log when this happens along with new icon and/or
text which WorldClient will show when it displays a verified message. As a result
of this change a new check-box has been added to the MDPGP GUI which enables signature
verification for all non-local users (enabled by default) or you can specify exactly
which email addresses can and can not use the service if you need (click the "Configure
exactly who can and can not use MDPGP services" button for that).
CHANGES AND NEW FEATURES
-  MDaemon will refuse MAIL and RCPT parms that are missing their "@domain.com"
component. In the past, MDaemon tried to "fix" things by making assumptions
and appending any missing pieces. MDaemon now insists these parms comply with RFC
specifications which require the "@domain.com" part. The only exception
to this allowed by MDaemon and RFC rules is the reserved mailbox "postmaster"
which must be accepted as a valid RCPT parm even when no "@domain.com"
-  MDaemon's SMTP and POP clients now validate SSL certificates presented
to them by remote hosts. However, no action other than a line added to the log is
taken at this time pending further work in the IETF regarding the various competing
STS-like proposals. So for now you will only see a line in the log indicating whether
the remote host's name is a match for the certificate it presents (or not) and
whether that certificate chains to a valid certificate authority recognized by Windows
(or not). Don't panic if you see a lot of "invalid" SSL certificates
presented. Such certificates are perfectly fine for encrypting data transmission.
They are "invalid" because they are either self-signed or do not match
the host name expected (or both). In such cases you can be sure encryption is happening.
Various weaknesses in TLS (of which its opportunistic nature and acceptance of nearly
all certificates are major examples) are being worked on by industry experts and
will make their way into products and services once that work has completed.
-  MDaemon UI changes: Items have been added to the Servers list on the Stats
pane for Auto-Discovery Service and XML API Service. The right click menu for the
ActiveSync server has additional commands. "Enable ActiveSync Server"
has been removed from the File menu. The ActiveSync server log is now a sub-tab
of Plug-ins instead of WorldClient, and logs for the Auto-Discovery Service and
XML API Service are there as well.
-  F2|Logging|Windows Event Log has several new checkboxes added and an edit
control. These allow you to specify the email address of your phone carrier's
email-to-SMS (text message) gateway. For example, with Verizon, the address is PhoneNumber@vtext.com
(ex: email@example.com). When a value is specified here you can then enable individual
checkboxes next to the various events. When these events occur a message will be
sent to the SMS gateway address you specify. I was not able at this time to have
shutdown notifications sent immediately because MDaemon needs to do it and it has
shut down. Until I can figure this out shutdown notifications are not sent. Also,
any event which triggers this feature will cause instant remote queue processing
(notifications are treated as "urgent" mail).
-  Ctrl+S|Sender Authentication|SPF Verification now allows domains in the
white list file to be included in SPF lookups. See descriptive text on that screen
for how it works. Often you need to white list your backup MX provider(s)
from SPF lookups but you do not know or cannot configure all of their IPs.
To safely solve this problem you can now specify your backup MX provider(s) by using
a new "spf" tag to white list them and MDaemon will do the required lookups
in real-time. MDaemon does this by adding its own "wlinclude:" tag to
the actual SPF results for a queried domain. Although this "wlinclude"
data is logged it is important to realize that "wlinclude" tags are your
white-listed entries and are not actually part of the queried domain's SPF data
taken from DNS.
-  Ctrl+P|DNS-BL|White List now permits white-listing FROM values. See
descriptive text on that screen for how it works.
-  Ctrl+S|Screening|Dynamic Screening has a new option which omits accounts
from being frozen due to multiple authentication failures when the same password
is used every time. This option is useful to prevent lockouts when users change
passwords legitimately. This option is enabled by default.
-  Authentications over POP, IMAP, or SMTP servers will add a line to the Screening
log showing the IP that was granted access if that IP has never been seen before.
This aids in debugging access problems.
-  Ctrl+S|Screening|Hijack Detection has a new setting that includes LAN IPs
when limiting Local IPs. This setting is enabled by default.
-  Ctrl+S|Screening|Hijack Detection has a new setting that controls whether
connections are refused with a 5XX or a 4XX reply code.
-  Ctrl+U|Other|Quotas - slightly changed wording on first checkbox option
to make it clearer what it does.
-  Content Filter will track and log the total number of times a rule was used.
This is tracked as HitCount=XX in CFRules.dat for each rule.
-  MDPGP: The results header better calculates the FQDN value used within the
-  When deleting a domain the confirmation dialog will only mention deleting
public folders if the option to delete public folders is enabled at F2|Server Settings|Public
& Shared Folders.
-  Several screens had bad tab-order or no tab-order at all and you could never
tab from the left-hand tree-view through to the selected right-hand dialog box nor
to the OK/Cancel/Help buttons. These matters have been fixed. As part of this work
the controls on the F2|Logging|Log Mode had to be reorganized.
-  Ctrl+A, Ctrl+C, Ctrl+V should now work where appropriate throughout the
-  The top-level Windows|Composite Log View and the "Activate Composite
Log" button within the logging UI will now activate and bring to the top any
existing composite log window or create a new one if there isn't one.
-  Changed composite log window caption to include the names of the items being
included in the log. Note: if you change the items you wish to include in
the composite log you will need to close and restart any already running composite
log to update the window caption.
-  Added some descriptive text to New List Member dialog to explain how to
use the path to an arbitrary addrbook.mrk file as a list member.
-  LDAP: ldapcache.dat was caching the sender value needlessly for LDAP lookups.
Since this value is ignored when checking the cache during LDAP processing its presence
there served no purpose. Future items added to the cache will not include this piece
and existing items that currently include it will eventually expire.
-  LDAP: added checkbox to enable/disable LDAP cache to LDAP options screen
and also moved this screen and the LDaemon settings screen out of F2|Server Settings
and into Ctrl+U|Active Directory. This is where I want LDAP related settings to
-  LDAP: logging was improved and fixed in a few places. First, the system
log gets nothing now. All goes to the LDAP log tab like it should. Errors
are simplified and properly logged. The composite log was not being used properly.
Now it is.
-  LDAP: exporting speed improved and just general improvement to address several
things that would just bore you and are internal to my programming style.
Anyway, it's better, trust me.
-  LDAP: added checkbox to Ctrl+U|Active Directory|LDAP which lets you use
protocol version 3 servers correctly.
-  LDAP: added checkbox to Ctrl+G|Verification which lets you use protocol
version 3 servers correctly.
-  The SyncML log tab has been removed and replaced with a WebDAV log tab.
SyncML functionality has not been removed and its log file can be viewed from disk
-  ActiveSync log file contains data on day-of-week and milliseconds already
but GUI was not showing it. Now it does.
-  LDAP: Normally when MDaemon exports aliases to an LDAP address book it puts
the accounts' actual email address in the CN field (not ideal but a long-standing
practice). However, non-alias exports place the accounts' full name value
there (more correct). A new checkbox was added to Ctrl+U|Active Directory|LDAP which
causes the export process to always put the accounts' full name value in CN
(if known). This option is disabled by default to preserve existing behavior.
-  SMTP server responds with "500 5.0.0 Unrecognized command" (correct)
rather than "501 5.0.1 Missing or errant parameters" (technically incorrect)
when encountering an unrecognized command.
-  Moved call to AV update function from MDaemon to SecurityPlus code-base.
-  Added link and text reminding about free support to "Help|Register
your Alt-N products".
-  Archiving tool now uses MDaemon's temp folder rather than the Windows temp
folder to solve some access permissions problems.
-  Work was done to prevent the UI from needlessly refreshing itself when nothing
was changed. This was visible as a "flashing" of the tool window pane
(especially noticeable over remote connections). The items in this window will now
only update if something has actually changed.
-  Added "apply to all accounts" button to New Accounts template
-  Alt+F2|Domain Manager|Settings has a new control that allows you to specify
the maximum number of messages per hour that a domain can send (zero means no limit).
Once this limit is reached further messages are left in queue and a line is logged
about it to the System log. All counts are reset hourly or on a server restart.
This option is only available in MDaemon Private Cloud version.
-  Alt+F2|Domain Manager|Settings has a new control that allows you to specify
the maximum disk space quota for a domain's accounts. This option is only available
in MDaemon Private Cloud version.
-  Alt+F2|Domain Manager|Host Name & IP has a new control that allows you
to enable/disable a domain. When domains are disabled users can no longer
send or retrieve their mail and all new messages sent to the domain are rejected
with "User Unknown". This option is only available in MDaemon Private
-  MDaemon no longer accepts MAIL <forward-path> or RCPT <reverse-path>
values which are enclosed in tick marks ( ' chars) or quote marks ( " chars).
These forms are not in accord with the standards and although MDaemon accepted and
tried to "fix" them in the past they end up causing problems for down-stream
modules so they are now refused during the SMTP session.
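The two SMTP strictness changes in these notes (MAIL and RCPT values must carry an "@domain" part except the reserved "postmaster" recipient, and values enclosed in tick or quote marks are refused) can be expressed as one check. This is an added example, not MDaemon's code: the function name, the reason strings, the strict address pattern and the acceptance of the null sender `<>` are assumptions.

```python
import re
from collections import namedtuple

Verdict = namedtuple("Verdict", "accepted reason")

# Assumption: a deliberately strict address shape (dot-atom local part, DNS-style
# domain). RFC 5321 also permits quoted local parts and address literals, which
# this sketch refuses.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDRESS = re.compile(
    rf"{_ATEXT}(?:\.{_ATEXT})*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def check_path(command, argument):
    """Judge the text after 'MAIL FROM:' or 'RCPT TO:'; return a Verdict."""
    arg = argument.strip()
    if arg.startswith("<"):
        end = arg.find(">")
        if end == -1:
            return Verdict(False, "unterminated angle bracket")
        path = arg[1:end]
    else:
        # Bare path: everything up to the first space (ESMTP parameters follow).
        path = arg.split(None, 1)[0] if arg else ""

    if not path:
        # The null reverse-path "<>" is the RFC 5321 bounce sender. The release
        # notes do not mention it, so accepting it here is an assumption.
        if command == "MAIL" and arg.startswith("<>"):
            return Verdict(True, "null reverse-path")
        return Verdict(False, "empty path")
    if len(path) >= 2 and path[0] == path[-1] and path[0] in "'\"":
        return Verdict(False, "enclosed in quote marks")
    if "@" not in path:
        # Only the reserved recipient is valid without a domain.
        if command == "RCPT" and path.lower() == "postmaster":
            return Verdict(True, "reserved mailbox")
        return Verdict(False, "missing @domain")
    if not _ADDRESS.fullmatch(path):
        return Verdict(False, "malformed address")
    return Verdict(True, "ok")


# Constructed sample commands, not taken from a real session.
SAMPLES = [
    ("MAIL", "<alice@example.com> SIZE=1024"),
    ("MAIL", "<>"),
    ("MAIL", "<'alice@example.com'>"),
    ("RCPT", '"bob@example.com"'),
    ("RCPT", "<bob>"),
    ("RCPT", "<Postmaster>"),
]

if __name__ == "__main__":
    for command, argument in SAMPLES:
        verdict = check_path(command, argument)
        action = "accept" if verdict.accepted else "refuse"
        print(f"{command} {argument!r}: {action} ({verdict.reason})")
```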
-  WorldClient - Added "Verified with key-id <key-id>" information
to the message header in the message previews and external message views when the
message contained a verified PGP signature.
-  The version node on the status bar at bottom of UI will show 32-bit or 64-bit.
-  UI nodes in toolwnd text changed from using "active/inactive"
to using "enabled/disabled"
-  WorldClient - Added support for recurring tasks in the LookOut and WorldClient
themes. The behavior matches that of Outlook.
-  Added icons for messages with valid DKIM signatures, messages decrypted
by MDPGP, and messages signed with an MDPGP key
-  LookOut and WorldClient themes - Added the ability to accept, accept tentatively,
or decline a meeting from the event editor
-  MDPGP: libraries and binaries updated to latest versions.
-  Moved cleanup event strings to resources for translations.
-  WorldClient - Added option to turn off display of the "Share Folder"
button in the Options | Folders view and in the folders context menu. Use
HideShareFolderOption=Yes in Domains.ini [Defaults:UserDefaults] to hide for all
users. Setting HideShareFolderOption in the User.ini will override the setting
from the Domains.ini
-  LookOut and WorldClient themes - Added context menu and shortcut key options
to delete messages permanently without sending them to the Deleted Items folder.
In the message list context menu (right click menu) choose "Delete Permanently"
from the drop down or use "Shift + Del" to permanently delete selected
-  WorldClient theme - Removed the "Click to add to contacts" in
the message preview and external message window, because the user can simply hover
and get the "Add to Contacts" option.
-  LookOut and WorldClient themes - Added an Options | Categories view for
editing user categories. View is available as long as the user setting CanEditPersonalCategories
-  Reversed order of operations to now check IP Screen before Dynamic Screen
in order to reduce needless waste of CPU and logging.
-  Ctrl+U|Autoresponders has a new screen called Attachments. Only paths listed
here are eligible to be used within autoresponder scripts.
-  WorldClient - Added option to turn off display of email address hover context
menus in the message preview frame and the external message view. Use HideEmailAddressHoverMenus=Yes
in Domains.ini [Defaults:UserDefaults] to hide for all users. Setting HideEmailAddressHoverMenus
in the User.ini will override the setting from the Domains.ini
-  Changed message queue right-click menu text from "White List 'To'" to "White
List Recipient", "White List 'From'" to "White List Sender" etc. Also message queue
tab column header labels were changed from "From" and "To" to "Sender" and "Recipient".
-  Ctrl+P|Spam Filter|Settings had an option to configure spam score on a DNS-BL
match. This option was removed as it's a duplicate of the same option
which appears just a few tabs down on the same screen at Ctrl+P|DNS-BL|Settings.
It also did not store state correctly at times.
-  MDPGP no longer logs data about messages when MDPGP is completely disabled
(this was just wasting disk space).
-  LookOut theme - added ability to select multiple contacts from the Contacts
folder and then send a message to all of them
-  WorldClient theme - changed the X that saves notes to a floppy disk (save
-  Added the ability in WorldClient to modify the notes field of a single occurrence
of a recurring appointment
-  Updated to new version of the HTML editor used by WorldClient and Remote
Admin (CKEditor 4.5.10).
-  MDaemon will email the Outlook Connector release notes to the postmaster
and global admins when a new version (4.0.0 or newer) is installed on the server.
-  An ActiveSync client setting has been added that allows iOS clients to be
able to send mail using an alias, by returning the logon alias as the user's primary
-  fix to log file archives sometimes having incorrect files included
-  fix to MDPGP minor issues and processing bottle-necks
-  fix to spam filter "no filtering" white list not working for some
queue based scans
-  fix to spam filter "no filtering" white list (and others) not
always working properly with encoded header data
-  fix to MDPGP not reloading domain settings when they change
-  fix to left-hand tree-view in UI dialogs not accessible via tab key
-  fix to main menu not immediately available for keyboard focus on startup
-  fix to MDPGP GUI options related to encrypting mail not disabled when services
-  fix to encoded From and Subject header data lost by CF "copy to"
action when destination is a mailing list
-  fix to X-MDArchive-Copy: header not inserted into messages archived to folder
-  fix to CF failing to detect and extract attachments in certain emails; also
fixed lack of logging of these facts on success or failure
-  UTF-8: fix to list digests not in proper charset and thus unreadable for
some; also simplified and updated logging of results
-  fix to X-MDAV-Infected header not always listing file names correctly
-  UTF-8: fix to calendar reminder data not encoding properly
-  fix to install process errors when moving from older 32-bit versions (<
13.5) to newer 64-bit versions
-  LDAP: fix to ldap export not automatically happening when enabling/disabling
options to do so on Alt+G|Mailing List Settings; also the wording of this option
was slightly improved
-  fix to content filter compressing inbound attachments when not configured
to do so; also simplified logging related to compression
-  UTF-8: fix to incorrect full name sometimes added to contacts when forwarding
mails to the special "add to whitelist/blacklist" address
-  fix to WorldClient - 2FA if a user cancels a new secret request the old
secret is deleted, but 2FA remains enabled
-  fix to Screening log not getting "----------" lines added; wasteful
but without this the search function fails to work correctly
-  fix to LookOut theme - Disable New Email Sound does not stay checked after
-  fix to config session needlessly writing/updating counts within the UI
-  Minger: fix to gateway "test" button returning "Success -
these settings don't work" ROFL (should be "Success - look like it's
-  Minger: fix to minger not properly honoring options to allow over-quota accounts
to send mail
-  fix to status bar at bottom of UI not showing IPv6 address in config session
-  fix to WorldClient - When setting up 2FA with long user names and long domain
names, the bar code will not display
-  fix to WorldClient theme - When the Company field in a contact contains
an apostrophe, the Edit button no longer works
-  fix to WorldClient theme - Comment field called Note when viewing contact
-  fix to WorldClient theme - Tab order off/confusing when creating new contact
-  fix to SPF processing not showing any error text when SPF records are set up
as errantly recursive
-  fix to DMARC white list not honoring DKIM/SPF Approved domains list
-  fix to WorldClient theme - Hitting enter in the text input of the New Folder
dialog does nothing
-  fix to LookOut theme - Options | Folders - Notify checkbox is displayed
for non-email type folders
-  fix to LookOut and WorldClient themes - the date on the day view and week
view is incorrect for the Print a list view of calendar events printing format
-  fix to LookOut theme - Categories - In the Calendar Day View, all day events
with a dark gray have the wrong font color
-  fix to LookOut and WorldClient themes - shortcut key to send email results
in the "Are you sure you want to leave this page" alert
-  fix to LookOut theme - FF 45.0.2 German version forces refresh when clicking
on Calendar in folder list
-  fix to Remote Administration not allowing enough digits for Bayesian Database
-  fix to unable to toggle "Always log to screen" in Remote Administration
-  fix to unable to select IPv6 addresses for Host or IP Screening in Remote
-  fix to "Undefined IPs should be..." value always blank on IP Screening
page in Remote Administration
-  fix to forwarded messages not processing by CF rules when configured to
-  fix to creation of mail folders with trailing spaces being allowed
-  fix to queue status not written to system log when toggled via tool window
-  AD: fix to problems processing user data fields with a single % char in
-  fix to errant "save changes first" box when canceling out of public
folder manager with no changes made
-  fix to unable to set "Hide List from Global Address Book" in Remote
-  fix to Domain Admin gets blank Attachments page in User Editor in Remote
-  fix to Gateway Editor in Remote Administration not always showing the right
value for certain options
-  fix to labeling error for a page in User Editor for Domain Admins in Remote
-  fix to LookOut and WorldClient themes - Unable to edit an appointment in
Day View due to the inability to select it
-  fix to LookOut and WorldClient themes - When setting the default contacts
view to an alternate folder and then saving it twice, it changes to All Contacts
-  fix to Remote Administration allows non-local addresses to be added as Spam
-  fix to Remote Administration unable to edit domains with certain special
characters in them
-  fix to some windows display in the wrong size in Remote Administration
-  fix to LookOut theme - When there are several addresses in the CC field,
the CC field will not wrap in the window frame
-  fix to LookOut and WorldClient themes - If a pdf attachment has spaces before
.pdf in the filename the pdf viewer does not work
-  fix to WorldClient - AutoComplete - When an ampersand is used in a contact
that is added as a recipient it shows the HTML encoding
-  fix to WorldClient theme - Unread view shows read messages after resizing
-  fix to various spelling errors found within the product
-  fix to contacts with mobile numbers being removed incorrectly when UI button
used in Account Editor|White List
-  fix to MDaemon alias sometimes lost or unchanged when primary domain changed
(also fixes potential extra MDaemon account created)
-  fix to Content Filter GUI checkbox for "If the X-MDaemon-Deliver-To
HEADER contains" is not checked when editing a rule using that condition
-  fix to MDaemon account not properly handling some multipart messages sent
-  fix to IP Syntax checker in Remote Administration not accounting for IPv6
-  fix to Remote Administration not saving the new default Host Screen entries
-  fix to Remote Administration not saving authorized Outlook Connector accounts
-  fix to CalDAV server does not honor SCHEDULE-AGENT=CLIENT ATTENDEE parameter
-  fix to possible crash when MDaemon is configured to send mail to a smart
host and the smart host address is invalid
-  fix to unable to save changes to certain actions in the CF Rules in Remote
-  fix to WorldClient tasks - In the Estimated Work and Actual Work fields,
an entered decimal point is not saved
-  fix to WorldClient - Cannot replace signature image with new image of same
-  fix to inconsistencies in MaxPingFolders configuration between MDaemon and
-  fix to ActiveSync may remove the flag on a message when it is replied to
-  fix to domain specific smart hosts not being used in some situations
-  fix to accountprune sometimes making empty ZIP archive files; when this
happens file will be deleted
-  fix to when removing a start date from a task in WorldClient the change
may not be saved
-  fix to certain strings not showing up translated in Remote Administration
-  fix to "Access Denied" error when viewing certain MDAS pages in
Remote Administration as a Domain Admin
-  fix to Remote Administration not showing the correct per-device AS Client
-  fix to Cancel button on Support Files Editor in Remote Administration does
not close window
-  fix to Cancel button on Outlook Connector Users page in Remote Administration
does not close window
-  fix to Ctrl+S|Other|BATV two checkboxes in UI not always working properly
-  fix to ActiveSync clients are sent attachments even when their device policy
does not allow attachments if they request message bodies in MIME format
-  fix to accented characters in the From header of messages sent using iOS
ActiveSync clients may be converted to ASCII
-  fix to hijack detection not always working correctly (allowing too many
-  fix to DMARC report recipients may mistakenly be discarded
-  fix to MDaemon Account Editor truncates an account's smart host password
to 15 characters
-  fix to Help links not working on some pages in Remote Administration
-  fix to calendar event recurrence end dates are not synced to ActiveSync