SecurityGateway for Email Servers v12.0 Release Notes

SecurityGateway 12.0.0b

CHANGES AND NEW FEATURES

[29039] Archive Failure Queue for messages that fail to be archived. Messages that cannot be archived due to errors (disk full, archive store unavailable, etc.) are now saved to a dedicated archive failure queue. Administrators can view and manage these messages from Setup / Users | Archiving | Failed Messages.
[29108] User Settings Page Redesign - The user settings page has been reorganized into logical sections (Security, Display Preferences, Email Filtering, Quarantine, Archiving, and Advanced Options) for improved usability. Password changes now open in a dialog, dark mode uses a dropdown selector.

FIXES

(beta only) [28834] Fixed an issue where SecurityGateway would fail to start when configured to use an external Firebird database server, reporting "Firebird Unknown Version (ODS 0)". The Firebird version check now queries the database server directly instead of reading from the local database file, which is not accessible when using an external server.
(beta only) [29103] fix to Archive store backups fail as hard coded test path "Z:\invalid" was inadvertently left in code
(beta only) [29104] fix to HTTP socket lifetime race condition crash

SecurityGateway 12.0.0a

SPECIAL CONSIDERATIONS

MAJOR NEW FEATURES

[28631] Display Name Protection to protect against business email compromise (BEC) and impersonation attacks
Protect against display name impersonation attacks where threat actors use display names similar to trusted users (such as executives, vendors, or colleagues) to trick recipients into taking actions like transferring money or revealing sensitive information. This feature provides comprehensive protection through multiple layers of defense:

Core Detection Engine: Uses advanced name similarity detection (Jaro-Winkler algorithm) to identify when an email's display name closely matches a protected user but originates from a different email address. Administrators can configure a similarity threshold (0.0 - 1.0) where 1.0 requires an exact match and lower values enable fuzzy matching to catch variations like "Jon Smith" vs "John Smith".

Protected User Management: Administrators can designate high-value targets (executives, finance personnel, HR staff) for monitoring. Each protected user can maintain a personal address list of legitimate alternate addresses to prevent false positives when they email from personal accounts.

Free Email Provider Actions: Apply stricter policies to messages from free email providers (Gmail, Yahoo, Outlook.com, Hotmail, ProtonMail, iCloud, AOL, and many others) where impersonation attacks commonly originate. Configure separate actions specifically for these high-risk sources.

Flexible Response Actions: Choose from multiple response options including rejecting messages, quarantining for security review, adding warning headers (X-SecurityGateway-DisplayNameSpoofed), tagging subject lines with [SPOOFED], or filing to spam folders. Different actions can be configured for general matches versus matches from free email providers.

Granular Exclusions: Prevent false positives with multiple exclusion options: allowlisted IP addresses, authenticated sessions, domain email servers, and a configurable sender exclusion list supporting wildcard patterns (*@company.com, user*@domain.com, admin@*.com).

Sieve Integration: Advanced users can create custom policies using the new vnd.mdaemon.display_name_spoofed and vnd.mdaemon.sender_is_free_email Sieve tests.

Configuration is available under Security | Anti-Spoofing | Display Name Protection in the web interface.
[29012] Database connection pooling for improved performance and reliability under high load.
Connection pooling reuses existing database connections instead of creating new ones for each operation, includes automatic retry logic with exponential backoff for transient failures, and provides circuit breaker protection to prevent cascade failures during database outages. The pool automatically prunes idle connections to optimize resource usage.

Dashboard Monitoring: Global administrators can monitor database connection pool health in real-time from the dashboard. Statistics include current pool size, maximum pool size, active connections, idle connections, circuit breaker status, and consecutive failure count. The DB Connection Pool statistics display on the dashboard can be disabled under Main | My Account | Settings.

Windows Performance Monitor: Database connection pool metrics are exposed as Windows Performance Monitor counters under the SecurityGateway object, enabling integration with external monitoring tools and alerting systems.
[25124] Administrator IP Restrictions to enhance administrative account security
Restrict administrator login access to specific IP addresses or IP ranges, providing an additional layer of security for administrative accounts. This feature helps prevent unauthorized access by limiting where administrators can authenticate from.

Global and Per-Domain Configuration: Configure IP restrictions for global administrators separately from domain administrators. Domain administrators can login from IPs in their domain-specific allow list OR the global allow list, providing flexibility for multi-domain environments while maintaining centralized security policies.

Flexible IP Matching: Supports individual IP addresses, IP ranges, and CIDR notation. Localhost access (127.0.0.1 and ::1) is always permitted to ensure local access is never blocked.

Comprehensive Logging: All administrator access attempts (granted and denied) are logged to the HTTP log with IP address and administrator email for security auditing and compliance requirements.

Configuration is available under Setup / Users | Accounts | Administrators | IP Restriction Option.

CHANGES AND NEW FEATURES

[39039] Bad Archive Queue for messages that fail to be archived. Messages that cannot be archived due to errors (disk full, archive store unavailable, etc.) are now saved to a dedicated bad archive queue instead of being lost. Administrators can view and manage these messages from Setup / Users | Archiving | Failed Messages or from the new Archiving section on the Setup landing page. Messages can be retried for archiving or deleted as needed.
[29015] Quarantine action confirmations now support action-specific "Do not show this prompt again" preferences. Users can independently configure each action type (release, delete, block, exempt, confirm spam, etc.), enabling them to skip prompts for routine actions while maintaining confirmations for destructive operations. A new "Clear quarantine report confirmation preferences" button in Main | My Account | Settings allows users to restore all confirmation prompts for the current browser.
[11429] Email alerts for failed scheduled database backups. Administrators can now configure SecurityGateway to send email notifications to all global administrators when scheduled database backups fail. This optional setting (enabled by default) is available on the Setup / Users | Database | Backup page and helps ensure critical backup failures are promptly addressed.
[4107] Quarantine reports can now be sent on-demand via a "Send Quarantine Report Now" button in Main | My Account | Settings | Quarantine Options. Administrators may send a report for a user for which they have permissions from that user's setting page ("Settings" button of the User List toolbar). This allows immediate delivery of quarantine report emails without waiting for the scheduled report interval.
[29046] Archive search now includes Sender/Recipient in default search criteria. When searching archived messages, the search will now automatically include sender and recipient fields in addition to subject and message body, making it easier to find messages without manually enabling additional search options.
[13555] Passwords are no longer included in the user export CSV file
[26679] Option to exclude external administrators from receiving admin quarantine summary emails. This setting is available under Setup / Users | Mail Configuration | Quarantine Configuration in the Administrative Quarantine section and helps organizations comply with GDPR requirements by preventing quarantine summaries containing user message information from being sent to administrators outside the organization.
[29079] Updated API Documentation. Reorganized into separate files by category. Added C#/.NET and Python code samples.
[24065] The SecurityGateway system service is now configured with recovery options to automatically restart the service on the first and second failures. This configuration is applied once during new installations and upgrades. If you modify the recovery settings afterward, your changes will be preserved.

FIXES

[27718] fix to custom dashboard report drill-down showing blank message list when using $LOCALDOMAIN$ or $REMOTEDOMAIN$ macros
[28636] fix to Sieve rules created for disclaimers are not read-only when opened from Security | Advanced | Sieve Scripts
[28671] fix to attachment filtering patterns R0*, R1*, R2* matching entire filename instead of extension, causing files like R2345694373.png to be incorrectly blocked
[28742] fix to attachment downloads fail in Chromium browsers when filename contains a comma
[28992] fix to From Header Screening "Put email address before name" option corrupting From header when display name contains accented characters (RFC 2047 encoded words)
[29044] fix to archive store backup reporting success even when individual store backups failed
[29049] fix to debug performance timing interval logged in scientific notation
[29068] fix to unresponsive OK button when overriding blocklist/allowlist conflicts due to JavaScript error
[29025] fix to BayesianLearning.log not being archived, causing the file to grow indefinitely
[13989] fix to aliases from user verification sources (Minger, AD/Exchange) being created as new users instead of being added as aliases to existing accounts
[29050] fix to session expiration logging out users even when "Remember Me" is enabled. Users with valid remember-me cookies will now be automatically re-authenticated when their session expires.