SecurityGateway for Email Servers v4.0 Release Notes
Developed with 20 years of proven email security expertise, SecurityGateway provides
affordable email security. It protects against spam, viruses, phishing, spoofing,
and other forms of malware that present an ongoing threat to the legitimate email
communications of your business.
- (beta only)  fix to messages may appear in a domain's message log that
are neither to nor from that domain
- (beta only)  fix to domain administrators and users that are not
administrators are unable to view the content or source of messages from the
-  fix to under specific conditions, a message may be accepted but not
delivered to the domain email server. In the outbound log, the session for
the message will contain SIZE=0 and delivery will fail.
SecurityGateway 4.5.0 - April 4, 2017
 The option "Honor CRAM-MD5 authentication method" found at Setup
/ Users | Mail Configuration | Email Protocol has changed to disabled by default
for security and technical reasons. Using TLS is the preferred way to avoid transmission
of passwords in the clear.
CHANGES AND NEW FEATURES
-  Added a set of built-in "Data Leak Prevention" rules. These
rules can be used to assist in detecting if sensitive information is being sent
outside of the organization.
-  Added the ability to compare the message body or subject in a content filter
-  Added a "MAIL and RCPT" item in the "Rule Condition Editor"
for Message Content Filter and Data Leak Prevention rules. Comparators for
this item are Inbound, Outbound, and Internal along with a negative option for each.
- Inbound - Message is to a local user and is not from a local user of the same domain
- Outbound - Message is from a local user and is not to a local user of the same domain
- Internal - Message is to and from a local user of the same domain
-  Added "contains word" and "does not contain word" comparators
for message content filter and data leak prevention rule conditions. These
are similar to the "contains" and "does not contain" comparators
but will only match if there is a
word boundary anchor preceding and following the string. This avoids
the need to manually create a regular expression in the format of \b(word1|word2|word3)\b.
-  Added the ability to edit a "Currently defined string" for a content
filter or data leak prevention rule condition by double clicking it.
-  Integration with Let's Encrypt via PowerShell script
Let's Encrypt is a certificate authority that provides free certificates for
Transport Layer Security (TLS) encryption via an automated process designed to eliminate
the current complex process of manual creation, validation, signing, installation,
and renewal of certificates for secure websites.
A PowerShell script that supports LetsEncrypt is now installed to the SecurityGateway\LetsEncrypt
directory. A dependency of the script, the ACMESharp module,
requires PowerShell 3.0. This means this script will not work on Windows
The SecurityGateway HTTP service must be listening on port 80 or the HTTP challenge
cannot be completed and the script will not work. You will need to correctly set
the execution policy for PowerShell before it will allow you to run this script.
Running the script will set everything up for LetsEncrypt, including putting the
necessary files in the SecurityGateway HTTP (templates) directory to complete the
http-01 challenge. It uses the FQDN configured in SecurityGateway for the default
domain as the domain for the certificate, retrieves the certificate, imports it
into Windows, and configures SecurityGateway to use the certificate using SecurityGateway's
The script creates a log file in the SecurityGateway\Logs\ directory called LetsEncrypt.log.
This log file is removed and recreated each time the script runs. The log includes
the starting date/time of the script but it does not include a date/time stamp for
each action. Notification emails can be sent when an error occurs.
If you have an FQDN set up for your default domain that does not point to the SecurityGateway
server, this script will not work. If you want to set up alternate host names in
the certificate you can do so. You need to pass the alternate host names on the
Example usage: .\SGLetsEncrypt.ps1 -UserName firstname.lastname@example.org -Password Password1
-AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -EmailErrorsTo
You do not need to include the FQDN for the default domain in this list. For example,
our default domain, altn.com, is configured with an FQDN of mail1.altn.com. We use
an alternate host name of mail.altn.com. When I run the script, I only pass mail.altn.com
as an alternate host name. If you pass alternate host names, an HTTP challenge will
need to be completed for each of them. If the challenges are not all completed, the
process will not complete correctly.
If you do not need to pass in alternate host names, then do not include the -AlternateHostNames
parameter in the command line. If you do not want to have email notifications sent
when an error occurs, do not include the -EmailErrorsTo parameter in the command
-  Updated Cyren Anti-Virus engine to version 5.4.28-r1
-  Updated to version 8.00.0125 of the Cyren Outbreak Protection SDK
-  Changed the write mode for the Firebird database from asynchronous to synchronous
as this should resolve some instances of database corruption. However, this
change does come with a performance cost. This will not be an issue for most installations.
A new screen has been added at Setup | Database | Configuration to specify the database
write mode. Asynchronous write mode is only recommended when the performance
of synchronous write mode is not sufficient. It is critical that the system be protected
by a reliable UPS and that database backups are maintained.
-  Replaced built in crash memory dump generation code with code that creates
registry entries for Windows Error Reporting. This functionality requires
Windows Server 2008/Windows Vista or later. A memory dump file should be created
in the "CrashDumps" folder if the securitygateway.exe process crashes.
The location of this folder may be changed from Setup/Users | System | Directories.
-  Added "Result" column to the Queued for Delivery view
-  Implemented Sieve extension "proximity" tag for "allof"
test. This allows for scripts where multiple search terms must exist within
a proximity of a specified number of characters of each other.
-  Added GetSetting and PutSetting methods to the XML-RPC API
-  Added option to Setup | Mail Configuration | Email Protocol to "Hide
software version identification in responses and 'Received:' headers".
This option is disabled by default.
-  SecurityGateway may report the version of the OS that it is running
on when it requests an updated license file from Alt-N. This information is helpful
as we make decisions about which OSes to support. To not report such information,
disable the "Include optional usage and environment data in license request"
option on the Setup | Registration page in the web interface.
-  Added options to Security|Anti-Spam|Backscatter Protection to specify IP
addresses and domain names of sites that are exempt from Backscatter Protection
-  Updated SpamAssassin engine (SGSpamD.exe) to include Encode module for charset
conversion and normalization
-  Added a per-domain option for the maximum acceptable SMTP message size
-  SecurityGateway starts warning about impending license deactivation 7 days
in advance (up from 5 days).
-  Improved logging in DMARC processing when SPF lookup was not performed due
to a NULL SMTP return path
-  fix to it is possible to add a content filter condition when an empty criteria
-  fix to updating a Message Content Filter Rule may result in the truncation
of the last character of the condition string
-  fix to usage key returned by activation server is not saved when "Click
here to request an updated license file" link is manually clicked
-  fix to the "Exclude the files listed below" virus scanning options
only apply to the "Quarantine messages that cannot be scanned" option
and need to be indented
-  fix to "Account Hijack Detection" is not activated if sender authenticates
as a user account alias address
-  fix to DMARC failure reports (RUF) are not DKIM signed
-  fix to Bayesian learning process fails when SecurityGateway is installed
under the Program Files (x86) directory and support for NTFS short file names is
not enabled on the volume. This is the default configuration for new volumes
created by Windows Server 2012.
-  fix to Sieve "envelope" test "domain" tag does not match
-  fix to the DNS parser adds an additional space character between the lines
of multi-line TXT DNS records. This may result in erroneous SPF and DMARC policy
failures when a single policy element spans multiple lines.
-  fix to the message count contained in the administrative quarantine report
may be incorrect for domain administrators
-  fix to unable to disable DKIM signing for a domain
-  fix to browser may autofill other password fields with saved logon password
-  fix to SPF test may errantly return pass result if SPF policy contains the
-  fix to regular expression for detecting blank subjects not working
-  fix to unable to edit a condition in a Message Content Filter rule while
that rule is disabled
-  fix to the Whitelist/Blacklist list view may display characters in an entry's
comments encoded as HTML entities
-  fix to incorrect DMARC / DKIM / SPF lookups occurring for some domains
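The "MAIL and RCPT" directions, the "contains word" comparator and the Sieve "allof" proximity tag described in the 4.5.0 changes above are easiest to understand as small matching functions. The block below is an added example written for these notes, not SecurityGateway's own code: the local domain list, the rule words, the sample message body and the reading of "proximity" as the distance between the start positions of the matched terms are all assumptions.

```python
"""Added example: content-filter building blocks from the 4.5.0 notes.
Not SecurityGateway code; local domains, rule words and sample text are constructed."""
import re
from itertools import product

LOCAL_DOMAINS = {"example.test", "sub.example.test"}  # constructed local domains


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def message_directions(mail_from, rcpt_to, local_domains):
    """Which 'MAIL and RCPT' comparators match one sender/recipient pair.
    Follows the three definitions in the notes literally, so mail between
    two different local domains is both inbound and outbound."""
    from_local = domain_of(mail_from) in local_domains
    to_local = domain_of(rcpt_to) in local_domains
    same_domain = domain_of(mail_from) == domain_of(rcpt_to)
    directions = set()
    if to_local and not (from_local and same_domain):
        directions.add("inbound")
    if from_local and not (to_local and same_domain):
        directions.add("outbound")
    if from_local and to_local and same_domain:
        directions.add("internal")
    return directions


def contains(text, words):
    """Plain 'contains' for comparison: matches inside longer words too."""
    return any(w.lower() in text.lower() for w in words)


def contains_word(text, words):
    """'contains word': the string must sit between word boundaries, i.e. the
    \\b(word1|word2|word3)\\b regex the notes say you no longer have to write."""
    pattern = r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None


def allof_within(text, terms, max_distance):
    """Sieve 'allof' with a proximity tag: every term must occur, and one
    occurrence of each must start within max_distance characters of the
    others (assumed reading of 'proximity')."""
    positions = []
    for term in terms:
        hits = [m.start() for m in re.finditer(re.escape(term), text, re.IGNORECASE)]
        if not hits:
            return False
        positions.append(hits)
    # try every combination of one occurrence per term
    return any(max(combo) - min(combo) <= max_distance for combo in product(*positions))


def dlp_rule_matches(mail_from, rcpt_to, body, local_domains=LOCAL_DOMAINS):
    """A constructed Data Leak Prevention rule: outbound mail whose body uses
    'confidential' as a whole word within 80 characters of an account number label."""
    return ("outbound" in message_directions(mail_from, rcpt_to, local_domains)
            and contains_word(body, ["confidential"])
            and allof_within(body, ["account number", "confidential"], 80))


if __name__ == "__main__":
    sample = "Account number 4111 1111 1111 1111 expires soon. Confidential."
    print(dlp_rule_matches("alice@example.test", "bob@partner.example", sample))
```

The `contains` versus `contains_word` pair shows why the new comparator matters for DLP rules: a rule word such as "pass" would otherwise fire on every "password" or "passenger" in outbound mail.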
SecurityGateway 4.0.1 - July 26, 2016
CHANGES AND NEW FEATURES
-  SPF will now only honor the global IP whitelist. This prevents an
issue where SPF lookups are not performed if the sender's address is on a whitelist.
-  fix to users are re-verified against the user verification source for each
message received. The "flag users for re-verification after X hours"
is not honored.
-  fix to the Configuration and Defaults settings on the User Options page
are not be saved when specifying them per domain
-  fix to when creating or editing an SMTP user verification source the password
is not hidden
-  fix to when the operating system's codepage for non-Unicode applications
is set to a multi-byte codepage (e.g. Japanese or Chinese), and the logged in user's
language is Japanese or Chinese, report graphs may not be displayed. The SecurityGateway
system service may also terminate when the above is true and a report is requested.
-  fix to subject of automated messages may contain additional whitespace around
-  fix to German language Disclaimer List page does not load and displays pop-up
-  fix to unable to save "When SPF processing returns a PASS result add
points to message score" option
-  fix to database configuration backup fails if any Remote POP Accounts are
SecurityGateway 4.0.0 - June 14, 2016
MAJOR NEW FEATURES
 Web Interface Updated to use a Mobile First Responsive Design
The web interface has been updated to use a mobile first responsive design.
Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and
the latest Safari on Mac and iOS. Android stock browsers have been known to
have issues with scrolling, but Chrome on Android devices works well.
This design is based entirely on the size of the window being used. Whether
the user is on a phone, tablet, or PC, the appearance is the same for the same window
size. The most important change here is the menu. From 1024 pixels width
on down the menu is hidden on the left side of the browser. There are two
methods that can be used to display the menu. If a touch device is in use,
swiping to the right will show the secondary menu. Whether or not a touch
device is in use, there is also a "menu" button in the top left corner
that will display the secondary menu. Tapping or clicking the menu title with
the left arrow next to it at the top of the menu will display the primary menu.
The help, about, and sign out menu in the top right corner changes based on the
width of the screen as well. From 768 pixels up shows the words Help, About,
and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels
or less displays a "gear" icon which when clicked or tapped will display
a drop down menu with the Help, About, Sign Out options. List views with more
than one column have column on/off buttons.
Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance)
has been added. DMARC defines a scalable mechanism by which a mail sending organization
can express, using the Domain Name System, domain level policies and preferences
for message validation, disposition, and reporting, and a mail receiving organization
can use those policies and preferences to improve mail handling. The DMARC specification
and full details about what it does and how it works can be found here:
DMARC allows domain owners to express their wishes concerning the handling of messages
purporting to be from their domain(s) but which were not sent by them. Possible
message handling policy options are "none" in which case SecurityGateway
takes no action, "reject" in which case SecurityGateway refuses to accept
the message during the SMTP session itself, and "quarantine" in which
case SecurityGateway places the following header into each message for easy filtering
into your users' Junk E-mail folders: "X-SGDMARC-Fail-policy: quarantine".
This header is only added when the result of the DMARC check is "fail"
and the resulting DMARC policy is something other than "none." It
is possible to configure SecurityGateway to accept messages even though DMARC requests
that they be rejected. In fact, this is the default operational mode.
In these cases SecurityGateway will place an "X-SGDMARC-Fail-policy: reject"
header into the message in case you want to filter more seriously on that.
DMARC supersedes ADSP and the message disposition features of SPF. However,
you can still use all of them together with DMARC. ADSP and SPF message
rejection now takes place after DMARC processing if DMARC verification is enabled.
DMARC depends in part upon the use of a "Public Suffix List." A "Public
Suffix" is one under which Internet users can directly register names. Some
examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. A "Public Suffix
List" is a list of all known public suffixes. SecurityGateway uses the one
maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/.
A copy of this list is installed into your \App\ folder as effective_tld_names.dat.
There is currently no comprehensive or single authoritative source for such a list
which is an issue the Internet community should address. Over time this file will
grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat
and saving it to your \App\ folder. SecurityGateway will periodically and automatically
download and install this file as part of the daily maintenance event approximately
once every two weeks. Various controls to govern this can be found on the
new DMARC configuration screens. The DMARC log and the new DMARC window within
the Security tab inside the main UI will contain the results of the update and all
other DMARC processing operations. You can set a different file download URL
if needed but the data downloaded must conform to the format specified by Mozilla
for their file. You can read about this at the URL mentioned above. SecurityGateway
strictly follows the parsing algorithm specified by Mozilla. Create a (possibly
empty) file called "PUBLICSUFFIX.SEM" and place it in SecurityGateway's
\App\ folder if you replace or edit the effective_tld_names.dat file yourself and
need SecurityGateway to reload it without a reboot.
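The step DMARC needs from the Public Suffix List is the "organizational domain" lookup: find the longest matching public suffix and keep one more label. The following is an added example, not SecurityGateway's parser; the rule excerpt is constructed in the format of effective_tld_names.dat (including a wildcard and an exception rule), and the matching implements the algorithm published at publicsuffix.org, which the notes say SecurityGateway follows strictly.

```python
"""Added example: organizational-domain lookup with Public Suffix List rules.
Not SecurityGateway code; the rule excerpt below is constructed."""

# Constructed excerpt in the effective_tld_names.dat format: one rule per line,
# '//' comments, '*.' wildcard rules and '!' exception rules.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
us
k12.ma.us
pvt.k12.ma.us
// a wildcard with an exception, as the list's own documentation illustrates
*.ck
!www.ck
// ===END ICANN DOMAINS===
"""


def load_rules(text):
    """Keep only rule lines; the format allows trailing text after whitespace."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


RULES = load_rules(PSL_EXCERPT)


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the domain's rightmost labels,
    with '*' matching any single label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix(domain, rules):
    labels = domain.lower().rstrip(".").split(".")
    matching = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        # an exception rule wins; the suffix is the rule minus its leftmost label
        n = len(exceptions[0].lstrip("!").split(".")) - 1
    elif matching:
        n = max(len(r.split(".")) for r in matching)  # longest rule wins
    else:
        n = 1  # no rule matched: the implicit '*' rule makes the TLD the suffix
    return ".".join(labels[-n:])


def organizational_domain(domain, rules):
    """Public suffix plus one label, or None when the domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    for name in ("mail.example.co.uk", "host.school.pvt.k12.ma.us", "www.ck"):
        print(name, "->", organizational_domain(name, RULES))
```

This is also why a stale effective_tld_names.dat matters: a suffix missing from the file makes two unrelated registrants under it look like one organizational domain, so DMARC alignment can be granted where it should not be.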
To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's
DNS setup. Information on how this record is defined and structured can be
found at http://www.dmarc.org. When you publish
a DMARC record to your DNS you may begin receiving DMARC reports from many different
sources via email. These reports are provided as a compressed XML file whose format
is governed by the DMARC specification. Consuming these reports is outside the scope
of SecurityGateway's DMARC implementation. However, the data within these reports
can provide important insight into a domain's mail flow, improper domain use,
DKIM signing integrity, and SPF message path accuracy/completeness. The addresses
to which these reports are sent are configured by you when you create your DMARC
When setting up a DMARC record for one or more of your domains take care with use
of p=reject. Take particular care if your domain provides email accounts for
general use by human users. If such users have signed up for any mailing lists,
make use of a mail forwarding service, or expect to use common things like "share
this article with a friend" you should know now that a DMARC p=reject policy
could make those things entirely impossible and if so you'll hear about it.
DMARC p=reject is perfectly appropriate and useful but only when it is applied to
domains that control how their email accounts are used (for example, transactional
mail, automated (i.e. non-human) accounts, or to enforce corporate policies against
use of the account outside organizational boundaries).
In order to support DMARC aggregate reporting SecurityGateway will store data which
it will need later in order to generate aggregate reports according to the DMARC
specification. SecurityGateway ignores the DMARC "ri=" tag and only produces
DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given
day. At midnight UTC (which is not necessarily midnight local time) SecurityGateway
consumes this stored data to generate the reports. SecurityGateway needs to be running
at this time or the stored data could grow and grow and never be consumed. Therefore,
if you do not run your SecurityGateway 24/7 you should not enable DMARC aggregate
reporting. DMARC aggregate reporting is disabled by default.
In order to support DMARC failure reporting RFC 5965 "An Extensible Format
for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting
Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF)
Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651
"Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting",
and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have
been fully implemented. Failure reports are created in real-time as the incidents
which trigger them occur. SecurityGateway implements DMARC AFRF type failure
reports and not IODEF type reports. Therefore, only values of "afrf"
in the DMARC "rf=" tag are honored. See the DMARC specification
for complete details. Multiple failure reports can be generated from a single
message depending upon the number of recipients in the DMARC record's "ruf="
tag and upon the value of the "fo=" tag times the number of independent
authentication failures which were encountered by the message during processing.
When the DMARC "fo=" tag requests reporting of SPF related failures SecurityGateway
sends SPF failure reports according to RFC 6522. Therefore, that specification's
extensions must be present in the domain's SPF record. SPF failure reports
are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.
When the DMARC "fo=" tag requests reporting of DKIM related failures SecurityGateway
sends DKIM and ADSP failure reports according to RFC 6651. Therefore, that
specification's extensions must be present in the DKIM-Signature header field
and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid
ADSP extensions in the ADSP TXT record. DKIM and ADSP failure reports are
not sent independent of DMARC processing or in the absence of RFC 6651 extensions.
See the various specifications referenced herein for complete details. DMARC
failure reporting is disabled by default.
Important Note: A DMARC record can specify that reports should be sent to
an intermediary operating on behalf of the domain owner. This is done when the domain
owner contracts with an entity to monitor mail streams for abuse and performance
issues. Receipt by third parties of such data may or may not be permitted by your
review and understand if your own internal policies constrain the use and transmission
of DMARC reporting and if so you should disable DMARC reporting as appropriate.
DMARC requires the use of STARTTLS whenever it is offered by report receivers, although
there is no way to predict or police this. You should enable STARTTLS
if you haven't already (see Setup | System | Encryption).
The Authentication-Results header has been extended to include DMARC processing
results. Note that Authentication-Results includes some data in comments for debugging
purposes including the DMARC policy requested by the domain owner which is not necessarily
the action taken on the message. For example, when the result of a DMARC check is
"pass" it does not matter what the DMARC policy states as policy is only
applied to DMARC checks which "fail". Similarly, when the result of a
DMARC check is "fail" and the policy is "reject" the message
may be accepted anyway for local policy reasons. Use of this header for filtering
should take all this into account. Alternatively, filter for "X-SGDMARC-Fail-policy:
quarantine" or "X-SGDMARC-Fail-policy: reject" to filter these messages
into spam folders or whatever you want to do. SecurityGateway strips out the
"X-SGDMARC-Fail-policy:" header from every incoming message.
Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header
or they are not processed which basically means that the absence of a single (one
and only one) properly formed (according to RFC specifications) RFC5322 From field
renders the message invalid generally and therefore invalid for DMARC processing.
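Several of the DMARC behaviours described in prose above fit in one small piece of code: joining a TXT record's character-strings without inserting a space (the multi-line TXT defect fixed in 4.5.0 above), parsing the record's tags, mapping a failed check to the "X-SGDMARC-Fail-policy" header with the accept-despite-reject default, stripping any such header that arrived from outside, and the single-From-header precondition. This is an added example, not SecurityGateway's implementation; the TXT strings and header lines are constructed.

```python
"""Added example of the DMARC record handling described in these notes.
Not SecurityGateway code; TXT strings and header lines are constructed."""

# One TXT record as a resolver returns it: two character-strings, with the
# 'rua' tag split across them (constructed).
DMARC_TXT_STRINGS = ["v=DMARC1; p=reject; rua=mailto:dmarc@exa",
                     "mple.test; fo=1; rf=afrf"]

FAIL_HEADER = "X-SGDMARC-Fail-policy"


def join_txt_strings(strings):
    """Concatenate the character-strings of a TXT record with no separator
    (RFC 7208 section 3.3 for SPF; DMARC records are read the same way).
    Inserting a space here is exactly the defect fixed in 4.5.0."""
    return "".join(strings)


def parse_dmarc_record(txt):
    """Split 'tag=value' pairs on ';'. Returns None unless the record is v=DMARC1.
    A missing p= tag is treated as 'none' so callers always get a policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("p", "none")
    return tags


def dmarc_disposition(result, record, accept_despite_reject=True):
    """Map a DMARC check result ('pass'/'fail') and the parsed record to
    (action, header_line). accept_despite_reject=True mirrors the default the
    notes describe: the message is accepted and only tagged with the header."""
    if result != "fail" or record is None:
        return "accept", None
    policy = record["p"].lower()
    if policy == "quarantine":
        return "accept", f"{FAIL_HEADER}: quarantine"
    if policy == "reject":
        if accept_despite_reject:
            return "accept", f"{FAIL_HEADER}: reject"
        return "reject", None
    return "accept", None  # 'none' or an unrecognised value: no action


def apply_fail_header(header_lines, header_line):
    """Drop any X-SGDMARC-Fail-policy header that arrived with the message, so
    an outside sender cannot pre-set it, then append the locally decided one."""
    prefix = FAIL_HEADER.lower() + ":"
    kept = [h for h in header_lines if not h.lower().startswith(prefix)]
    if header_line:
        kept.append(header_line)
    return kept


def has_single_from(header_lines):
    """DMARC only processes a message carrying exactly one From: header field."""
    return sum(1 for h in header_lines if h.lower().startswith("from:")) == 1


if __name__ == "__main__":
    record = parse_dmarc_record(join_txt_strings(DMARC_TXT_STRINGS))
    print(record)
    print(dmarc_disposition("fail", record))
```

Running `parse_dmarc_record` on `" ".join(DMARC_TXT_STRINGS)` instead shows the pre-4.5.0 failure mode: the `rua` value becomes `mailto:dmarc@exa mple.test`, and a policy element split the same way would fail to parse.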
Several new screens have been added at Security | Anti-Spoofing where you can set
various options related to DMARC use.
DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the
verified identities that those two mechanisms provide. You can't make
productive use of DMARC for inbound mail without one or both of those technologies
enabled. The UI will try to enforce this.
 Bind Domain to an IP address
For servers that have multiple IP addresses assigned, each domain may be bound
to a specific IP address. Mail from the domain will be sent from this IP address.
An SMTP Hostname may also be specified for the domain. This value is the Fully Qualified
Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending
mail for the domain. For incoming connections, this value will be used unless multiple
domains are bound to the IP address, in which case the FQDN used will be the one
that is associated with the domain that is first in alphabetical order.
CHANGES AND NEW FEATURES
-  Updated ClamAV engine to version 0.99.2
-  Updated to version 8.00.0122 of the Cyren Outbreak Protection SDK
-  All support for the original DomainKeys message authentication system has
been removed. DomainKeys is obsolete and has been replaced by the acceptance
and adoption of DKIM which SecurityGateway continues to support. Some web
interface dialogs related to DomainKeys and DKIM found within Security | Anti-Spoofing
have been reorganized as a result and options related to DomainKeys removed and
the remaining options better consolidated. The install process will remove
-  All support for Sender-ID has been removed. This technology never
caught on and is obsolete.
-  All references to "company.mail" have been changed to "company.test"
to comply with RFC 6761
-  Updated the look of the quarantine report emails to match the new SG GUI
-  Added check boxes to lists that allow the selecting of multiple list items
-  Added an option to decide when to display the charts on the Main and My
Account landing pages to Main -> My Account -> Settings and to Setup / Users
-> Account -> User Options. The 4 choices are "Automatic" (default),
"Always", "Manual", and "Never".
-  Added X-Frame-Options: SAMEORIGIN header to HTTP responses
-  Added X-XSS-Protection: 1 header to HTTP responses
-  The Free Disk Space Monitoring page has been changed to display values in
MB instead of KB. The default "low disk space value" (the value
below which SecurityGateway believes the disk is running low and starts complaining
about it) was changed from 10MB to 1000MB. Likewise, the "auto-shutoff
value" (the value below which SecurityGateway will disable mail services due
to critically low disk space) was changed from 1MB to 100MB. Please check
and change the values at Setup|System|Disk Space if they present a problem for you.
-  Added description for system service, when viewed from the services manager
-  The "... unless message is TO a local account" exclusion for the
"Only domain mail servers can send local mail" Relay Control option is
now disabled by default
-  Added the ability to filter the message log by sender IP using
CIDR notation, simply enter the CIDR pattern as the IP address in the filter
-  Removed the "Blacklist" link from the quarantine report email
by default. Added a "Confirm as Spam" link that will learn the message
as spam if Bayesian learning is disabled and delete the messages from the user's
quarantine. The "Blacklist" link can be restored via an option in
Setup | Mail Configuration | Quarantine Options.
-  fix to Host, Addresses Blacklist and Address Whitelist dialogs are cut off
at bottom when using Firefox
-  fix to outbound SMTP session hangs if server returns that it supports AUTH
but lists no AUTH methods
-  fix to message that contains embedded NULL characters is corrupted
-  fix to message collected from remote POP accounts may be discarded if case
does not match
-  fix to if quarantine_report.xsl is found custom_admin_quarantine_report.xsl
is also assumed to exist
-  fix to cannot change a local admin to an external admin
-  fix to cannot edit an external administrator
-  fix to DKIM will not sign messages if the sender's domain name specified
in the SMTP session contains upper case letters
-  fix to Message Log "Subject Starts With" search condition returns
no results when using "NOT"
-  fix to Security->Anti-Spam->Greylisting unable to click "Exclude
messages from domain mail servers"
-  fix to Unable to "Delete All" quarantined messages when using
a filter with a date range set
-  fix to subject tag based upon the message's score is not added if the
message is also quarantined due to its score
-  fix to no result feedback message is displayed after using the Spam/Not
Spam toolbar buttons from the Quarantined (Admin) view.
-  fix to the sending of Administrative Quarantine reports is not logged to
-  fix to mouse cursor is not changed to a pointer when hovering over enabled
paging bar icons that can be clicked
-  fix to no VBR certifiers are trusted when multiple values are specified
for "Host name(s) of certification services that I trust"
-  SPF verifier ignoring CIDR pattern for A and MX policies
-  fix to Outbreak Protection queries may fail with "Unable to comply
with the request because you are not licensed for the antispam or VOD service"
after registration key is updated until SecurityGateway service is restarted
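The message-log filter by sender IP in CIDR notation, added in 4.0.0 above, comes down to parsing the pattern as a network and testing each line's sender address for membership. Below is an added example, not SecurityGateway's code; the log lines are constructed in a loose "date time ip sender recipient result" layout rather than the product's real log format.

```python
"""Added example: filtering message-log lines by sender IP with a CIDR pattern.
Not SecurityGateway code; the log lines are constructed and the layout is assumed."""
import ipaddress

LOG_LINES = [
    "2017-04-04 10:01:02 192.0.2.17 alice@example.test bob@example.test Delivered",
    "2017-04-04 10:02:11 198.51.100.5 spam@bad.example bob@example.test Quarantined",
    "2017-04-04 10:03:45 192.0.2.200 carol@example.test dave@other.example Delivered",
    "2017-04-04 10:04:09 2001:db8::25 erin@example.test bob@example.test Delivered",
    "2017-04-04 10:05:00 not-an-ip mallory@bad.example bob@example.test Refused",
]


def sender_ip(line):
    """Return the sender IP from a log line, or None if the field is not an address."""
    fields = line.split()
    try:
        return ipaddress.ip_address(fields[2])
    except (IndexError, ValueError):
        return None


def filter_by_cidr(lines, pattern):
    """Keep the lines whose sender IP falls inside `pattern`. A bare address such
    as 192.0.2.17 works too, since ip_network treats it as a /32 (or /128).
    Addresses of the other IP version are never members, so mixed logs are safe."""
    network = ipaddress.ip_network(pattern, strict=False)
    matched = []
    for line in lines:
        ip = sender_ip(line)
        if ip is not None and ip in network:
            matched.append(line)
    return matched


if __name__ == "__main__":
    for line in filter_by_cidr(LOG_LINES, "192.0.2.0/24"):
        print(line)
```

`strict=False` lets an operator type a host address with a mask, such as 192.0.2.17/24, and still get the /24 instead of an error.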