SecurityGateway for Email Servers Release Notes

SecurityGateway for Email Servers v9.0 Release Notes

Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

Click here to learn more about SecurityGateway for Email Servers

SecurityGateway 9.0.3 - July 5, 2023

SPECIAL CONSIDERATIONS

[26983] Outbreak Protection has been restored.

FIXES

[27025] fix to NDR messages expose full path names
[27016] fix to Account Hijack Detection: No action is taken when the defined threshold is reached
[27017] fix to Account Hijack Detection: "Include non-authenticated sessions from a domain mail server" can be selected with Account Hijack Detection disabled
[27041] fix to the "Setup | HTTP Server | Redirect HTTP requests to HTTPS" option is always displayed as disabled in the web interface

SecurityGateway 9.0.2 - April 18, 2023

SPECIAL CONSIDERATIONS

[26751] Cyren Anti-Virus has been replaced with IKARUS Anti-Virus. Cyren recently announced its plans to discontinue operations with little warning. This necessitated the need for us to find a new anti-virus partner. After a thorough evaluation, IKARUS stood out for its excellent detection rate and speed. The IKARUS Anti-Virus automatically updates its definitions every 10 minutes.
[26803] Cyren Outbreak Protection been removed. Cyren recently announced its plans to discontinue operations with little warning. We are actively researching and considering viable antispam technologies as suitable additions to the existing antispam mechanisms found in our software products.

CHANGES AND NEW FEATURES

[25284] A new option has been added to enable Account Hijack Detection for SMTP sessions received from a Domain Mail Server, regardless of whether the session is authenticated.
[26740] Updated ClamAV to version 0.105.2.
[22520] Changed the default search comparator when searching a Blocklist/Allowlist from the web interface from "equal to" to "contains"
[26760] LetsEncrypt: Updating script to check orders that are ready or valid

FIXES

[26724] fix to secure message recipients may be deleted when a User Verification Source is created or modified
[23728] fix to "AlertOLE2Macros " option is not enabled in clamd.conf
[26720] fix to DNS queries do not use the Windows client-side DNS cache as the DNS_QUERY_BYPASS_CACHE flag is always set
[18264] fix to bugs in generation of received header
[26513] fix to generated received header has "S" added in the wrong place when received via a secure connection
[26663] fix to unable to edit the text of a content filter rule condition string by double-clicking on it in the list
[26745] fix to process may terminate after receiving an improperly formatted HTTP request if the operating system's non-Unicode character set is not Windows-1252
[26725] fix to updating SecurityGateway from the web interface fails, but the interface immediately displays that the installation was successful
[26752] fix to process terminates when viewing the list of SSL certificates from Setup | System | Encryption if an installed certificate has an alternative name that is a registered object identifier (OID)
[26719] fix to whitelist/blacklist links in the message transcript (details tab) do not switch to the correct page after loading the appropriate list
[26775] fix to unable to save changes made to "SGSpamD Configuration" settings
[26774] fix to sgperf.dll may not be replaced during upgrade. This can result in the performance counter data being incorrect.
[4734] fix to domain mail server not being exempted from HELO DNS Lookup
[26773] fix to with Firefox no vertical scrollbar is shown in the Help | About dialog
[26767] fix to unable to add IPv6 address in CIDR format to whitelist or blacklist
[26810] fix to users cannot log in to the web interface when the "Require users to enable Two-Factor Authentication" user option is enabled, and the user has not yet set up Two-Factor Authentication

SecurityGateway 9.0.1 - January 31, 2023

CHANGES AND NEW FEATURES

[26613] Added a warning on the login page when caps lock is turned on
[26643] Updated Outbreak Protection SDK to version 8.5.7-2212280909
[26644] The version number of the Outbreak Protection SDK is now logged to the System log file at startup
[26635] Added Bad Messages queue to the queues section of the global administrator dashboard page
[26628] Removed legacy SpamAssassin update heuristic rule updates from http://files.altn.com/securitygateway/updates/spamassassin/. This mechanism has not been utilized in many years. SA-Update will continue to provide SpamAssassin rule updates.

FIXES

[26623] fix to process may crash when taking an action that causes a sieve script to be edited
[26624] fix to domain administrators are not able to view the domain list
[26621] fix to the message log, remote queue, and quarantine views will not load when the web interface language is French or Italian
[26641] fix to Cyren ThreatLookup not using proxy settings
[26650] fix to Attachment Text Extraction Fails - FilterHost.exe will not start (Exception 0xc0000135)
[26667] fix to Cryen AV scanning errors when scanning certain Microsoft Office documents. This was resolved by reverting to version 6.5.2r2 of the Cyren AV SDK.
[26669] fix to Russian Language - Unable to view Security | Anti-Spoofing | From Header Modification
[26611] fix to error "Form field [QueryDefaultUVSExternalAliases] not found" displayed when attempting to save User Verification Source Options
[26680] fix to unable to restore database backup file from within the web interface
[26686] fix to Disabling the Setup | Users | User Verification Sources | Options "Flag users for re-verification after X hours" option has no effect
[26687] fix to unable to save domain that has "domain aliases" defined

SecurityGateway 9.0.0 - January 10, 2023

SPECIAL CONSIDERATIONS

[25882] By default, mailbox names that contain a plus character (+) will now be considered to be subaddressed. The user verification process will consider the subaddress to be an alias. For example, user+folder@example.com will resolve as user@example.com and an alias where user+folder@example.com = user@example.com. New users for which the mailbox name contains a plus character cannot be created. Existing users for which the mailbox name contains a plus character are not automatically removed. They can be fixed up (renamed or merged) by running the Setup | Accounts | User Verification Sources | Verify Users process. An option to restore the previous behavior "Allow user mailbox name to contain plus (+) character" has been added to Setup | Accounts | User Options. When enabled, these mailbox names will not be considered aliases/sub-addresses. For example, user+folder@example.com will be considered its own user and not an alias of user@example.com.

MAJOR NEW FEATURES

From Header Screening
- [24420] New options have been added (Security | Anti-Spoofing | From Header Screening) to help expose fraudulent (spoofed) from headers sent from spammers that could potentially trick users into believing a message was submitted from a legitimate source.
Web Interface Usability Enhancements
- [13473] Added the ability to include up to four additional search header patterns, results, and reasons on message pages. Header patterns can be separated by AND/OR using a button toggle. Results and Reasons are always separated by OR
- [4152] Added basic search to Setup/Users | Accounts | Domains and Users
- [25743] Added the ability to resize, move, or maximize pop up windows
- [26055] Added a mobile friendly list editor
- [25119] Changed the Search dialog toggle feature to use a "Show/Hide" search paradigm and an additional Cancel Search button in the main toolbar.
- [21150] Added Previous/Next buttons to the archived message view
- [21291] Added a "Message(s) Restored" status message to the bottom right hand corner of the Search Archive pages
Administrative Dashboard Page Improvements
- [1073] Added display of available disk space for global admins on the dashboard page, and Setup/Users | System | Disk Space
- [4622] Added count of active SMTP inbound and outbound sessions to the dashboard page
- [4622] Added count of messages in administrative quarantine queue to the dashboard page for global administrators
- [4622] Added count of messages in any user quarantine queue to the dashboard page for global administrators
- [26183] Added ability to freeze the inbound and remote delivery queues
[16162] Added option to include an HTTP Strict Transport Security (HSTS) header to HTTPS responses to Setup | System | HTTP Server. This option is enabled by default. When a browser that supports HSTS receives an HSTS header and the SSL certificate is valid, and any future HTTP requests made to the same domain will be automatically upgraded to HTTPS.
[25874] SecurityGateway now supports TLS 1.3 on newer versions of Windows. Windows Server 2022 and Windows 11 have TLS 1.3 enabled by default. Windows 10 versions 2004 (OS Build 19041) and newer have experimental TLS 1.3 support that can be enabled for inbound connections by setting the following in the registry:
```
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
                DisabledByDefault (DWORD) = 0
                Enabled (DWORD) = 1
```
[26075][23613] Extracting plain text from attachments now occurs in a separate process (filterhost.exe). This prevents a hung iFilter .dll from impacting the SecurityGateway process.
[26348] Added "Referrer-Policy" and "Content-Security-Policy" HTTP headers
[26325] Updated ClamAV to version 0.105.1
[26477] Updated Cyren Outbreak Protection engine to version 8.2.0.10
[5098] Added proxy support to Cyren AV updater, Cyren CloudAssist, and software update checks/downloads.
[25197] Added an option to allow users to view their messages listed in the quarantine report. Global Admins can enable it at Setup/Users | Mail Configuration | Quarantine Configuration or Main My Account | Settings.
[21166] Added a confirmation prompt when clicking on options in a quarantine report email
[25544] Added an option to disable remember me on the current device/browser at Main -> My Account -> Settings and Settings for secure message users.
[25992] Added a setting to Setup/Users | Secure Messaging | Recipient Options to allow admins to include contact information or a contact link on the sign-in page.
[25994] Added a setting to Setup/Users | Accounts | User Options to allow admins to include contact information or a contact link on the sign-in page.
[1472] Added a "Save and Test" button to the User Verification Source editor.
[26167] Added a CSRFToken to the sign-in page
[26166] Added a secondary session ID to web interface URLs to mitigate CSRF attacks
[26168] Added a public/private key verification method as part of the Remember Me feature
[25538] Updated the secure message notification emails with styles and slightly different language.
[26074] Reduced number of database transactions. This helps prevent the database from growing in size.
[23493] The VBR certification host "vbr.emailcertifcation.org" has been deprecated and removed from VBR settings.
[26281] Made the Change Password page have the Change Password button disabled until the passwords are valid.
[26324] Added an option "Only delete messages from active archive stores" to Setup | Archiving | Compliance that controls if the "Automatically delete archived messages older than X days(s)" option only applies to active archive stores. This option is enabled by default. When enabled, the behavior is unchanged from previous versions.
[26252] SMTP socket connection is now disconnected for SIEVE actions "error" or "reject" if they occur during the IP phase.
[26251] At startup, locked messages in the inbound queue are now moved to the CrashDumps\InboundQueue directory. Messages in the inbound queue are unlocked when a response is sent to the sender. Locked messages may be orphaned in the inbound queue if the SecurityGateway process crashes or is terminated before it has a chance to shut down. Since the sender did not receive a response to the SMTP DATA command, they should send the message again. Delivering the message may result in the recipient receiving multiple copies. However, the content of these messages may be helpful for debugging crashes. Any messages moved to this directory are automatically deleted after 30 days.
[25712] LetsEncrypt - Changed the Log function to use add-content instead of out-file. Add-content uses the default system code page which should enable the log file to be viewed in SecurityGateway. No change will be made to the encoding of the log file until a new log file is created.
[25713] LetsEncrypt - Updated the script to work with PS 7.

FIXES

[25997] LetsEncrypt - Fix references to variable that was not being set
[26288] fix to "aspmx.l.google.com" is not considered a Google Workspace (AKA GSuite) domain mail server
[26308] fix to ClamAV doesn't run on Windows 2008 R2
[26199] fix to Performance Monitor - Inbound Queue Messages only displays 0 or 1
[26378] fix to Automatic Domain Creation adds an account that already exists as an external administrator
[26374] fix to local global admin account is deleted after changing the password via the Administrators list
[26443] fix to when used as a URIBL host Spamhaus SBL return codes "Query via public/open resolver (127.255.255.254)" and "Excessive number of queries (127.255.255.255)" are mistakenly considered as a "LISTED" response
[23613] fix to "Error loading ifilter for file" errors when scanning messages with certain file types in sieve scripts
[26571] fix to unable to add IP to a whitelist or blacklist where a wildcard character spans multiple octets, i.e. 192.168.*
[26572] fix to SMTP Call Forward User Verification Source fails server does not advertise support for AUTH until after STARTTLS
[26500] fix to when logging in with a space in front of the email address, a new account may be created containing the space if the user verification source returns a positive result
[26585] fix to User Verification Source: maximum length of the search filter field may be too short. The maximum length has been increased from 256 characters to 1024 characters.