SecurityGateway for Email Servers v10.5 Release Notes

SecurityGateway 10.5.3 - February 11, 2025

FIXES

• [27443] fix to after restarting the SecurityGateway system service, the Global Administrator and Domain Administrator flags swapped for active HTTP sessions until they time out.
• [27908] fix to DMARC alignment check performed even when no DMARC policy is found in DNS
• [28199] fix to the DMS check for a Microsoft 365 or Google Workspace server needs to be performed again after a RSET command
• [28426] fix to when editing an existing Global Administrator from the user list, the "Domain Administrator" option is selected
• [28415] fix to crash when Data Leak Protection | Medical Terms detection is enabled and a match is made
• [28452] fix to when the web administrator domain is configured as a subdomain, the "Remember Me" option for login or two-factor authentication may not work. This could prevent users from logging in if additional cookies are set for the parent domain.
• [28456] fix to Archiving - Message sent to journaling address is repeatedly added to the message log if archiving is disabled for the recipient or sender of the attached message.
• [28360] fix to SG Cluster nodes may incorrectly display a status of "Offline" when they are actually online.
• [28330] fix to change log shows LDAPRootPass in plain text
• [28491] fix to ARC verification does not prevent DMARC punitive action

SecurityGateway 10.5.2 - November 19, 2024

CHANGES AND NEW FEATURES

• [28192] Multiple threads are now used when sending messages to remote destinations

FIXES

• [28198] fix to if a Microsoft 365 or Google Workspace server sends a RSET command before the MAIL FROM command, it will not be detected as a domain mail server.
• [28212] fix to domain administrators receiving an 'Access Denied' error when attempting to access various settings pages.
• [28226] fix to WebAuthn: Unable to register a new passkey for primary or two factor authentication
• [28228] fix to WebAuthn: The "userVerification": "required" parameter is not being added to authentication challenges. This prevents users from authenticating with a passkey in Google Password Manager on desktop via Chrome unless a biometric device is available.
• [28227] fix to DMARC aggregate reports are not sent
• [28286] fix to clean installation does not create default host blocklist entries
• [27784] fix to message transcript not changing entry ID to link for attachment filtering allowlist matches
• [27780] fix to AV plugin being loaded multiple times if the directory has been copied. This can occur if the administrator copied the plugin directory to create a backup. The AV plugins are now only loaded from the known locations: ../plugins/clamav and ../plugins/ikarus.
• [27684] fix to URIBL: If the DNS lookup for a URI's domain does not return any results, the IP address of the last queried domain may be used
• [28317] fix to unable to create custom dashboard reports if the database is not in Firebird 3 format (ODS 12). This may be an issue for customers who first installed SecurityGateway prior to version 7.0.0 when support for Firebird 3 was introduced.
• [28315] fix to Message-ID header format is incorrect for DMARC reports
• [28311] fix to HTML disclaimer adding HTML markup code into plain text emails

SecurityGateway 10.5.1 - October 17, 2024

FIXES

• [28191] fix to crash with specific SPF sender domain/host values
• [28193] fix to error in System Log file "Unable to DKIM sign system generated message: Unable to get selector from database"

SecurityGateway 10.5.0 - October 15, 2024

SPECIAL CONSIDERATIONS

• [28099] Microsoft Internet Explorer is longer supported for accessing the Administration Console. Please use the latest version of Microsoft Edge, Firefox, Chrome, Safari, or a modern mobile browser.

MAJOR NEW FEATURES

• [25142] Added a "Quarantine Administrator" role.

  This role allows a user to be configured to manage and optionally view messages in the user quarantine queue without being allowed to change any settings.

• [27273] ARC (Authenticated Received Chain) - RFC 8617

  ARC is an email authentication protocol that allows intermediate mail servers to digitally sign a message's authentication results. When a downstream mail server performs DMARC verification and detects that SPF or DKIM have failed (due to forwarding or mailing list modifications, for instance), it can review ARC results from a trusted server to determine whether to accept the message.

  ARC verification can be configured under Security | Anti-Spoofing | DMARC Verification and is enabled by default. Trusted ARC Sealers are domains whose ARC results are trusted. ARC results from non-trusted domains will be ignored during DMARC verification.

  ARC signing can be enabled under Security | Anti-Spoofing | DKIM Signing. Messages that are not from a local domain are eligible for ARC signing. ARC signing is disabled by default.

• [27243] Feature/Settings Search Field Added

  A search field has been added to the top of the user interface, allowing users to quickly locate specific features and settings. This functionality is available to administrators and users, but excludes Secure Messaging recipients.

• [592] Improved DKIM selector management

  Added support for shared/global selectors that can be used across multiple domains.

  DKIM signing can now be globally enabled by selecting a shared/global selector as the default. This requires creating a DNS record pointing to the selector’s public key for each domain.

  Introduced the ability to import and export selectors.

• [27119] Location Data Enhancements

  The country and continent of the sender's IP address are now stored in the database. These fields can be displayed as optional columns in the Message Log and used as search criteria when querying the Message Log.

  New reports introduced: Summary | Junk Email - Top Countries, Inbound Email | Top Countries, Anti-Spam | Top Countries

  Location data can be utilized when creating Custom Dashboard Reports.

CHANGES AND NEW FEATURES

• [4720] Added connection IP address as an available column to message log
• [27885] LetsEncrypt will change the HTTP host name and AlternateHostNames to use all lower case characters.
• [27803] Added an option to Custom Dashboard Reports to "Show the top X number of Y property"
• [27153] Added default values for Host Block list ("localhost", "friend", "user", "ylmf-pc", "-*", "*_*", "#.#.#.#", "*.invalid", "*/*", "*|*").  These hostnames are commonly associated with botnets.
• [18878] SPF Check Behavior Update: When the reverse-path (MAIL FROM) is null, the SPF check will now use the EHLO/HELO domain value for verification, provided it is a valid domain.

FIXES

• [26101] fix to SPF lookup fails to find a nested INCLUDE SPF record
• [19166] fix to SPF record containing an unknown mechanism does not return a permanent error
• [27936] fix to unable to save user options when enabling the option to show administrator contact info
• [28090] fix to list column resize does not work correctly after hiding the first column
• [27993] fix to when the "User Verification Sources | Options | Flag users for re-verification after X hours" option is enabled, re-verification is not triggered after the set number of hours when the user sends or receives mail
• [28136] fix to message header modifications are not made when message is redirected
• [28137] fix to when a client sends an EHLO/HELO command containing a literal IP address, the open and closing brackets are stripped from the EHLO/HELO string before it is evaluated against the host blocklist or allowlist. As a result, an EHLO string such as [192.168.1.100] will match a host blocklist entry formatted as #.#.#.#.
• [24988] fix to redirected messages are not archived
• [28151] fix to From Header Screening may truncate the modified header value