SecurityGateway for Email v12.5 Release Notes

SecurityGateway 12.5.0b

CAMBIOS Y NUEVAS FUNCIONALIDADES

• [29574] Added a domain administrator permission for managing a domain's maximum user limit.

  Global administrators can now allow selected domain administrators to edit the Max Users value for their domains. Domain administrators cannot lower the limit below the domain's current user count. An operator setting can require domain administrators to set a user limit when creating new domains and, when enabled, also prevents them from removing a domain's existing user limit. An optional confirmation, disabled by default, warns domain administrators that increasing the user limit may affect billing. These domain administrator billing options are available under Setup / Users > Accounts > Administrators > Options.

• [29576] Added domain administrator warning emails when a domain approaches its maximum user limit.

  SecurityGateway now notifies the affected domain's administrators when the domain reaches 75%, 90%, or 100% of its configured Max Users limit. Administrators can turn these notices on or off from Setup > Users > Accounts > Administrators > Options.

• [29193] Modernized system-generated email messages and the quarantine action confirmation page.

  Quarantine reports, administrator alerts, secure message notifications, 2FA verification emails, low disk space warnings, and other system-generated messages now use a consistent branded email layout with clearer action buttons and improved mobile readability.

• [29156] Updated OpenSSL to version 3.6.3.

CORRECCIONES

• [29628] Updated the UnRAR library used for RAR archive extraction to address security vulnerabilities in older UnRAR versions.
• [29587] Fixed a SecurityGateway crash when a delivery failure notice attempted to attach an oversized original message. Delivery failure notices now include only the original message headers when the original message exceeds 50 MB, or a lower configured limit.
• [25568] Fixed system-generated messages, such as secure message notifications, matching several SpamAssassin rules. These messages now include a plain text alternative to the HTML body, and the To header address is enclosed in angle brackets.
• [28112] Fixed the SMTP Authentication Required and Authentication Mismatch filters running after the Invalid Sender check on upgraded installations, which could still reveal valid mailbox names through different SMTP responses.
• (beta only) [29625] Fixed user allowlist and blocklist changes not taking effect immediately during SMTP processing.
• (beta only) [29622] Fixed log files opened from the All Logs list showing the Current IKARUS AV Update Log breadcrumb and submenu highlight.
• (beta only) [29611] Fixed quarantine reports not rendering correctly in Outlook desktop clients
• (beta only) [29595] Attachment Disguise Protection may identify a GRP (MDaemon mailing list) file as a Powershell script

SecurityGateway 12.5.0a

CONSIDERACIONES ESPECIALES

• [29217] The default Host Screening blocklist now includes domain.

  Many spam bots send EHLO domain instead of a real hostname. This new default helps stop those connections earlier in the SMTP conversation. It is added automatically on new installations and during upgrades.

PRINCIPALES FUNCIONALIDADES NUEVAS

• [29180] Refreshed and modernized web interface

  The web interface has been updated with a cleaner layout, improved visual hierarchy, and a more polished overall look. The default light and dark themes have both been refreshed. Mobile browsers are better supported, particularly on the dashboard page. A new classic theme is available for users who prefer an experience closer to earlier versions.

• [29042] New REST API for automation and integration

  SecurityGateway now includes a standard, OpenAPI-described REST/JSON API that makes it easier to automate administration and connect the product to provisioning systems, identity platforms, and custom workflows.

  Manage core objects: The API supports users, domains, domain aliases, administrators, API keys, server/domain/user settings, allowlists, blocklists, mail servers, verification sources, DKIM selectors, archive stores, Sieve content-filter scripts, IP Shield entries, Dynamic Screening entries, and webhook subscriptions, plus read-only performance counters.

  Secure access with API keys: Administrators can create API keys from Settings > API Keys.

  Built-in documentation: Machine-readable OpenAPI documentation is available via the web server at /api/v1/openapi and can be imported directly into tools such as Postman. Generated HTML documentation is available on disk at /docs/api/api_openapi.htm or via the web server at /api_openapi.html.

  Compatibility note: The existing XML-RPC API remains available, but new automation should use the REST API. This is an initial release; more endpoints and capabilities will be added in future versions.

• [28787] Feature permissions for domain administrators

  Global administrators can now control which product areas each domain administrator may manage. Permissions are configured per administrator from the Edit Administrator dialog. A new Default Domain Administrator Permissions page under Setup/Users > Accounts > Default Administrator Permissions defines starting permissions for new domain admins and can apply those defaults to existing admins in bulk. Defaults can be overridden per domain.

  Read-only access: Domain admins without permission to manage a feature area retain read-only access to it for their domains. Archiving and RMail™ are the exception. Rather than dropping to read-only, their pages are hidden entirely from domain administrators who lack permission to manage them. This preserves their behavior prior to 12.5 and lets providers who don't offer these features keep them out of view for their domain admins.

  Delegation: The "Domain Admins (Delegation)" permission controls whether a domain administrator can create or manage other administrators for their domains. A domain admin cannot grant a permission they do not themselves hold.

  Upgrade behavior: All feature areas available to domain administrators prior to this version remain enabled by default for existing domain admins after upgrading.

• [29266] Dynamic Screening enhancements for authentication failure tracking

  Dynamic Screening has been extended with additional controls for how failed authentication attempts are tracked and blocked. Configure under Security > Anti-Abuse > Dynamic Screening.

  Flexible timing: Block durations and tracking windows can now be set in minutes, hours, or days.

  Escalating block duration: A repeat-offense multiplier can extend block duration on subsequent violations without changing the base rule.

  Subnet-level blocking: Optional CIDR aggregation blocks a wider network range when attacks originate from many nearby IP addresses.

  Duplicate failure suppression: Failures that repeat the same password can be excluded from the failure count, reducing unnecessary blocking from cached credentials while still counting distinct failures.

• [26290] Google Workspace API supported as user verification source

  Domains using Google Workspace can now verify local users through the Google Workspace API instead of SMTP callbacks. The integration resolves aliases and uses a Google Cloud service account and OAuth 2.0. Configure under Setup > Verification Sources.

• [1710] Attachment filtering by content type

  Attachment Filtering rules can now match on detected file type in addition to, or instead of, file extension. Configure under Security > Filtering > Attachments.

• [29394] Attachment Disguise Protection

  SecurityGateway can now detect attachments whose actual file type does not match their file extension (for example, an executable renamed to .pdf). Mismatched attachments can be refused, quarantined, or accepted, with optional subject tagging and score adjustment. Configure under Security > Filtering > Attachment Disguise.

CAMBIOS Y NUEVAS FUNCIONALIDADES

• [29228] Changed startup behavior so the service can start when the database version is newer than the executable version, allowing version downgrades and rolling cluster upgrades. Going forward, database schema changes will be additive and backward compatible.
• [29406] Added optional DNS-based domain ownership verification. When the new Require domain ownership verification setting is enabled under Setup > Server > Domain Settings (off by default), newly created domains enter a pending state and do not accept mail until the owner publishes a TXT record at _sgverify.<domain> with the token shown on the domain edit page. Verification runs on demand from the domain edit page or POST /api/v1/domains/{id}/verify, and hourly in the background. A new domain.verified webhook event fires on success. Global administrators can skip verification per-domain when creating a domain.
• [29208] New installations now enable SSL/TLS and HTTPS by default with an auto-generated self-signed certificate. Replace it with a trusted certificate for production use.
• [29504] Domain administrators can now self-serve Domain Mail Servers and User Verification Sources for the domains they manage. New permissions Can Manage Domain Mail Servers and Can Manage Verification Sources let global admins delegate these areas without granting full control. Delegated admins can create, edit, delete, and assign mail servers or verification sources to their own domains; resources shared with a domain they don't administer are visible as read-only and Test still works. A new Created By column shows resource origin. Test runs asynchronously and shows the SMTP transcript in the dialog.
• [29380] Se añadieron comandos SGDBTool para la recuperación de bloqueo: sethttpport (cambiar el puerto HTTP), disablehttpsredirect (desactivar la redirección HTTPS), disabletfa (desactivar la autenticación de dos factores para un usuario) y disablerequiretfa (desactivar el requisito de TFA globalmente o por dominio).
• [29292] SGDBTool createadmin and resetadmin no longer hard-code the administrator name and password. The email address and password may now be specified on the command line, or entered interactively when omitted.
• [29245] Added PROXY protocol support (v1 and v2) so SecurityGateway can run behind HAProxy and similar load balancers while still receiving the original client IP address and SNI hostname. Configure under Setup > System > PROXY Protocol.
• [27530] Added SNI-based domain identification for SMTP connections so the correct domain can be identified earlier in the session and its SMTP hostname can be used immediately after STARTTLS. See also [27489].
• [27489] Domain SMTP hostnames can now be configured without requiring IP binding. Hostname fields are now grouped under a Hostnames section on the domain properties tab.
• [23581] Added DNSSEC support for outbound SMTP delivery. When DNS validation is available, DNSSEC-signed domains can satisfy REQUIRETLS without needing MTA-STS.
• [28327] SMTP now rejects MAIL FROM and RCPT TO addresses longer than 254 characters instead of silently truncating them.
• [29171] Added an option to limit the size of messages attached to delivery failure notifications. If the original message is too large, only headers are attached.
• [23803] Archived messages can now still be viewed from Message Log after routine maintenance purges the message body from the primary database. This applies to messages archived from this version forward.
• [26248] Ahora se pueden personalizar las configuraciones del informe de cuarentena administrativa para cada dominio. La nueva página de Configuración de Cuarentena Administrativa admite excepciones independientes por dominio.
• [29202] Quarantine report links now take users to the correct page after login. "View All Quarantined Messages" opens quarantine, and "Manage Preferences" opens quarantine options.
• [29547] Improved bad archive queue notifications by showing the web interface path Archiving > Failed Messages, and linking directly to that view after login.
• [4576] User allowlist and blocklist pages now show when each entry was added, support column sorting, and can automatically purge entries created by outbound auto-exempt after a configurable retention period. New installations enable a 90-day default. The combined Blocklist/Allowlist Configuration page has been split into separate pages; allowlist auto-purge settings now live under Security > Allowlists > Configuration, with per-domain overrides correctly honored.
• [15630] Content Filter and DLP transcripts now show which address or envelope condition matched, making rule troubleshooting easier.
• [17768] Upgraded the content-filter regex engine from PCRE 8 to PCRE2 with JIT compilation and a compiled-pattern cache, reducing CPU use for regex-heavy Content Filter and DLP rules.
• [4664] Added audit logging for bulk domain and account imports, including summary results in the system log and individual change-log entries for imported users and domains.
• [16159] Added a Notes field to domain properties for documenting domain-specific information in the web UI, REST API, and XML-RPC API.
• [29373] Added a global default theme with per-domain override so administrators can choose the default UI theme for users. The login page also follows this setting unless a user has already chosen a personal theme.
• [29544] Improved the non-admin My Account navigation by hiding the redundant single-item Main top-level menu and renaming the account landing tab to Overview.
• [29338] LetsEncrypt: Updated the script to support multiple nodes in a cluster. This requires Windows Remote Management.
• [29345] LetsEncrypt: The script now ignores certificate errors by default.
• [29461] Updated the bundled Firebird database engine to version 5.0.4.
• [28933] Se actualizó SpamAssassin a la versión 4.0.2
• [29343] Se corrige que LetsEncrypt inserta espacios adicionales en la huella digital causando que la comparación falle

CORRECCIONES

• [28528] Fixed relayed messages (non-local sender and non-local recipient) being shown as Inbound in the message log. They are now classified as Outbound, while inbound mail rejected before RCPT keeps its Inbound classification.
• [17477] Fixed the Stop Delivery action for queued messages taking effect immediately with no confirmation prompt. Users are now asked to confirm before delivery is stopped.
• [29468] Improved performance when stopping delivery for a large remote queue. SecurityGateway now marks and removes affected queued messages in bulk, reducing cleanup time and database load.
• [29451] Fixed messages for invalid local recipients being accepted and queued for outbound relay when an external Firebird database became temporarily unreachable during an SMTP session.
• [29430] Se corrigió el problema de SMTP EmergencyCutoff que dejaba mensajes parciales y archivos de bloqueo en la cola de entrada cuando se abortaba una transferencia de DATA, lo que podría causar que esos archivos se movieran a Crashdumps\InboundQueue al reiniciar el servicio.
• [26771] Fixed SMTP/HTTP binding problems with compressed IPv6 notation and with mixed IPv4 and link-local IPv6 bindings.
• [29229] Fixed RCPT TO incorrectly accepting multiple comma-separated addresses instead of returning a syntax error.
• [28854] Fixed MAIL lookup checking only the domain's A record instead of also checking MX host IP addresses.
• [28536] Fixed BATV tags not being removed from the sender address in Message Log when a message was rejected for an invalid recipient.
• [28582] Se corrige que los mensajes salientes rechazados no aparecen en la lista de mensajes del remitente debido a que FROMUSERID no se establecía al registrar el rechazo
• [29207] Fixed NDR messages showing only the last line of multi-line SMTP error responses.
• [26034] Fixed long UTF-8 headers being encoded as one oversized RFC 2047 encoded word instead of being folded correctly.
• [27245] Fixed quarantine reports, password resets, secure message notifications, and 2FA emails using the wrong hostname in links. A new per-domain Host Name setting now controls the hostname used for login links.
• [29529] Se corrigió que las transcripciones de Verificación de Reenvío de Llamadas SMTP no aparecieran en el registro de sesión entrante. La conversación SMTP entre SecurityGateway y el servidor de correo remoto durante la verificación del destinatario ahora se incluye en la transcripción del registro.
• [29458] Se corrigió el problema de las conexiones de base de datos agrupadas de larga duración que no se recuperaban automáticamente cuando SecurityGateway no podía comunicarse temporalmente con una base de datos Firebird externa.
• [29261] Fixed failed authentication attempts not causing IP to be blocked when connecting from IPv6 address.
• [29399] Fixed failed authentication logs showing ACCOUNT: @domain.com instead of ACCOUNT:none when the account does not exist.
• [29508] Fixed administrators being able to accidentally downgrade or disable their own account via the web UI.
• [29591] Fixed domain administrators assigned to multiple domains seeing the wrong domain's address allowlist on the initial allowlist page load.
• [28455] Fixed external administrators receiving "Access Denied" when setting up two-factor authentication for the first time with the 2FA requirement enabled.
• [29050] Corrección para la expiración de la sesión que cerraba la sesión de los usuarios incluso cuando "Recordarme" estaba habilitado. Los usuarios con cookies de recordarme válidas ahora serán reautenticados automáticamente cuando su sesión expire.
• [25947] Fixed an external administrator being created with the same email address as an existing secure recipient, preventing the administrator from signing in with admin privileges.
• [21821] Fixed Location Screening not blocking connections when MaxMind geolocation returns only a continent (e.g., "Europe") with no specific country code.
• [21926] Fixed duplicate IP entries in Dynamic Screening when block occurs due to concurrent SMTP sessions.
• [27721] Fixed IP Shielding DATA event rejection error displaying the SMTP envelope sender instead of the From header domain.
• [29518] Fixed Passwordless Sign-In and Device Authentication credential registration failing with "Something went wrong while trying to register your credentials".
• [28637] Fixed URIBL spam score being incorrectly added to recipients who have spam filtering disabled in multi-recipient SMTP transactions.
• [28727] Fixed URIBL score being inflated when a message contains multiple subdomains of the same base domain.
• [29260] Corrección para que URIBL no consulte incorrectamente nombres de una sola etiqueta contra listas de bloqueo URI cuando el registro de depuración de URIBL está deshabilitado
• [29226] Fixed SpamAssassin scores being incorrectly applied to recipients who have spam filtering disabled in multi-recipient SMTP transactions.
• [29414] Fixed Bayesian classification being enabled in the UI but disabled in SpamAssassin's local.cf on clean installs, which caused sa-learn to fail.
• [17011] Fixed SPF recursive lookup errors not being logged when SPF evaluation exceeds RFC 7208 limits.
• [8610] Fixed SPF evaluation returning a result based on the first v=spf1 TXT record found when a domain publishes multiple SPF records. Per RFC 7208, multiple SPF records now correctly return PermError.
• [24488] Fixed DMARC aggregate reports having duplicate rows when there are multiple envelope from addresses with the same domain.
• [28566] Fixed DMARC verification ignoring exclusion settings such as domain mail servers and authenticated senders because the wrong configuration section was being read.
• [26072] Fixed DMARC tests running unnecessarily on messages collected through Remote POP when the sender IP address was not known.
• [27237] Fixed PTR lookup test only logging the first time it is executed in an SMTP session.
• [29471] Fixed HELO lookup test only logging the first time it is executed in an SMTP session.
• [29413] Fixed sgdbtool importselector reporting success but the imported DKIM selector not appearing in the web interface.
• [14008] Fixed multi-recipient messages having attachments stripped when one recipient matched a Content Filter discard rule.
• [26150] Fixed user-created Sieve scripts not respecting script order configured in the web interface.
• [26690] Fixed Sieve body :content matching to follow RFC 5173. It now matches the decoded body of selected MIME parts without text extraction or HTML-to-plaintext conversion. Rules that depended on the old plaintext behavior should use :text instead; :content can now match raw HTML content such as <script> redirects in attachments.
• [29365] Fixed Sieve greylist actions set during pre-RCPT phases (AUTH, IP, HELO, MAIL) not being carried into the RCPT phase.
• [29437] Fixed Content Filter and DLP "contains the word(s)" conditions not appearing when a saved rule was reopened in the rule editor, even though the words were still saved in the rule.
• [29442] Fixed Sieve :proximity allof() constraints being silently dropped when the first test was a regex or wildcard term, which could cause some content-filter rules to fire outside the configured character window. Logging now also distinguishes proximity anchor matches from matches that satisfy the proximity window.
• [29488] Fixed Sieve body :text :contains not matching messages that have no Content-Type header (bare RFC 2822 plaintext).
• [29410] Fixed Display Name Protection flagging a protected user as not authorized when sending from their own local account or one of its aliases. The verified MAIL FROM identity is now used to suppress the false positive; messages whose only match is in the From header continue to be flagged.
• [26659] Fixed domain-specific greylisting not excluding messages sent from domain mail servers.
• [28849] Fixed greylisting being incorrectly triggered when sending mail from a local domain with greylisting enabled to a local domain with greylisting disabled.
• [27811] Fixed Ikarus returning a "could not be scanned" status for documents containing macros, which caused messages to be quarantined instead of applying the configured virus action.
• [11048] Fixed allowlist and blocklist not matching senders whose email address contains a Backscatter Protection (BATV) code.
• [28825] Fixed IP blocklist/allowlist search not finding entries with CIDR notation.
• [29133] Fixed duplicate entries in block/allow lists not showing a warning message.
• [29335] Corrección para las exportaciones de la lista de permitidos y la lista de bloqueados que solo contienen encabezados de columna sin datos
• [29390] Corrección del problema del botón Atrás que no funcionaba después de hacer clic en Actualizar en el visor de registros de actualización del Antivirus: cada actualización estaba añadiendo una entrada duplicada en el historial del navegador
• [28364] Fixed page title bar not displaying domain name and navigation context at desktop screen widths.
• [29264] Fixed landing page links not highlighting the correct navigation menu item due to typos and missing submenu values.
• [29368] Fixed the tertiary navigation menu disappearing from Secure Messaging after clicking Save.
• [28605] Corrección para que el mensaje no se vuelva a seleccionar al navegar de regreso después de seguir un hipervínculo en la transcripción del mensaje que navega a una vista de lista
• [3331] Fixed domain changes (add/edit/delete) made outside of the current session not being reflected in the web interface.
• [29297] Fixed the Search Settings close icon (red X) wrapping to a new line instead of staying inline with the search field.
• [1310] Fixed Message Log "Result" and "Reason" columns not sorting correctly when clicking the column header.
• [27313] Fixed folded RFC 2047 encoded subjects being truncated in Message Log. Message Log subjects are still limited to 256 UTF-8 chars.
• [29298] Fixed Message Log not showing the admin email address when an administrator released a message from the user quarantine queue.
• [28719] Fixed quarantined messages being redeliverable from the All Messages log, and the redeliver action not displaying a success/failure summary. Quarantined messages are now skipped with a message indicating they must be released from quarantine first.
• [24702] Fixed users being able to open, download, or redeliver quarantined messages from their message log when they were not allowed to access quarantine.
• [28123] Fixed clicking slightly off a checkbox in list views (quarantine, message log, etc.) deselecting all previously selected items.
• [28082] Fixed "Search My Message Archive" menu item being visible to users when archiving is not enabled for their domain.
• [29064] Fixed slow personal message archive search when filtering by date range.
• [29450] Fixed the Domains and Users list not sorting when clicking the Name or Users column header; the list was reversed instead of sorted.
• [1296] Fixed import button being enabled before a file is selected in import dialogs (whitelist, domain, user, terms, selector).
• [24656] Fixed quarantine configuration schedule day names not being translated for non-English languages.
• [27722] Fixed "Save and Close" button not being enabled when pasting text into IP Shield, Sieve script, content filter, disclaimer, and outbound footer editor fields.
• [28684] Corrección para que los administradores globales puedan ver el menú desplegable de dominios o la lista de servidores de correo al agregar nuevos usuarios si la descripción de un servidor de correo contiene un carácter de comillas dobles
• [29342] Fixed the My Account change-password dialog not sending the user ID to the server, causing silent failure.
• [29310] Fixed the DKIM signing DNS configuration dialog not explaining the %DOMAIN% placeholder when viewing a shared selector. Also added a Copy DNS Record button and clearer guidance.
• [29346] Corrección de inexactitudes en la traducción al ruso: el menú desplegable de la lista de permitidos mostraba el texto "lista de bloqueados", el dominio del remitente en la lista de permitidos tenía un error tipográfico, y las etiquetas de los botones Mostrar/Ocultar Búsqueda estaban intercambiadas
• [29369] Fixed the AI Classification prompt editor showing {categorization_labels} instead of {classification_labels} in the variable list and example prompt.
• [29364] Fixed the QR Code Detection page missing the descriptive text shown on other Anti-Abuse pages.
• [29396] Fixed Settings Search not returning ARC verification settings from the DMARC verification page.
• [29167] Fixed local AI models (e.g., Ollama) incorrectly requiring API key to fetch model list.
• [29553] Fixed clicking "New" on the Admins tab of the Domain Properties dialog throwing an "Illegal qualified name character" XML parse error.
• [29579] Fixed clicking "Save and Close" on the Trusted ARC Sealers dialog throwing a JavaScript error and silently losing changes.
• [29316] Se corrige que ocurre un cierre inesperado del procesamiento del informe de cuarentena cuando la base de datos externa no es accesible
• [28670] Corrección en Configuración / Usuarios | Sistema | Directorios: no se puede especificar un directorio de copia de seguridad de la base de datos que no se pueda crear localmente. Esto puede ser necesario al utilizar una base de datos Firebird externa.
• [29485] Fixed configuration database backup failing with an IBPP::WrongType "BOOLEAN and int16_t" error on systems with AI Classification prompts configured.
• [29185] Fixed inaccurate system CPU usage reporting on dashboard.
• [29545] Fixed message archiving failing with "this IndexWriter is closed" errors until the service was restarted.
• [29549] Fixed the archive retry queue repeatedly retrying messages whose control files could not be read.
• [29347] Fixed LetsEncrypt not correctly detecting the redirect to HTTPS.