Special Considerations
32bit builds and support for 32bit operating systems has been discontinued. Starting with SecurityGateway 8.5.0, only 64bit builds will be distributed. This allows for us to streamline development and testing and utilize libraries that are only available as 64bit. If you are currently running a 32bit build on a supported 64bit operating system, you can simply download the 64bit build and install on top of the existing installation.
Major New Features
SecurityGateway's new Secure Messaging feature provides a way for your users to send secure message to recipients outside their domain but in such a way that the message never leaves the SecurityGateway server. It does this by utilizing a secure messaging web portal. When the message is sent, the recipient receives an email notification that a secure message for them is available, with a link to create a Secure Message Recipient account so that they can view the message located on your SecurityGateway server. The secure message is accessed via the recipient's browser, and end-to-end encryption is maintained between the SecurityGateway server and the recipient via HTTPS encryption. Secure messaging requires a valid SSL certificate and that HTTPS is enabled (see also: HTTPS Server). Recipients can view and reply to the messages within the SecurityGateway portal, and they can optionally compose new secure messages to a designated list of users. See: Recipients and Recipient Options for more information on secure message recipient accounts.
User-based Mail Routing
•Using a new Mail Delivery section on the User Edit page, you can choose a specific domain mail server to use for the user's mail, rather than it using the default mail servers assigned to the domain.
•A new option has been added to the domain properties dialog: "Do not use this mail server to deliver domain mail, only make available to assign to specific domain users".
•These settings allow for a hybrid deployment where the mailboxes for some local users are hosted in the cloud while others are on site. This also makes it possible for you to use a single domain and a single SecurityGateway server to route mail to mail servers running at each location of your business.
SecurityGateway now provides various Performance Counters for use in the Windows Performance Monitor, which allow you to monitor SecurityGateway's status in real time. There are counters for the number of active inbound and outbound SMTP sessions, the number of messages queued for delivery, how many messages are quarantined, how long SecurityGateway has been running, the domain and user counts, and so on.
Additional Features and Changes
•Added an option on the User Options page to require strong passwords. This option can be disabled per user on the User Edit page.
•The dashboard and registration pages will now display if a service provider/private cloud registration key is used.
•Recipient whitelists for attachment filtering. A list of recipient addresses, including support for wildcards, may be defined for both attachment blocking and quarantining that bypass the relevant filtering.
•Lets Encrypt - the script will no longer delete the log file on each run.
For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 8.0.0
Major New Features
•SecurityGateway now supports active/active database replication in your Clustering environment, but it requires an external replication tool and its configuration is beyond the scope of this help file. For a discussion on its requirements and instructions on configuring your cluster to use active/active replication, see the PDF document: SecurityGateway: Configuring Active-Active Database Replication.
•Data Leak Prevention - Search for medical terminology. A list of medical terms may be defined and a score assigned to each. Messages are scanned for matching terms and the sum of the scores for all terms found is calculated. The specified action is performed on messages for which the calculated score exceeds the defined threshold.
•Added ability to run a custom process/script during message processing and select an action based on the result of the script.
•The script must be placed in the "Sieve Executable Path" directory which can be configured from Setup » System » Directories.
•The "execute" sieve keyword has been added which may be used as an action and a test.
•First parameter is the name of the script. At this time, .bat, .exe, and PowerShell are supported.
•The second parameter is arguments that will be passed to the process. The message_filename is populated with the full path to the RFC822 source of the message being currently processed.
•For example... if execute "Test.ps1" "-msg '${message_filename}'" { }
•Added the ability to export all archived messages for a domain.
•Change/Audit logging - Added a new log file which logs changes to the configuration and who made them.
•Added the ability to send user and administrative quarantine reports on a defined schedule.
•Added an option for emailed quarantine reports to include only new messages that have been quarantined since the last time the quarantine report email was sent. A quarantine report will not be generated if there are no new messages to include in the report.
Additional Features and Changes
•Updated the "Forgot Password" process to send an email with a link to change the user's password.
•LetsEncrypt - Updated script to look for the new Issuer being used by LetsEncrypt.
•Updated DKIM Signing to use SHA256 hash.
•Added GetServerSetting and PutServerSetting methods to XMLRPC API and PowerShell module.
•Added the SMTP connection and protocol timeouts to the Setup » Mail Configuration » Email Protocol page.
•Added the ability to download attachments from the Message Log » Message Information » Message tab.
•Updated the alert, confirm, and prompt message boxes.
•Added several example PowerShell scripts to the docs\API\PowerShell Samples directory for reference.
•The HELO Domain Name value (Setup » Mail Configuration » Email Protocol) is now a per-server setting in clustered environments. The value may be set to a unique value on each server in the cluster.
•Added the ability to manually execute an SQL statement against the database from the web interface. This feature should only be used on the instruction of technical support and it is recommended that a database backup be performed first.
•Added option to include "Blacklist Domain" link in the quarantine report email.
For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 7.0.0
Special Considerations
•On the Email Protocol page (at Setup » Mail Configuration » Email Protocol), two options have been removed: Use ESMTP whenever possible and Hide ESMTP SIZE command parameter. Both options are now always advertised and ESMTP is used whenever possible.
•Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite the existing clamd.conf. If you have customized your clamd.conf you may need to review and make changes to it after installation.
•The Logging Configuration option to "Create log files based on the day of the week" has been removed. If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
New Features and Changes
Clustering
SecurityGateway's new Clustering feature is designed to share your configuration between two or more SecurityGateway servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple SecurityGateway servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. Here are a number of key points to know about SecurityGateway's Clustering feature (for more detailed information and setup instructions, see: Clustering):
•Clustering allows multiple active SecurityGateway instances/servers to share a single database.
•An external Firebird version 3 database server must be manually installed and configured.
•An option has been added to the installer that allows external Firebird server parameters to be specified during an initial installation. An existing installation may be configured to connect to an external Firebird database server via the sgdbtool.exe command line tool.
•Shared storage is required and shared directories must be set to a UNC path that all servers in the cluster can access. This may require changing the user account for the SecurityGateway Windows Service.
•The primary server is responsible for scheduled maintenance tasks.
•Each server in the cluster must have its own unique registration key.
Firebird 3 Database Upgrade
•Firebird 2 and 3 runtimes are included and installed in SecurityGateway 7.0.
•New installations of SecurityGateway 7.0 or later will use Firebird 3.
•When updating an existing SecurityGateway installation to SecurityGateway version 7 or later, Firebird 2 will continue to be used.
•Using the new Clustering feature requires a Firebird 3 database.
•Upgrading the database so that it is compatible with Firebird 3 requires that it be backed up using the 2.x runtime and restored using the 3.x runtime. The Administrator may upgrade an existing database from version 2 to 3 by using the sgdbtool.exe command line tool, located in the \SecurityGateway\App folder. To convert the database, stop the SecurityGateway service, open the Command Prompt, and run: "sgdbtool.exe convertfb3".
Two Factor Authentication
Under User Options, Administrators may allow and require Two Factor Authentication (2FA) globally or per domain. If 2FA is required, the user is presented with a Setup 2FA page the first time they sign in. Otherwise the user can go to Main » My Account » Two Factor Authentication to setup 2FA.
Check for Compromised Passwords
SecurityGateway can check a user's password against a compromised password list from a third-party service, and it is able to do this without transmitting the password to the service. If a user's password is present on the list, it does not mean the account has been hacked. It means that someone somewhere has used an identical password before and it has appeared in a data breach. Unique passwords that have never been used anywhere else are more secure, as published passwords may be used by hackers in dictionary attacks. See Pwned Passwords for more information.
Domain Administrators Can Create New Domains
There is a new option on the Edit Administrator page that allows you to give a Domain Administrator permission to create new domains. The administrator will be automatically added as a Domain Administrator for any domains that they create. There is also an option to set a limit on how many domains the administrator is allowed to create.
New SMTP Extensions
The RequireTLS effort in IETF is finally finished, and support for this has been implemented. RequireTLS allows you to flag messages that must be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. RequireTLS is enabled by default, but the only messages that will be subject to the RequireTLS process are messages specifically flagged by a Content Filter rule using the new Content Filter action, "Flag message for REQUIRETLS...", or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com). All other messages are treated as if the service is disabled. Additionally, several requirements must be met in order for a message to be sent using RequireTLS. If any of them fail, the message will bounce back rather than be sent in the clear. For more information about these requirements and how to set up RequireTLS, see the Enable REQUIRETLS (RFC 8689) option. For a complete description of RequireTLS, see: RFC 8689: SMTP Require TLS Option.
SMTP MTA-STS (RFC 8461) - Strict Transport Security
The MTA-STS effort in the IETF has finished, and support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. MTA-STS support is enabled by default. See the Enable MTA-STS (RFC 8461) option for more information on setting this up. SMTP MTA-STA is fully described in RFC 8461: SMTP MTA Strict Transport Security (MTA-STS).
TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, SecurityGateway will send a report daily to each STS-enabled domain to which it has sent (or attempted to send) mail that day. There are several options provided for configuring the information that your reports will contain. TLS Reporting is disabled by default and discussed in RFC 8460: SMTP TLS Reporting.
Additional Features and Changes
•Updated the SecurityGateway GUI with a more modern appearance.
•Updated the FusionCharts graphing component.
•Added ability to exclude specific senders from virus scanning.
•Added option for whitelist to take precedence over blacklist.
•LetsEncrypt will now check the version of PowerShell running on the machine and return an error if the correct version has not been installed.
•LetsEncrypt will now check the PSModulePath environment variable to make sure the SG module path is included, if it is not, it will be added for the session.
•LetsEncrypt will now delete and recreate the account when changing between the staging and live LetsEncrypt systems.
•LetsEncrypt will now retrieve errors from LetsEncrypt when a challenge fails and write the data to the log and to the screen.
•LetsEncrypt has a new -Staging switch that can be passed on the command line. If this switch is passed the script will use the LetsEncrypt staging system to request a certificate.
•Updated JSTree library to version 3.3.8.
•Added ability to specify which user account the SecurityGateway Windows Service runs under.
•Added support for SIEVE Variables Extension RFC-5229.
•Added :eval modifier to SIEVE Variables Extension, which allows you to do simple computations.
Example:
require "securitygateway";
require "variables";
require "fileinto";
if header :matches "from" "*" {
set :length "length" "${1}";
set :eval "fileintovar" "${length} * 25 - 1 / 8+3";
fileinto "${fileintovar}";
}
•The "Create log files based on the day of the week" option has been removed. If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.
•Added an option to toggle viewing a password when it's being typed. A new access control option added to the User Options page allows this feature to be disabled.
•Changed Cyren AV updater to use TLS when downloading virus definitions.
•Added an option to include the computer name in the log file name. This option is required if the log directory is set to a UNC path and allows multiple servers in a cluster to log to the same location.
•Added option to the installer to specify external Firebird server parameters during initial installation.
•Updated Chilkat library to verson 9.5.0.82.
•Added a logging option to not log SMTP or HTTP connections from specified IP addresses. Incomplete and rejected SMTP messages from a specified IP address will also not be added to database. If the message is accepted for delivery it will be added to the database.
•Added Sieve action "changesender" to allow the SMTP envelope sender that SG will use to deliver the message to be changed/specified
•Updated Cyren AV engine to 6.3.0r2
•Updated ClamAV engine to version 0.102.4
For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 6.5.0
Special Considerations
The LetsEncrypt functionality has been updated to use ACME v2. This update is required because LetsEncrypt is discontinuing support for ACME v1. PowerShell 5.1 and .Net Framework 4.7.2 are now required in order to use LetsEncrypt.
New Features and Changes
•Updated ClamAV to version 0.102.0
•Updated Cyren AV engine to version 6.2.2.
•Added support to scan RAR archives for attachment filtering.
•Added an Archiving option to send a Journaling Report with a copy of internal messages, external messages, or all messages to a specified email address.
•Added the ability to remove the subject tag used to trigger RMail processing.
•Added the ability to exclude calendar invitation messages from RMail processing.
•Added support to host the database on a standalone external Firebird server. A "-setdbconnect" parameter has been added to sgdbtool.exe to specify the IP address, database path/alias, username, and password to use when connecting to the database.
•The "Include 'Blacklist' link in quarantine email" option has been renamed to "Include 'Blacklist' option in quarantine list and email" and also applies to the user's quarantine list view in the web interface.
•Added XML API functions to manage Sieve scripts.
•Added XML API functions to enable archiving and manage archive stores.
•All settings related to DKIM ADSP have been deprecated and removed.
•Added ability to scan TNEF (winmail.dat) files for restricted attachments.
•Messages from a domain mail server will now be DKIM signed (if enabled) even if SMTP session has not authenticated.
•Added option to detect macros in documents during virus scanning.
•Disabled registry reflection, the "64bit Windows Registry" is always used even with the 32bit build running on a 64bit operating system. Existing registry keys and values that may exist in the Wow6432bit node are copied to the non-reflected location HKEY_LOCAL_MACHINE\SOFTWARE\ALT-N Technologies\SecurityGateway.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 6.1.0
Changes and New Features
Archiving Compliance
This new Archiving screen contains settings for controlling how long archived messages must be protected from deletion and how long they will be retained before automatic deletion. There is also a Forget Contact option for deleting archived messages that were sent from (and optionally to) specific users, and a Legal Hold option for preventing any archived emails from being deleted, regardless of any other settings or user privileges set elsewhere in SecurityGateway.
Other New Archiving Features
•Under Accounts » User Options » Access Control, a new option was added to "Allow users to delete archived messages addressed to or from their account." This option is disabled by default.
•There is a new link on the User Settings page that allows you to delete all archived messages sent or received by the user. A confirmation box will open before deleted the messages.
Office 365/Azure AD User Verification
You can now utilize Office 365/Azure Active Directory as a user verification source. This allows SecurityGateway to query Office 365/Azure Active Directory directly to verify users, obtain associated aliases, and verify user passwords. In order to query Office 365/Azure Active Directory you must first grant permission following the steps outlined here: https://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1229.
Other Changes
•Added the ability to search white and black lists.
•Added the ability to sort the quarantine report by score. The messages with the lowest spam score, and more likely to be false positives, will appear at the top of the report.
•LetsEncrypt now includes an option to delete certificates that were issued by LetsEncrypt, have a subject the same as the FQDN in SecurityGateway and with an expiration date over 30 days ago. To use this option pass -RemoveOldCertificates as a command line parameter.
•LetsEncrypt: By default PowerShell only supports SSLv3 and TLS1.0. Code was added to enable TLS1.0, 1.1, and 1.2 for the active session. PowerShell also honors the operating system settings for client SSL/TLS protocol support, so if you disable support for TLS 1.0 as a client protocol in the operating system, PowerShell will not attempt to use it.
•Updated Chilkat library to version 9.5.0.78
New in Version 6.0.0
SPECIAL CONSIDERATIONS
SecurityGateway now requires at least Windows Vista or Windows Server 2008. Due to the discontinuation of security patches from Microsoft, and the lack of required functionality, Windows XP and Windows 2003 are no longer supported.
New Features
Message Archiving
Added support for long term email archiving. Archived messages are fully searchable, and the archived messages are stored in configurable archive stores.
64bit Version
A 64-bit version of SecurityGateway is now available for installation on 64-bit operating systems. The 64-bit version can handle a higher number of active sessions before running out of memory.
Improved Data Leak Prevention
Over sixty additional data leak prevention rule templates are now available.
Additional Changes and Features
•Improved support for Google G Suite. If a domain mail server is configured to deliver mail to Google G Suite (aspmx.l.google.com), connections from any Google G Suite mail server will be treated as from a domain mail server. This facilitates SecurityGateway being used as an outbound mail gateway with Google G Suite.
•The options to refuse messages that are not RFC compliant or incompatible with DMARC do additional checks for invalid syntax in the From header
•Updated inbound/outbound icons in the message log view
•Added support for TLS Server Name Indication (SNI) which allows a different certificate to be used for each domain without requiring them to be on different IP addresses. Multiple certificates can be active, and SecurityGateway will use whichever one has the requested host name in its Subject Alternative Name field.
•Self-signed certificates can now be created with larger key sizes, use SHA2 instead of SHA1, and automatically include the main host name in the Subject Alternative Name field.
•Updated Cyren AV engine to version 6.2.0r2. This version fixes a few reported scanning errors.
•SMTP Callback Verification now supports encrypted connections utilizing STARTTLS
•Updated ClamAV to version 0.101.1
New in Version 5.5.0
IPv6 SUPPORT
Support for IPv6 has been added. SecurityGateway will detect the level of IPv6 capability that your OS supports and dual-stack where possible; otherwise, SecurityGateway will monitor both networks independently. If the new "Connect to outbound IPv6 hosts where possible" option is enabled, outbound SMTP connections will prefer IPv6 over IPv4 whenever possible.
A few options related to use of IPv6 can be found at: Setup | System| IPv6.
Changes and New Features
•Updated Cyren AV engine to AVSDK 5.4.30.7. This fixes some possible scanning error issues.
•Updated ClamAV to version 0.99.4
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 5.0.1
Changes and New Features
•Added the ability to define which DNS servers that SecurityGateway should query. By default the DNS servers defined in the operating system are queried.
•Updated ClamAV to version 0.99.3
•Renamed Alt-N Technologies to MDaemon Technologies
•The suffix domain "rpost.biz" is now appended to the To and CC fields of email messages that are sent via RMail. This is necessary for certain RMail reports to display properly.
•Custom branding now also uses domain IP binding to determine if a domain specific branding images should be used
•LetsEncrypt will now clean up files older than 180 days from the Acme-Challenge and PEM directories. Only .PFX files that have a file name beginning with the Default domain configured in SecurityGateway are removed. The names of the files that are removed are logged in the LetsEncrypt Log file.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 5.0
Location Screening
A geographically based blocking system has been developed which allows you to block incoming SMTP and Remote Administration connections being attempted from unauthorized regions of the world. A new screen has been added at Security|Anti-Abuse|Location Screening to configure this.
Other Changes and New Features
•In order to assist administrators with compliance to laws such as the General Data Protection Regulation in the EU, administrators can now add a Terms of Use statement on the User Options screen. Activate this option if you wish to require users to accept the statement each time they log in to SecurityGateway. Users can accept the statement by checking a box.
•Added hyperlinks to the message details view to find the matching list entry for whitelist and blacklist matches.
•Improved support for Office 365. If a domain mail server is configured to deliver mail to Office 365 (mail.protection.outlook.com), connections from an Office 365 mail connector will be treated as from a domain mail server.
•Added a button to the Message Log | Message Source view to download a message in EML format. This option is only available when the message's content is still available in the SecurityGateway database.
•LetsEncrypt logging will now include additional details that will make it easier to troubleshoot. The log will include a URL to LetsEncrypt.com that will help explain why challenges fail.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 4.5
SPECIAL CONSIDERATIONS
The option "Honor CRAM-MD5 authentication method" found at Setup/Users » Mail Configuration » Email Protocol has changed to disabled by default for security and technical reasons. Using TLS is the preferred way to avoid transmission of passwords in the clear.
New Features
SecurityGateway now integrates with the RMail™ service from RPost® (new in 4.5.1)
RMail™ is a service from RPost® that is intuitive to use and that doesn't require your recipients to have any special software. RMail empowers email usage for consumers and businesses of all sizes, across all industries and departments.
The RMail service is powered by RPost's Registered Email technology, the global standard for email delivery proof. The RMail service extends your email platform, providing:
•Tracking of your important emails and knowledge of precisely when they are delivered and opened.
•Proof of Delivery, Time, and Exact Content.
•Ease of encrypting sensitive emails and attachments for security or legal compliance.
•An easy way for all parties to e-sign documents and complete a transaction.
Using a trial RPost account, each user is limited to sending/receiving 5 encrypted messages per month. Additional messages can be purchased through RPost. Go to RPost.com for information on plans/pricing for increased message limits.
The RMail service may be enabled and configured from the RMail page under the Security menu. It can also be implemented as an action in a Message Content Filter Rule.
Integration with Let's Encrypt via PowerShell script
To support SSL/TLS and HTTPS for SecurityGateway, you need an SSL/TLS Certificate. Certificates are small files issued by a Certificate Authority (CA) that are used to verify to a client or browser that it is connected to its intended server, and that enable SSL/TLS/HTTPS to secure the connection to that server. Let's Encrypt is a CA that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
To support using Let's Encrypt's automated process to manage a certificate, SecurityGateway includes a PowerShell script in the "SecurityGateway\LetsEncrypt" folder. A dependency of the script, the ACMESharp module, requires PowerShell 3.0, which means the script will not work on Windows 2003. Additionally, the SecurityGateway HTTP service must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the SecurityGateway HTTP (templates) folder to complete the http-01 challenge. It uses the FQDN configured in SecurityGateway for the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures SecurityGateway to use the certificate using SecurityGateway's XMLRPC API.
If you have an FQDN setup for your default domain that does not point to the SecurityGateway server, this script will not work. If you want to setup alternate host names in the certificate you can do so. You need to pass the alternate host names on the command line.
Example usage:
.\SGLetsEncrypt.ps1 -UserName admin@domain.com -Password Password1 -AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -ErrorEmailTo admin@domain.com
You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, suppose your default domain is "example.com" configured with an FQDN of "mail.example.com", and you want to use an alternate host name of "imap.example.com". When you run the script, you will only pass "imap.example.com" as an alternate host name. Further, if you pass alternate host names, an HTTP challenge will need to be completed for each one. If the challenges are not all completed then the process will not complete correctly.
If you do not want to use any alternate host names then do not include the –AlternateHostNames parameter in the command line. If you do not want to have email notifications sent when an error occurs do not include the –ErrorEmailTo parameter in the command line.
Other Changes
•Updated Cyren Anti-Virus engine to version 5.4.28-r1
•Updated to version 8.00.0125 of the Cyren Outbreak Protection SDK
•Updated SpamAssassin engine (SGSpamD.exe) to include Encode module for charset conversion and normalization
•Changed the write mode for the Firebird database from asynchronous to synchronous as this should resolve some instances of database corruption. This change does come with a performance cost, but it will not be an issue for most installations. A new Configuration page was added to the Database section under the Setup/User menu, to specify the database write mode. Synchronous write mode is only recommended when the performance of synchronous write mode is not sufficient. It is critical that the system be protected by a reliable UPS and that database backups are maintained.
•The built-in crash memory dump generation code was replaced with code that creates registry entries for Windows Error Reporting. This functionality requires Windows Server 2008/Windows Vista or later. A memory dump file should be created in the "CrashDumps" folder if the securitygateway.exe process crashes. The location of this folder may be changed from Directories page, located under the System section of the Setup/Users menu.
•Added "Result" column to the Queued for Delivery view
•Implemented Sieve extension "proximity" tag for "allof" test. This allows for scripts where multiple search terms must exist within a proximity of a specified number of characters of each other.
•Added GetSetting and PutSetting methods to the XML-RPC API
•Added option to Setup » Mail Configuration » Email Protocol to "Hide software version identification in responses and 'Received:' headers". This option is disabled by default.
•SecurityGateway may report the version of the OS on which it is running when it requests an updated license file from MDaemon Technologies. This information is helpful as we make decisions about which operating systems to support. If you do not wish to report such information, disable the "Include optional usage and environment data in license request" option on the Setup » Registration page.
•Added options to Security » Anti-Spam » Backscatter Protection to specify IP addresses and domain names of sites that are exempt from Backscatter Protection return-path signing.
•Added a per-domain option for the Maximum acceptable SMTP message size.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 4.0
Web Interface Updated to use a Mobile First Responsive Design
The web interface has been updated to use a mobile first responsive design. Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS. Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.
This design is based entirely on the size of the window being used. Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size. The most important change here is the menu. From 1024 pixels width and below the menu is hidden on the left side of the browser. There are two methods that can be used to display the menu. If a touch device is in use, swiping to the right will show the secondary menu. Whether or not a touch device is in use, there is also a "menu" button in the top left corner that will display the secondary menu. Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu. The help, about, and sign out menu in the top right corner changes based on the width of the screen as well. At 768 pixels and above, the words "Help," "About," and "Sign Out" are shown. From 481 pixels to 767 pixels, only the icons are displayed, and 480 pixels or less displays a "gear" icon, which when clicked or tapped will display a drop down menu with the Help, About, and Sign Out options. List views with more than one column have column on/off buttons.
DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a specification designed to help reduce email message abuse, such as incoming spam and phishing messages that misrepresent their origins by forging the message's From: header. DMARC makes it possible for domain owners to use the Domain Name System (DNS) to inform receiving servers of their DMARC policy, which is how they want those servers to handle messages that purport to be sent from their domain but cannot be authenticated as having actually come from it. This policy, which is retrieved by the receiving server via a DNS query while processing the incoming message, can state that the server should quarantine or reject messages that do not align with the policy, or take no action at all (i.e. let the message proceed normally). In addition to the policy, the domain's DMARC DNS record can also contain requests for the server to send DMARC reports to someone, outlining the number of incoming messages purporting to be from that domain and whether or not they passed or failed authentication, and with details about any failures. DMARC's reporting features can be useful for determining the effectiveness of your email authentication procedures and how frequently your domain name is being used in forged messages.
Under Security » Anti-Spoofing, there are three screens for configuring SecurityGateway's DMARC verification and reporting features: DMARC Verification, DMARC Reporting, and DMARC Settings.
Bind Domain to an IP address
For servers that have multiple IP addresses assigned, each domain may be bound to a specific IP address. Mail from the domain will be sent from this IP address. An SMTP Hostname may also be specified for the domain. This value is the Fully Qualified Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending mail for the domain. For incoming connections, this value will be used unless multiple domains are bound to the IP address, in which case the FQDN used will be the one that is associated with the domain that is first in alphabetical order.
Other Changes
•All support for the original DomainKeys message authentication system was removed. DomainKeys is obsolete and was replaced by the acceptance and adoption of DKIM, which SecurityGateway continues to support. Consequently, some web interface dialogs related to DKIM were reorganized, and the options related to DomainKeys were removed. The install process remove DomainKeys.dll.
•All support for Sender-ID was removed. This technology never caught on and is obsolete.
•You can now choose when to display the statistics graphs on the Dashboard and Landing Pages. The Settings are located on the My Settings page and the User Options page. You can choose Automatic, Always, Manual, or Never.
•The Disk Space monitoring page now displays values in MB instead of KB, and the default values have changed.
•Added the ability to filter the message log by sender IP using CIDR notation, simply enter the CIDR pattern as the IP address in the filter dialog.
•For a complete list of all changes, see the SecurityGateway Release Notes, located in the SecurityGateway program group under the Windows Start menu.
New in Version 3.0
New Features
•Outbreak Protection and CYREN AntiVirus are now included in SecurityGateway! Consequently, the ProtectionPlus add-on is no longer needed to add an additional layer of antivirus and spam protection to SecurityGateway.
Other Changes
New in 3.0.3
•Compressed archive files (.zip and .rar) are now scanned for restricted attachments. Archive files are recursively scanned up to a depth of 16 levels.
•The Encryption page now contains STARTTLS Whitelist and STARTTLS Required List options, for exempting or requiring STARTTLS for specific IP addresses, hosts, or domains.
•The Encryption page contains a new option to allow you to temporarily white list hosts that encounter an SSL error during an SMTP session. The white list is reset every hour.
•SecurityGateway now supports TLS 1.1 and 1.2. Requires Windows 7 / Server 2008 R2 or newer.
•Updated Outbreak Protection SDK to version 8.0.110
•The dashboard and reporting charts no longer require Adobe Flash.
•There is now a User Option to "Send an alert to global administrators when a new user is created."
•Added a "Delete All" button to Bad Messages queue. Clicking the "Delete" dropdown menu will allow the user to delete the selected messages or to delete all messages.
•Updated SpamAssassin to version 3.4.1
•Added an option to My Settings and Quarantine Configuration to control how the quarantine report email is sorted. By default the quarantine report is sorted by the date the listed messages were received, but it can now also be sorted by sender or subject.
•Updated Cyren Antivirus to version 5.4.6-r1
•Updated to latest version of libdkim library
New in 3.0.2
•You can now exempt specific file names from the Quarantine messages that cannot be scanned feature. This allows SecurityGateway to receive password protected files with a known file name.
•Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has been added. This governs the value of the "WITH" clause in Received headers. This means you will see "ESMTP" for unauthenticated non-SSL sessions, "ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions, or "ESMTPSA" for authenticated & SSL sessions.
•Added ...unless message is from a whitelisted IP address or host exemption option for SMTP Authentication.
New in 3.0.0
•Kaspersky AV integration, which was previously provided via the ProtectionPlus add-on, has been replaced with CYREN AntiVirus built in to SecurityGateway.
•Commtouch® is now CYREN, therefore the interface has been changed in various places to reflect the name change.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New in Version 2.0
Version 2.0 of SecurityGateway for Email Servers has a number of new features, changes, and bug fixes. The following is a list of the major new features and changes. For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
New Features
•Scheduled Statistics Report—This is a general statistical report that can be used to quickly ascertain the status and filtering effectiveness of the server. It can be sent on a nightly or weekly basis to the global administrators, domain administrators, and a manually defined list of email addresses. For domain administrators, the report will only contain statistics for the domains over which the administrator has administrative rights.
•Disclaimers (Headers / Footers)—SecurityGateway can now add headers and footers to incoming, outgoing, and local messages. You could use this feature, for example, to add "--- Message scanned by SecurityGateway for Email Servers ---" to the bottom of your messages.
•Extract text from attachments—Content filter rules and custom sieve scripts can perform actions based upon the content of an attachment. The sieve body test "text" tag automatically extracts text from several popular attachment formats.
The iFilter interface is used to extract plain text from Microsoft Office and PDF documents. In order to search PDF documents, Adobe Reader must be installed on the SecurityGateway server. Office 2007 documents require the 2007 Office System Converter: Microsoft Filter Pack to be installed.
•Dashboard for domain administrators—When domain administrators log in to their SecurityGateway account, they will now see a Dashboard with statistics for the domains over which they have administrative access.
•Collect mail from a POP3 mailbox—Use the Remote POP Accounts option to configure SecurityGateway to use the POP3 protocol to download mail from a remote POP mailbox for redistribution to a given domain's users. Once collected, the messages are parsed according to the settings provided on the Edit POP Account screen and then delivered to any valid users, just as if the messages had arrived at the server using conventional SMTP transactions.
•Domain aliases—Aliases can now be defined for your domains. All of the domain's users are assumed to be valid for each domain alias. This is useful if a domain has registered multiple domain names, e.g. altn.com, altn.us, altn.biz, etc.
•Define multiple search strings for a single content filter condition—The content filter is a graphical interface for building Sieve Scripts. Multiple search strings may now be defined for a single condition. The user may specify if the condition must match any or all or the defined strings. This is useful for searching a message header or body against a list of keywords.
•Added statistical charts to the "My Account" page—The My Account page now contains four statistical reports for users. This is similar to the administrator Dashboard, displaying account statistics for the past 24 hours.
•Improved heuristic rule update process—The heuristic rule update process now has the ability to pull updates from updates.spamassassin.org in addition to updates from MDaemon Technologies. This ensures that your SpamAssassin rule-sets are always kept current. The SGSpamD Configuration UI has a new check box that governs this option.
Other Changes
•Added option to redeliver messages from the Message Log. This option requires that the content of the message has not been deleted from the database.
•Added a per user language option. System generated messages sent to the user will be translated to this language. A default value may be applied on a server and individual domain basis.
•Added the ability for SGDBTool.exe to create a global administrator. This is useful in cases where the global administrator account created during installation is not accessible.
•Added the ability for SGDBTool.exe to promote a user to a global administrator.
•Updated SGSpamD, ClamAV, and CommTouch Outbreak Protection engines.
•There is now an Add to Message Score content filter action.
•Greylisting is now supported for Sieve Scripts that run during the DATA event. While it is preferred to greylist at RCPT, before the message is transferred, conditional greylisting in response to the DATA command can be a useful tool. This may be an attractive alternative to quarantining mid scoring messages. With the flexibility of Sieve, large messages can be excluded.
•Added "Total" summary line for numerical reports.
•For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.
