SecurityGateway Release Notes

SecurityGateway for Exchange/SMTP v2.0 Release Notes

Developed with over 10 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.

SecurityGateway 2.0.4 - August 17, 2010

FIXES

[5736] fix to SPF resolver does not resolve returned CNAME records when performing A record test
[5493] fix to when a custom date range is specified for a report, only 24 hours of data is returned
[4885] fix to SMTP AUTH LOGIN is allowed over non SSL connection when "Allow Plain Text Passwords" option is disabled
[4801] fix to files in attachments directory may not be removed after database maintenance removes the related message from the database
[1515] fix to verify user feature does not delete users that were converted to aliases of another mailbox (Active Directory or Minger)

SecurityGateway for Exchange/SMTP v1.1 Release Notes

Click here to learn more about SecurityGateway for Exchange/SMTP.

SecurityGateway 1.1.4 - March 24, 2009

CHANGES

DKIM ADSP processing has been enabled by default for new installations and possibly for your installation as well. You should check Security | Anti-Spoofing | DKIM Verification to make sure ADSP processing is enabled. The state of the ADSP specification in IETF is firming up and it looks as if we're ready to start using this on a larger scale. ADSP allows you to reject or treat with suspicion messages which are missing a DKIM signature which should be present. You can configure what you want to happen using settings found at Security | Anti-Spoofing | DKIM Verification.
[3738] Added a "Delete All Messages" link to the quarantine report
[3739] Improved appearance and added "helpful text" to the quarantine report
[3720] Exposed option to delete log archive .zip files older than X days
[3721] Improved layout of logging maintenance options, added checkboxes to enable options

FIXES

[3746] fix to if the language of the user's browser is not supported, the language selection dropdown defaults to German. The language selection dropdown should default to English in this scenario.
[3654] fix to access denied returned when non administrator attempts to view message from quarantine or message log
[3718] fix to malformed DomainKey signature causes unhandled exception
[3719] fix to Top Spam Domains report is not displayed after upgrade from SG 1.0.0 to 1.1.3
[3757] fix to quarantine report email does not render properly with Outlook 2007
[3763] fix to :raw tag for sieve body test has no effect, only the body is searched not the entire RFC822 message
[3774] fix to unable to view blacklist or whitelist, if an entry contains a JavaScript escape character

SecurityGateway 1.1.3 - February 17, 2009

CHANGES

[3426] Updated DomainKeys verifier to improve compliance with RFC 4870
[3435] Associated "Insert" and "Delete" keyboard keys with "New" and "Delete" toolbar buttons
[3595] Local domains are now excluded from the "Top Spam Domains" report

FIXES

[1709] fix to domain administrator who has rights to multiple domains cannot view all messages in message log
[3434] fix to in Microsoft Internet Explorer all list views contain a horizontal scroll bar
[3438] fix to when running a beta, update checker does not detect that final release is available
[3446] fix to incorrect string displayed when message transcript is not available
[3452] fix to a specially crafted HTTP request causes process to terminate, a special thanks to Hamid Ebadi from Amirkabir University for reporting this
[3524] fix to when user clicks on link in quarantine report, the branding image is not displayed on quarantine confirmation page
[3594] fix to from header of system generated message which contains non-ascii characters is not properly encoded
[3598] fix to no records returned when exporting (CSV) domain specific whitelist or blacklist
[3609] fix to global administrator account may be deleted, if the user verification source returns that it is invalid
[3632] fix to ActiveDirectory password verification only works if Window's domain name is the same as the mail domain

SecurityGateway 1.1.2 - January 20, 2009

SPECIAL CONSIDERATIONS

The DNSBL entry for zen.spamhaus.org and the URIBL entry for sbl.spamhaus.org have been disabled. These may be re-enabled, via the web interface, if you are eligible to use them, please refer to http://www.spamhaus.org/organization/dnsblusage.html.

CHANGES

[3119] Login link in quarantine report now populates the Email Address field of the login form
[3363] Each DNSBL host may now be independently enabled/disabled
[1612] A log entry has been added to indicate when a message does not contain a DomainKeys or DKIM signature

FIXES

[3330] fix to unable to start on Windows 2000, cannot find DnsFree entry point in Dnsapi.dll
[3333] fix to NOD32 incorrectly reports securitygateway.exe as a virus
[3358] fix to language selection on login page may not default to correct language
[3361] fix to database query to determine if domain can have additional user counts negative cache entries
[3365] fix to NDR from address does not contain domain name (noreply@@)
[3366] fix to "Bayesian Auto Learning" SIEVE script is not loaded
[3391] fix to Backscatter Protection option "Exclude messages from whitelisted IP addresses and hosts" excludes all messages not just those from whitelisted IP addresses or hosts
[3412] fix to session log for message is truncated if multiple line response is returned from DomainKey lookup

SecurityGateway 1.1.1 - December 16, 2008

CHANGES

[3308] Updated ClamAV to version 0.94.2
[3174] Improved appearance of paging/status bar

FIXES

[1358] fix to SIEVE syntax checker needs to validate that "regex" is in the require statement if used in the script
[1399] fix to for system messages use "noreply@" for return path, if a NULL return path is not required
[1456] fix to quarantine view does not refresh after whitelisting message
[1516] fix to bounces (NDR) may be addressed to BATV encoded address
[1785] fix to SGDBTool.exe manifest file needs to request administrator access. This is necessary for Vista and Windows Server 2008.
[1788] fix to whitelisted addresses are subject to SPF test
[1798] fix to user verification source created by XML-RPC API is missing search filter
[3137] fix to HTTPS requests are not logged to HTTP log when debug logging is enabled
[3140] fix to AddUVSForDomain API method missing domain from UVS GUI page
[3141] fix to AddUVSForDomain API method may cause SecurityGateway.exe process to crash
[3154] fix to typo on software updates page
[3165] fix to link in activation reminder/warning email message is missing href attribute
[3169] fix to formating of quarantine report in SG 1.1.0 is difficult to read
[3170] fix to create non-existent domains when calling CreateAlias and EditAlias methods
[3189] fix to searching message log for subject with non-ASCII characters returns no results
[3190] fix to unable to search message log after receiving message where MAIL FROM value contains non-ASCII character
[3220] fix to user verification feature fails to display System log
[3236] fix to message may be rejected due to "RFC Compliance" when it is in fact compliant
[3237] fix to Ampersand in "Use Domain Keys & DKIM to verify senders" link should not be encoded
[3244] fix to CBV "Try NULL from address first" option has no effect
[3245] fix to SGDBTool.exe is unable to create configuration backup file
[3270] fix to German text "für" is displayed as " fÃ¼r" in the From: header of system generated messages
[3276] fix to administrator created during installation cannot login if user name or email address contains upper case letters
[3286] fix to logging configuration option "Overwrite existing log files ..." is not saved

SecurityGateway 1.1.0 - November 4, 2008

CHANGES

[541] SecurityGateway for Exchange/SMTP now provides an XML-RPC API to manage domains, users, administrators, aliases, domain mail servers, and user verification sources. Using a standard XML-RPC client or library, customers can automate many tasks and integrate with their custom software applications. Complete documentation and examples may be found here or in the /docs/API subdirectory of the installation directory.
[1475] Added automatic update checker. If enabled, each night at midnight, a check for software updates is performed. When an update is found, all global administrators are notified. The update can be downloaded and installed directly from the web interface.
[1353] Added the ability to manually manage aliases on a per-user basis
[1774] Added the ability to merge users. This is needed in instances where a user verification source mistakenly creates an alias as a user.
[1669] Added the ability to define custom branding images on a per-domain basis
[793] During installation, SMTP and HTTP ports are now validated to ensure that they are not in use by another application
[1679] Added uninstall survey. The user is asked during uninstall if they wish to provide feedback.
[1708] Updated ClamAV to version 0.94
[1113] Added option at end of installation, to specify if the system service should be started
[1756] SecurityGateway will mask out IP address, PTR lookup results, and local machine when the IP is local or the IP is that of a domain mail server, or when the message comes in on an authenticated session.
[1758] Updated FireBird database library to version 2.1.1
[1480] Exposed option to hide 'Forgot Password' link on login page
[1784] Added the ability to list global administrators to sgdbtool.exe
[1783] Added "Delete" link to quarantine summary email message
[1742] Updated DKIM verifier to ADSP (was formerly called SSP) final draft which is now in working group last call within the IETF process and we believe soon will be published unaltered as a industry standard RFC document. The current document can be found here: http://www.ietf.org/internet-drafts/draft-ietf-dkim-ssp-06.txt

If you have published an SSP (Sender Signing Practices) record in your DNS you should make note of the following. If you have not published an SSP record in your DNS then you can skip this section.

In order to conform to the final draft for ADSP some changes are required.

(a) First, the protocol name was changed from SSP (Sender Signing Practices) to ADSP (Author Domain Signing Practices). The term "SSP" was abandoned but the new ADSP is doing the same job.

(b) Second, the location in DNS where your ADSP record must be placed has changed from _ssp.domainkey.<domain> to _adsp.domainkey.<domain>. The older _ssp.domainkey.<domain> entry in your DNS can be removed (or left in place as legacy for older software for a few months and then removed).

(c) Third, the ADSP record syntax is different from the older SSP record syntax and so your ADSP record needs to be changed to one of the following (see the ADSP draft for complete information):

dkim=unknown - The domain might sign some or all email
dkim=all - All mail from the domain is signed
dkim=discardable - All mail from the domain is signed and receivers are
encouraged to discard unsigned mail

SecurityGateway no longer supports the older SSP record syntax or location in DNS.

Note that everything stated here applies to SSP or ADSP and NOT to DKIM key records. No changes are required or necessary to any DKIM key record.

FIXES

[1759] fix to when editing a content filter rule for a specific domain, the domain is reset to "global"
[1764] fix to message with subject over 1000 characters causes process to terminate
[1765] fix to unable to download backup file larger than 2GB from web interface
[1766] fix to invalid response to SPF DNS lookup may cause process to terminate
[968] fix to on restore page, text is truncated in list of backup files due to column sizes
[1698] fix to SGDBTool.exe requires CRT runtime files, needs to be statically linked
[1700] fix to incorrect port used in login links if host name option begins with https://
[1703] fix to possible DKIM exploit by inserting a FROM header
[1705] fix to unable to sort domain list by user count
[1706] fix to Outbreak Protection virus result = 3 is not flagged as a virus
[1707] fix to installer may not terminate clamd.exe process
[1712] fix to wrong domain name used in received header for outbound messages
[1743] fix to help link displays "not found" if help file has not been translated. The English help file is now displayed.
[1744] fix to BATV signature not removed from RCPT string when querying user verification source
[1697] fix to inbound messages should not be BATV signed
[1748] fix to BindDN and password needs to be optional for LDAP user verification sources
[1718] fix to Active Directory user verification requires SG machine to be a member of the domain
[1610] fix to aliases are not synchronized with user verification source
[1600] fix to potential SQL error in system log, during database maintenance when deleting expired users
[1773] fix to edit and delete buttons are always enabled for the list of URL Blacklist hosts
[1780] fix to installer may not terminate SGSpamD and ClamD processes
[1786] fix to crash occurs if a domain is deleted, while a member of that domain is logged in

SecurityGateway 1.0.5 - September 23, 2008

CHANGES

FIXES

[1720] fix to crash occurs during database maintenance if more than 5000 transcripts will be deleted
[1746] fix to crash may occur at startup if SMTP port is already in use
[1747] fix to when delivering mail to a domain mail server, SMTP AUTH is performed before STARTTLS
[1654] fix to after upgrade from 1.0.3 unable to activate due to invalid language code

SecurityGateway 1.0.4 - August 19, 2008

CHANGES

[1620] Added release dates to release notes
[1622] Added ability for domain to not use default user verfication sources
[1665] Improved performance of "Delete message transcripts every X days" data retention option
[1667] Delivery Status Notifications link to http://www.altn.com/dsn/
[1653] Web interface URL is mirrored to registry

FIXES

[1619] fix to unable to save Logging Configuration, error "Form field [LogChildInfo] not found"
[1614] fix to editing a content filter rule, with an alert action, adds an extra space to the end of the To, From, and Subject fields
[1621] fix to worker thread list of SIEVE alerts is not cleared between sessions. This may result in erroneous alerts for future SMTP sessions.
[1649] fix to CFV verification may query wrong host
[1654] fix to unable to activate due to invalid language code
[1657] fix to View Configuration does not display all settings
[1652] fix to landing pages display links for which domain administrators have no access
[1659] fix to unable to resolve domain name when bouncing a message
[1661] fix to if a crash dump cannot be created, a 0 byte file is still created
[1671] fix to domain specific greylisting interval is not honored
[1663] fix to unable to save Outbreak Protection when using HTTPS
[1658] fix to deleting a domain does not remove its records from the settings table
[1673] fix to with FireFox 3.0 input control border disappears when mouse cursor hovers over
[1674] fix to SMTP AUTH password verification via Active Directory fails
[1675] fix to session is orphaned when main socket is closed during CFV or CBV operation
[1676] fix to SpamAssassin score from previous session added when RCPT user has spam filtering disabled
[1462] fix to Active Directory User Verification Source created by installer does not have search path
[1680] fix to SG releases mail when blacklisting from user quarantine

SecurityGateway 1.0.3 - July 15, 2008

CHANGES

[1525] Updated ClamAV engine to version 0.93.1
[1524] Added the ability to send quarantine report every X hours
[1454] Added negative search options for message log
[1476] Added option to the web GUI to delete log files
[1527] Added ability to set default value for "Disable Spam Filtering for My Account" user option
[888] Added the ability to delete an IP address banned by Dynamic Screening
[118] A memory dump file will be created when an unhandled exception occurs. A "CrashDump" directory, which will be automatically created under the root SecurityGateway directory. Up to five crash dump files will be retained in this directory. ALT-N's technical support team may request these files to assist in troubleshooting.
[1551] Added exclusion options for Backscatter Protection. By default, messages from domain mail servers, authenticated sessions, white listed IP addresses, and white listed hosts will be excluded.
Updated images on the landing/task page for each section

FIXES

[735] fix to ClamAV update log has duplicated lines
[1522] fix to attachment stripped if message does not contain final MIME boundary or ends in CRLFLF
[1523] fix to "Reached XX% of your user license size" alert sent multiple times
[1526] fix to installer dialogs default to "company.mail", not the specified domain name
[1401] fix to bandwidth report may contain negative values
[1461] fix to IPs added to dynamic screening even though they are whitelisted
[1510] fix to IPs added to dynamic screening even though IP is a domain mail server
[1516] fix to return path for local NDR messages is BATV encoded
[1554] fix to reject string for RCPT that is rejected by DNBL, after a RSET command has occurred, is $RBLREASON$
[1555] fix to smtp.mail DNS lookup result buffer is not cleared by RSET command
[1599] fix to SMTP AUTH does not attempt to validate credentials against local user password
[1601] fix to AD password verification fails if user's domain name is not the same as the Window's domain
[1603] fix to unable to download log file from log file list using FireFox

SecurityGateway 1.0.2 - June 4, 2008

CHANGES

FIXES

[1508] fix to buffer overflow vulnerability related to 720+ character user name or password http://secunia.com/advisories/30497/
[1507] fix to service cannot be started if directory setting points to non-existent drive letter

SecurityGateway 1.0.1 - May 22, 2008

CHANGES

FIXES

[1443] fix to Dynamic Screening ban senders who cause this many failed RCPT attempts does not always work correctly
[1450] fix to beta expiration warning still sent in release version
[1451] fix to Dynamic screening may incorrectly ban an IP address
[1452] fix to Reverse lookup for HELO/EHLO is matched against the host blacklist, not the IP blacklist
[1457] fix to RFC 2047 encoded subjects which contain spaces are not properly decoded
[1487] fix to Firebird.msg file is not created by installer
[1495] fix to ClamAV reports Zip.ExceededFileSize as a virus
[1496] fix to legitimate addresses rejected with a 550 error when user count is at 100% of license size

SecurityGateway 1.0.0 - April 29, 2008

INTRODUCING SECURITYGATEWAY FOR EXCHANGE/SMTP

SecurityGateway (SG) is edge role email security and policy enforcement software which monitors and polices incoming and outgoing email traffic to and from your domain(s) and users.

Some highlights include:

Intuitive task-based user interface
Embedded and high performance SMTP server
Complete email anti-spam protection
- Heuristic message analysis
- Bayesian message analysis
- DNS blacklists (DNSBL)
- URL blacklists (URIBL)
- Greylisting
- Message certification
- Backscatter protection
- Whitelists/blacklists
Complete email anti-virus protection
- ClamAV module included, Kaspersky and others available
- Outbreak Protection module available
Complete email anti-spoofing protection
- Reverse lookups
- Inbound message DKIM verification
- Outbound message DKIM signing
- Sender Policy Framework (SPF) and Sender-ID
- SMTP "call back" verification
Complete email anti-abuse protection
- SMTP authentication
- IP shielding
- Dynamic IP blocking/screening
- Tarpitting
- Bandwidth throttling
Complete email content filtering capability
- Inbound/outbound message filtering
- Attachment filtering
Blacklists - block by email address, sending host, IP
Whitelists - allow by email address, sending host, IP
User and administrative levels of access
- Administrators can set policy globally or per-domain
- Users can self-manage select tasks
Users can manage their own settings, access and manage their own quarantine folder and whitelist/blacklist
Filtering engine based on SIEVE - a highly flexible and standards based filtering language
Provide services for any number of domains
Robust logging and reporting capability