SecurityGateway 10.0.0 has been released
-
Matthew Staff
SecurityGateway 10.0.0 has been released and is live on the website and update checker now.
SecurityGateway 10.0.0 - May 14, 2024
MAJOR NEW FEATURES
- [27462] Added the ability to create custom charts/reports for the administrative dashboard.
- [25127] CPU and memory counters have been added to the administrative dashboard for the SecurityGateway, SpamAssassin, Ikarus AV, and ClamAV processes.
- [27148] "QRshing" Protection - SecurityGateway can detect and take action if a QR code image is attached to a message. QR Code Detection can be enabled and configured at "Security | Anti-Abuse | QR Code Detection".
- [19951] "Setup | System | Encryption | Select Certificate" now includes a new option titled "Configure Let's Encrypt". This option allows you to automate a PowerShell script that downloads SSL certificates from Let's Encrypt. Let's Encrypt is a Certificate Authority that offers free certificates through an automated process. This process is designed to simplify the traditionally complex procedure of manual creation, validation, signing, installation, and renewal of certificates.
- [27357] Added support for Abusix Mail Intelligence at Security | Anti-Spam. For more information on Abusix Mail Intelligence visit https://www.mdaemon.com/mdaemon-abusix-trial-sign-up.
CHANGES AND NEW FEATURES
- [27073] A new option has been added (enabled by default): "Automatically detect and activate newer certificates". When this option is enabled, the system will perform a check during its nightly maintenance process. For each active certificate, it will check if there's another certificate on the system that expires later, is for the same hostname, and includes all alternative hostnames. If such a certificate exists, the system will automatically make it the active certificate. This feature is particularly useful when there's a scheduled task on the system that automatically updates the certificate, such as Let's Encrypt.
- [26409] A warning email is now sent to global administrators when an SSL certificate configured for use is about to expire.
- [27606] A Secure Message Recipient can use the "Forgot Password" link on the login page, even if they have not completed the setup process. In this scenario, the account setup invitation message will be resent.
- [23357] Added a new log file that logs failed authentication attempts.
- [24248] Updated the default "Security | Filtering | Attachments | Attachments to Block" list for new installations. A new action link, "Block recommended files" allows these extensions to be applied to upgraded installations.
- [26593] The Location Screening option "SMTP connections are accepted but authentication is blocked" is now per country instead of global. Blocking SMTP connections prevents your server from receiving mail from a country. Allowing SMTP connections with authentication disabled lets your server receive mail from a country while blocking brute force / dictionary attacks from them. Configure this at "Security | Anti-Abuse | Location Screening".
- [27665] Updated Acme-PS PowerShell module used by the Let's Encrypt PowerShell script to version 1.5.9
- [26924] ESMTP support for AUTH is not advertised if not allowed by location screening policy
- [27493] The domain SMTP AUTH Password now matches any user of the domain for the "Security | Anti-Abuse | SMTP Authentication | Authentication credentials must match those of the email sender" requirement.
- [27581] "Setup / Users | Accounts | User Options | Access Control" has a new option "Allow users to view message transcripts". If this option is disabled, only administrators will be able to view the transcript details for a message in their message log or quarantine. This option is enabled by default for upgrades, but disabled for new installations.
- [27668] The properties dialog for creating or editing a domain administrator has a new option "Can view the source of domain user's messages". This option applies to messages that SecurityGateway has retained according to the "Setup / Users | Database | Data Retention" settings. Messages that are queued for delivery to a Domain Mail Server and messages that are quarantined are always retained. This option does not apply to archived messages.
- [24747] Increased default size of "Message Information" (View Message) window.
- [27578] Updated ClamAV to version 1.0.6
- [27763] "Security | Anti-Abuse | SMTP Authentication" has a new option "Do not allow authentication on the SMTP port". If enabled, AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. This setting is useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.
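The nightly certificate check described in [27073] is a small selection algorithm, and the part that matters for security is the "includes all alternative hostnames" condition: a renewal that silently dropped a SAN would be activated only to break TLS for that hostname. The following Python model of that check is an added example and is not SecurityGateway's own code; the certificate store format, the field names and the sample certificates are constructed, and the tie-break among several qualifying candidates (latest expiry wins) is an assumption the release notes do not state.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Metadata of one installed certificate (constructed; not the product's store format)."""
    thumbprint: str
    hostname: str        # subject common name
    sans: tuple          # subject alternative names
    not_after: datetime  # expiry, timezone-aware
    active: bool = False


def covered_names(cert):
    """All hostnames the certificate is valid for, case-folded."""
    return {n.lower() for n in cert.sans} | {cert.hostname.lower()}


def find_newer_certificate(active, store):
    """Return the certificate that should replace `active`, or None.

    A candidate qualifies only if it expires later, is for the same hostname,
    and still covers every name the active certificate covers. Among several
    qualifying candidates the latest-expiring one wins (assumption: the
    release notes do not say how that tie is broken).
    """
    best = None
    for cand in store:
        if cand.thumbprint == active.thumbprint:
            continue
        if cand.hostname.lower() != active.hostname.lower():
            continue                      # certificate for a different site
        if cand.not_after <= active.not_after:
            continue                      # not newer than what is live
        if not covered_names(active) <= covered_names(cand):
            continue                      # would drop a SAN and break that hostname
        if best is None or cand.not_after > best.not_after:
            best = cand
    return best


def nightly_certificate_check(store):
    """One pass of the nightly check: maps each active thumbprint to its replacement."""
    swaps = {}
    for cert in store:
        if cert.active:
            repl = find_newer_certificate(cert, store)
            if repl is not None:
                swaps[cert.thumbprint] = repl.thumbprint
    return swaps


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample store: A is live, B is the Let's Encrypt renewal,
# C expires even later but lost the webmail SAN, D belongs to another host.
STORE = (
    Cert("A", "mail.example.test",
         ("mail.example.test", "smtp.example.test", "webmail.example.test"),
         _utc(2024, 6, 30), active=True),
    Cert("B", "mail.example.test",
         ("mail.example.test", "smtp.example.test", "webmail.example.test"),
         _utc(2024, 9, 28)),
    Cert("C", "MAIL.example.test",
         ("mail.example.test", "smtp.example.test"),
         _utc(2024, 12, 1)),
    Cert("D", "autodiscover.example.test",
         ("autodiscover.example.test",),
         _utc(2025, 1, 15)),
)

if __name__ == "__main__":
    for old, new in nightly_certificate_check(STORE).items():
        print(f"activate {new} in place of {old}")
```

Run as a script it reports that B replaces A: C is rejected even though it expires later, because it no longer covers webmail.example.test, and D is ignored because it is for another hostname. When a scheduled task such as the Let's Encrypt script renews with a different SAN list, this is the case to check first.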
FIXES
- [27556] fix to when upgrading the country is changed to "United States (US)" in "Setup / Users | Registration | License Information"
- [27201] fix to after restarting the system service all users are logged out of the web interface
- [26496] fix to self-signed certificates generated by SecurityGateway cannot be trusted by recent versions of Chrome and Android
- [14014] fix to deleting the last active SSL certificate and creating a new one disables SSL
- [27182] fix to "Setup | System | Encryption" unchecking the "Active" checkbox for an SSL certificate immediately deactivates the certificate
- [27660] fix to possible crash if external Firebird database server cannot be reached
- [27619] fix to IP addresses being looked up on Spamhaus DBL. The Spamhaus DBL only supports querying domain names.
- [27620] fix to URIBL result codes matching pattern they should not match
- [27621] fix to URIBL engine is reversing numeric URIs even though they are not IP addresses
- [27622] fix to URIBL engine incorrectly parsing URIs that contain a port number
- [27594] fix to external administrator account is unable to configure two factor authenticator application due to "access denied" error
- [27501] fix to exceptionally large values in the "Maximum acceptable SMTP message size" setting result in a negative size attribute in the EHLO response
- [27613] fix to "ReadDataFilterHostProcess failed" error attempting to extract text from attachments
- [27561] fix to if the SPF DNS lookup result contains a CNAME record that points back to the queried domain, it could cause the thread to hang and consume excessive CPU time
- [19111] fix to "Setup | Database | Restore" the displayed size for database backup files larger than 2GB is incorrectly shown as a negative value
- [27492] fix to "May be forged" returned in EHLO response even if EHLO DNS lookup was not performed
- [27016] fix to no action is taken when the Account Hijack Detection threshold is reached. When this occurs, a database error "multiple rows in singleton select" is logged to the system log file.
- [27676] fix to access denied error when domain administrators access "Security | Anti-spoofing" and "Security | Anti-abuse" menus
- [27677] fix to potential SQL exception related to "violation of foreign key constraint". This issue can occur when sending quarantine reports if a user is deleted during the report generation process.
- [27369] fix to "Message Log | Message Information | Transcript" is partially hidden in Dark Mode
- [27453] fix to the pipe character "|" cannot be used in the mailbox portion of an email address
- [27768] fix to if the logging level is set to "Debug" Administrative Quarantine Summary Reports may not be sent to all administrators
- [27736] fix to quarantine reports may not be sent or include the wrong messages if the "only include new messages" option is enabled
- [27771] fix to SpamAssassin temp folder left on disk
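Several of the URIBL fixes above ([27619], [27620], [27621], [27622]) come down to how a query name is built from a URI and how an answer is interpreted: the host must be separated from userinfo and port, an IP literal is reversed while a numeric-looking domain is not, a domain-only zone such as the Spamhaus DBL must never be asked about an IP, and a return code must be matched against the ranges the list documents rather than a loose "127.x" pattern. The Python below is an added example of that logic, not SecurityGateway's URIBL engine; the zone table and the second zone name are constructed, and the DBL return-code ranges used are those Spamhaus publishes for the DBL and should be checked against the current documentation before use.

```python
import ipaddress
from urllib.parse import urlsplit


class NotListable(ValueError):
    """The host cannot be queried against this zone."""


# Constructed table of configured zones and whether each accepts IP queries.
# Spamhaus DBL lists domain names only; the second zone is hypothetical.
ZONES = {
    "dbl.spamhaus.org": False,
    "uribl.example.test": True,
}


def extract_host(uri):
    """Host part of a URI with userinfo, port, IPv6 brackets and case removed."""
    if "://" not in uri:
        uri = "http://" + uri          # bare "host/path" as often seen in message bodies
    host = urlsplit(uri).hostname      # strips user:pw@, :port and [ ], lowercases
    if not host:
        raise NotListable(f"no host in {uri!r}")
    return host.rstrip(".")


def classify_host(host):
    """('ip', address) for a real IPv4/IPv6 literal, else ('domain', host).

    Numeric-looking names such as '1.2.3' or '192.0.2.10.example.com' are
    not addresses and must not be octet-reversed.
    """
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        return "domain", host


def query_name(uri, zone):
    """DNS name to look up for `uri` in `zone`; raises NotListable if the zone cannot be asked."""
    host = extract_host(uri)
    kind, value = classify_host(host)
    if kind == "domain":
        return f"{value}.{zone}"
    if not ZONES.get(zone, False):
        raise NotListable(f"{zone} lists domain names only; skipping {host}")
    if value.version == 4:
        label = ".".join(reversed(host.split(".")))
    else:
        label = ".".join(reversed(value.exploded.replace(":", "")))  # nibble-reversed
    return f"{label}.{zone}"


def build_queries(uri):
    """Query names for every configured zone; None where the zone cannot be asked."""
    out = {}
    for zone in ZONES:
        try:
            out[zone] = query_name(uri, zone)
        except NotListable:
            out[zone] = None
    return out


def interpret_dbl_answer(answer):
    """Classify a DBL A-record answer as listed / error / unexpected.

    A naive startswith("127.") check would treat the error codes below as a
    listing; the error checks therefore run before the listing-range check.
    """
    ip = ipaddress.ip_address(answer)
    if ip == ipaddress.ip_address("127.0.1.255"):
        return "error"          # "IP queries prohibited": inside 127.0.1.0/24 but not a listing
    if ip in ipaddress.ip_network("127.255.255.0/24"):
        return "error"          # resolver or query-volume problem, never a listing
    if ip in ipaddress.ip_network("127.0.1.0/24"):
        return "listed"
    return "unexpected"         # do not act on codes the list does not document


if __name__ == "__main__":
    for uri in ("http://user:pw@WWW.Example.com:8080/login",
                "http://1.2.3/", "192.0.2.10.example.com/x",
                "http://192.0.2.10/x", "http://[2001:db8::1]:443/"):
        print(uri, "->", build_queries(uri))
    for code in ("127.0.1.2", "127.0.1.255", "127.255.255.254", "127.0.0.1"):
        print(code, "->", interpret_dbl_answer(code))
```

The two evasion-shaped inputs are the useful ones to keep in a regression suite: "1.2.3" and "192.0.2.10.example.com" look numeric but are domains, so they are queried as-is, while a genuine IP literal is reversed for the zone that accepts IPs and skipped entirely for the DBL.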
-
Great release on 10.0!
I think I found a logic problem with regards to the new Abusix; if you enable Abusix, it automatically creates and enables entries in the DNSBL list, one of which is the "Whitelist" entry with a -1.0 score. So far so good, BUT, if you have the "If the sending server of a message is listed:... refuse the message" option selected, then the entries being on the Whitelist cause SecurityGateway to drop the connection and refuse the message.
I started getting calls about mail not arriving and after a little troubleshooting discovered that the Abusix whitelist was causing this because of the abovementioned setting also being enabled.
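The problem reported in the comment above is a policy-evaluation bug rather than a DNS one: a "refuse if listed" action that keys off any listing, without looking at the sign of the entry's score, turns a whitelist hit into a rejection. The Python below is an added example modelling the two behaviours side by side; it is not SecurityGateway's DNSBL code, performs no DNS lookups, and the entry names, zones and scores are constructed from the description in the comment (the -1.0 whitelist score is the one detail taken from it).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsblEntry:
    """One row of a DNSBL configuration (constructed names and zones)."""
    name: str
    zone: str
    score: float          # negative = trust signal, as the whitelist entry is scored


# Hypothetical entries modelled on the comment: enabling Abusix adds several
# lists, one of them a whitelist scored -1.0.
ENTRIES = (
    DnsblEntry("Abusix blacklist", "black.example.test", 5.0),
    DnsblEntry("Abusix whitelist", "white.example.test", -1.0),
)


def evaluate(hits, entries, refuse_if_listed, refuse_only_positive):
    """Combine the lists a sending IP was found on.

    `hits` is the set of zones that answered for the sender (constructed input;
    no DNS is done here). Returns (total_score, refuse).
    refuse_only_positive=False: any listing refuses, the behaviour the comment reports.
    refuse_only_positive=True:  only a positively scored listing can refuse.
    """
    total = 0.0
    refuse = False
    for entry in entries:
        if entry.zone not in hits:
            continue
        total += entry.score
        if refuse_if_listed and (entry.score > 0 or not refuse_only_positive):
            refuse = True
    return total, refuse


def decide(hits, refuse_only_positive):
    """Evaluate with the "refuse the message if listed" option enabled."""
    return evaluate(hits, ENTRIES, refuse_if_listed=True,
                    refuse_only_positive=refuse_only_positive)


if __name__ == "__main__":
    cases = (("sender on whitelist only", {"white.example.test"}),
             ("sender on blacklist only", {"black.example.test"}),
             ("sender on neither", set()))
    for label, hits in cases:
        print(f"{label}: observed={decide(hits, False)} expected={decide(hits, True)}")
```

For a sender found only on the whitelist the first column shows a score of -1.0 together with refuse=True, which is the mail loss described above; the second column keeps the negative score as a trust signal and lets the message through.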
-
The web interface is not using the correct (default) certificate, I have logged a case but no response. I cannot find a way to change it.
-
Matthew Staff
@Adam are you able to log into the SecurityGateway web interface? If you are, how many active certificates are listed at Setup / Users | System Encryption? Does this page show the correct default certificate? I would try making a change, then revert the change, and then save the encryption settings.
-
Matthew Staff
@Bill this is a bug, thank you for the feedback. I will get this fixed for the next release.
-
@Matthew I am able to log in, but only by IP address due to HSTS.
I have two active certificates and have tried multiple ways to resolve the issue. If I disable all certificates and then enable only the one I want for the web interface (enable & set as default), it works correctly. However, as soon as I enable a second certificate, even with the default option unchecked, I am incorrectly presented with the wrong certificate when logging in via HTTPS.
Another issue I have noticed is that even though I have specified an IP address in the "Bind sockets to these IPs (comma delimited):" field, the software still binds to all IP addresses on the server instead of the single IP address entered, and any ports entered in "HTTP Ports (comma delimited):" are in use on all IP addresses.
I also noticed that the server is binding to port 80 even when it is not in the list of ports selected.
-
Matthew Staff
@Adam Lovegrove I was able to reproduce the issue with the correct SSL certificate not being returned. Could you please test this patched version of SecurityGateway.exe.
https://mdaemon.sharefile.com/d-sbe33acbe31ad4f3f8c6d0e5c680bc6cc
I have logged the issue with HTTP port binding as a bug to investigate. I do not believe that this is a new issue to 10.0.0.
-
Thanks, I will test and let you know. On another note, I made two support requests on the website for this issue and received no reply. Very disappointing.
-
@Matthew The patched exe works, thank you. Do you have any update on the other issues I raised:
1) Despite specifying an IP address in the "Bind sockets to these IPs (comma delimited):" field, the software binds to all IP addresses on the server instead of the single IP address entered. Additionally, any ports entered in "HTTP Ports (comma delimited):" are in use on all IP addresses.
2) The server is binding to port 80 even when it is not in the list of ports selected.
-
Matthew Staff
@Adam I have been able to reproduce the first issue. I will have a patch available for this in the next day or two.
I have not been able to reproduce the second issue. If you make a change to the HTTP port list, change it back, and then Save, does the SecurityGateway web service still accept connections on port 80?