
SecurityGateway for Email Servers v9.0


New in Version 9.0


Special Considerations

9.0.2 — Cyren Anti-Virus has been replaced with IKARUS Anti-Virus. Cyren announced its plans to discontinue operations with little warning, which made it necessary for us to find a new anti-virus partner. After a thorough evaluation, IKARUS Anti-Virus stood out for its detection rate and speed. It offers reliable protection from malicious and potentially hostile programs, combining traditional signature-based defenses with current proactive detection technologies. IKARUS Anti-Virus automatically updates its definitions every 10 minutes.

9.0.2 — Cyren Outbreak Protection has been removed. Cyren announced its plans to discontinue operations with little warning. We are actively researching viable anti-spam technologies as suitable additions to the existing anti-spam mechanisms found in our software products.

9.0.0 — By default, mailbox names that contain a plus character (+) are now considered to be subaddressed. The user verification process treats the subaddress as an alias. For example, user+folder@example.com resolves to user@example.com, and an alias user+folder@example.com = user@example.com is recorded. New users whose mailbox name contains a plus character cannot be created. Existing users whose mailbox name contains a plus character are not removed automatically; they can be fixed up (renamed or merged) by running the Verify Users process on the User Verification Sources page. An option to restore the previous behavior, "Allow user mailbox name to contain plus (+) character", has been added to the User Options page. When it is enabled, these mailbox names are not considered aliases/sub-addresses; for example, user+folder@example.com is then its own user and not an alias of user@example.com.
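The resolution rule above, modelled as an added PowerShell example (this is not SecurityGateway's code): it maps a submitted address to the mailbox that user verification would look up, honours the "Allow user mailbox name to contain plus (+) character" option, and reports whether a mailbox name would be accepted for a new user. How an address whose local part begins with a plus, or a plus inside the domain, is handled is my assumption; the page does not specify it.

```powershell
# Added example, not part of SecurityGateway. Models the 9.0 sub-address rule:
# "user+folder@example.com" verifies as mailbox "user@example.com" with the full
# address recorded as an alias, unless the "Allow user mailbox name to contain
# plus (+) character" option is enabled.
function Resolve-SubaddressedMailbox {
    param(
        [Parameter(Mandatory)][string]$Address,
        # Mirrors the User Options switch; when set, '+' is an ordinary character.
        [switch]$AllowPlusInMailboxName
    )
    # Split on the last '@' so a '+' inside the domain is never treated as a sub-address.
    $at = $Address.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $Address.Length - 1) {
        throw "Not an address of the form local@domain: $Address"
    }
    $localPart = $Address.Substring(0, $at)
    $domain    = $Address.Substring($at + 1).ToLowerInvariant()

    $plus = $localPart.IndexOf('+')
    # Assumption: a local part that starts with '+' has no mailbox name to fall back
    # to, so it is treated as a plain (not sub-addressed) name rather than as an
    # alias of "@domain".
    if ($AllowPlusInMailboxName -or $plus -lt 1) {
        return [pscustomobject]@{
            Mailbox      = "${localPart}@${domain}"
            Alias        = $null
            Subaddressed = $false
        }
    }
    # Everything after the first '+' is the sub-address ("folder" in the page's example).
    $mailboxName = $localPart.Substring(0, $plus)
    return [pscustomobject]@{
        Mailbox      = "${mailboxName}@${domain}"
        Alias        = "${localPart}@${domain}"
        Subaddressed = $true
    }
}

function Test-NewMailboxNameAllowed {
    # New users with '+' in the mailbox name cannot be created unless the option is on.
    param([Parameter(Mandatory)][string]$MailboxName, [switch]$AllowPlusInMailboxName)
    return ($AllowPlusInMailboxName -or -not $MailboxName.Contains('+'))
}

# Walk-through on constructed addresses.
'user@example.com', 'user+folder@example.com', 'user+a+b@example.com', '+folder@example.com' |
    ForEach-Object { Resolve-SubaddressedMailbox -Address $_ } | Format-Table -AutoSize
Resolve-SubaddressedMailbox -Address 'user+folder@example.com' -AllowPlusInMailboxName
Test-NewMailboxNameAllowed -MailboxName 'user+folder'
Test-NewMailboxNameAllowed -MailboxName 'user+folder' -AllowPlusInMailboxName
```

Run the block against the addresses in your own directory before enabling the Verify Users fix-up, so you can see which existing plus-named accounts would collapse onto the same mailbox.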

Major New Features

From Header Screening

A new From Header Screening page was added to the Anti-Spoofing section under Security. It helps expose fraudulent (spoofed) "From:" headers in messages sent by spammers that could otherwise trick users into believing a message came from a legitimate source.

Web Interface Usability Enhancements

Changed the Search dialogs to use a "Show/Hide Search" tools paradigm, and added a Cancel Search button in the main toolbar.

Added the ability to include up to four additional search Header patterns, Results, and Reasons on Message pages. Header patterns can be separated by AND/OR using a button toggle. Results and Reasons are always separated by OR.

There is now a basic Search option on the toolbar of the Domain List and User List.

You can now resize, move, or maximize pop-up windows.

Added a mobile friendly list editor.

Previous/Next buttons were added to the archived message view.

A "Message(s) Restored" status message was added to the bottom right hand corner of the Search Archive pages.

Administrative Dashboard Page Improvements

Available disk space is now displayed to global admins on the Dashboard page, and on the Disk Space page under Setup/Users | System.

Active SMTP inbound and outbound sessions were added to the Dashboard.

The count of messages in the administrative and user quarantine queues was added to the Dashboard page for global administrators.

You can now freeze the inbound and remote delivery queues from the Dashboard.

Additional Features and Changes

The Setup | System | HTTP Server page now has an option to include an HTTP Strict Transport Security (HSTS) header with HTTPS responses. This option is enabled by default. When a browser that supports HSTS receives the header over a connection with a valid certificate, it automatically upgrades any future HTTP requests to that host to HTTPS for the period given by the header's max-age value. Browsers ignore an HSTS header received over plain HTTP or from a site whose certificate produces warnings, so the option only takes effect once HTTPS is correctly configured with a trusted certificate.

SecurityGateway now supports TLS 1.3 on newer versions of Windows. Windows Server 2022 and Windows 11 have TLS 1.3 enabled by default. Windows 10 versions 2004 (OS Build 19041) and newer have experimental TLS 1.3 support that can be enabled for inbound connections by setting the following in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server

DisabledByDefault (DWORD) = 0

Enabled (DWORD) = 1
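The registry change above, as an added PowerShell example (not part of the SecurityGateway documentation or product). It reads the current Schannel state, checks that the Windows build is at least 19041, and applies the two values with -WhatIf support. That a reboot is needed before Schannel picks up the change is the usual behaviour for these keys and is stated here as an assumption.

```powershell
# Added example, not from the SecurityGateway documentation. Inspects and (optionally)
# sets the Schannel TLS 1.3 server switch quoted above. Run in an elevated Windows
# PowerShell session. Assumption: as with other Schannel protocol settings, the new
# value takes effect after a reboot.
$Tls13ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'

function Test-Tls13EligibleBuild {
    # Windows 10 version 2004 is OS build 19041. Server 2022 and Windows 11 are newer
    # and already have TLS 1.3 enabled, so no registry change is needed there.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -ge 19041)
}

function Get-SchannelTls13ServerState {
    if (-not (Test-Path -LiteralPath $Tls13ServerKey)) {
        return [pscustomobject]@{ KeyExists = $false; Enabled = $null; DisabledByDefault = $null; Effective = 'OS default' }
    }
    $props   = Get-ItemProperty -LiteralPath $Tls13ServerKey
    $names   = $props.PSObject.Properties.Name
    $enabled = if ($names -contains 'Enabled')           { [int]$props.Enabled }           else { $null }
    $dbd     = if ($names -contains 'DisabledByDefault') { [int]$props.DisabledByDefault } else { $null }
    # Both values must be set as documented for inbound TLS 1.3 to be offered.
    $effective = 'OS default / incomplete'
    if ($enabled -eq 1 -and $dbd -eq 0) {
        $effective = 'Enabled'
    } elseif ($enabled -eq 0) {
        $effective = 'Disabled'
    }
    return [pscustomobject]@{ KeyExists = $true; Enabled = $enabled; DisabledByDefault = $dbd; Effective = $effective }
}

function Enable-SchannelTls13Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Tls13EligibleBuild)) {
        throw 'This Windows build predates 19041 and has no TLS 1.3 support to enable.'
    }
    if ($PSCmdlet.ShouldProcess($Tls13ServerKey, 'Set DisabledByDefault=0 and Enabled=1')) {
        New-Item -Path $Tls13ServerKey -Force | Out-Null   # creates missing parent keys too
        New-ItemProperty -Path $Tls13ServerKey -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $Tls13ServerKey -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: inspect first, preview the change, then apply and reboot.
Get-SchannelTls13ServerState
Enable-SchannelTls13Server -WhatIf
# Enable-SchannelTls13Server
# Restart-Computer
```

After the reboot, confirm from a client that an inbound SMTP STARTTLS session negotiates TLS 1.3 before relying on it; the page describes the Windows 10 support as experimental.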

Added an option to allow users to view their messages listed in the quarantine report. Global Admins can enable it at: Setup/Users » Mail Configuration » Quarantine Configuration or Main » My Account » Settings.

A "Do not remember me on this device/browser" option will now appear on a user's My Account » Settings page whenever the Remember Me option is active for their current device or browser. They can click that link to deactivate the Remember Me status on that device, and then the link will disappear. They can still use the Remember me on this device option the next time they sign in to SecurityGateway. This option will also be available to Secure Messaging users when Remember Me is currently active.

There are new options on the Accounts » User Options and Secure Messaging » Recipient Options pages to allow you to add some administrator contact info to SecurityGateway's Sign-in and Secure Messaging Sign-in pages respectively.

Added a "Save and Test" button to the User Verification Source editor.

Added a CSRFToken to the sign-in page and a secondary session ID to web interface URLs to mitigate cross-site request forgery (CSRF) attacks.

Added a public/private key verification method as part of the Remember Me feature.

Updated the secure message notification emails with styles and slightly different language.

Reduced the number of database transactions. This helps prevent the database from growing in size.

The VBR certification host "vbr.emailcertification.org" has been deprecated and removed from the Message Certification settings.

Added an option to the Archiving » Compliance page, "Only delete messages from active archive stores". It controls whether older archived messages in inactive archive stores are deleted along with those in active stores. The option is enabled by default, meaning that only older messages in active stores are deleted; this matches the behavior of previous versions.

The SMTP socket is now disconnected for the Sieve actions "error" or "reject" if they occur during the IP phase.

At startup, locked messages in the inbound queue are now moved to the CrashDumps\InboundQueue directory. Messages in the inbound queue are unlocked when a response is sent to the sender, so locked messages can be orphaned there if the SecurityGateway process crashes or is terminated before it has a chance to shut down. Because the sender never received a response to the SMTP DATA command, it is expected to send the message again; delivering the orphaned copy as well could leave the recipient with multiple copies, so it is set aside instead. The content of these messages may be helpful for debugging crashes. Any messages moved to this directory are automatically deleted after 30 days.

LetsEncrypt - Changed the Log function to use Add-Content instead of Out-File. In Windows PowerShell, Out-File writes UTF-16 by default, whereas Add-Content uses the system's default code page, which should allow the log file to be viewed in SecurityGateway. The encoding of an existing log file does not change until a new log file is created.

For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.


New in Version 8.5.0

Special Considerations

32-bit builds and support for 32-bit operating systems have been discontinued. Starting with SecurityGateway 8.5.0, only 64-bit builds will be distributed. This allows us to streamline development and testing and to use libraries that are only available as 64-bit. If you are currently running a 32-bit build on a supported 64-bit operating system, you can simply download the 64-bit build and install it on top of the existing installation.

Major New Features

Secure Messaging Web Portal

SecurityGateway's new Secure Messaging feature provides a way for your users to send secure messages to recipients outside their domain in such a way that the message never leaves the SecurityGateway server. It does this with a secure messaging web portal. When a message is sent, the recipient receives an email notification that a secure message is available for them, with a link to create a Secure Message Recipient account so that they can view the message stored on your SecurityGateway server. The recipient reads the message in a browser, and the connection between that browser and the SecurityGateway server is protected by HTTPS; note that this is transport encryption to the server that holds the message, not end-to-end encryption between sender and recipient. Secure messaging requires a valid SSL certificate and that HTTPS is enabled (see also: HTTPS Server). Recipients can view and reply to messages within the SecurityGateway portal, and they can optionally compose new secure messages to a designated list of users. See Recipients and Recipient Options for more information on secure message recipient accounts.

User-based Mail Routing

Using a new Mail Delivery section on the User Edit page, you can choose a specific domain mail server to use for the user's mail, rather than it using the default mail servers assigned to the domain.

A new option has been added to the domain properties dialog: "Do not use this mail server to deliver domain mail, only make available to assign to specific domain users".

These settings allow for a hybrid deployment where the mailboxes for some local users are hosted in the cloud while others are on site. This also makes it possible for you to use a single domain and a single SecurityGateway server to route mail to mail servers running at each location of your business.

Performance Counters

SecurityGateway now provides various Performance Counters for use in the Windows Performance Monitor, which allow you to monitor SecurityGateway's status in real time. There are counters for the number of active inbound and outbound SMTP sessions, the number of messages queued for delivery, how many messages are quarantined, how long SecurityGateway has been running, the domain and user counts, and so on.

Additional Features and Changes

Added an option on the User Options page to require strong passwords. This option can be disabled per user on the User Edit page.

The dashboard and registration pages now indicate whether a service provider/private cloud registration key is in use.

Recipient whitelists for attachment filtering. A list of recipient addresses, including support for wildcards, may be defined for both attachment blocking and quarantining that bypass the relevant filtering.

LetsEncrypt - The script no longer deletes the log file on each run.

For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.


New in Version 8.0.0

Major New Features

SecurityGateway now supports active/active database replication in your Clustering environment, but it requires an external replication tool and its configuration is beyond the scope of this help file. For a discussion on its requirements and instructions on configuring your cluster to use active/active replication, see the PDF document: SecurityGateway: Configuring Active-Active Database Replication.

Data Leak Prevention - Search for medical terminology. A list of medical terms may be defined and a score assigned to each. Messages are scanned for matching terms and the sum of the scores for all terms found is calculated. The specified action is performed on messages for which the calculated score exceeds the defined threshold.

Added the ability to run a custom process/script during message processing and select an action based on the result of the script.

The script must be placed in the "Sieve Executable Path" directory, which can be configured from Setup » System » Directories.

The "execute" Sieve keyword has been added; it may be used both as an action and as a test.

The first parameter is the name of the script. At this time, .bat, .exe, and PowerShell scripts are supported.

The second parameter is the argument string that will be passed to the process. The variable ${message_filename} is populated with the full path to the RFC822 source of the message currently being processed.

For example:

    if execute "Test.ps1" "-msg '${message_filename}'" { }
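An added example of a script that the "execute" test above could call (this Test.ps1 is mine, not a file shipped with SecurityGateway). It receives the RFC822 file path via -msg, unfolds the header block, and flags a From header whose display name contains an address at a different domain than the real sender address, a common display-name spoof. How SecurityGateway maps the process result to the Sieve test's truth value is not documented on this page; the script assumes exit code 0 means "true" and non-zero means "false", so verify that mapping before acting on it. When run without -msg it self-tests on a constructed message.

```powershell
# Test.ps1: added example, not shipped with SecurityGateway. Invoked from Sieve as
#   if execute "Test.ps1" "-msg '${message_filename}'" { ... }
# Assumption: exit code 0 = test true, non-zero = test false (undocumented on the page).
param([string]$msg)   # full path to the RFC822 source, supplied by SecurityGateway

function Get-MessageHeaders {
    param([string[]]$Lines)
    # Unfold RFC 5322 headers (continuation lines start with space or tab) and stop at
    # the first empty line, which separates the header block from the body.
    $headers = @{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -eq '') { break }
        if ($line -match '^[ \t]' -and $current) {
            $headers[$current] += ' ' + $line.Trim()
            continue
        }
        $sep = $line.IndexOf(':')
        if ($sep -lt 1) { $current = $null; continue }          # not a header line
        $name = $line.Substring(0, $sep).Trim().ToLowerInvariant()
        if ($headers.ContainsKey($name)) { $current = $null; continue }   # keep first occurrence only
        $current = $name
        $headers[$current] = $line.Substring($sep + 1).Trim()
    }
    return $headers
}

function Test-DisplayNameSpoof {
    param([string]$From)
    $addrRe = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    # The real address is the one in angle brackets; without brackets the whole field is the address.
    if ($From -match '<([^>]+)>') {
        $realAddr = $Matches[1]
        $display  = $From.Substring(0, $From.IndexOf('<'))
    } else {
        $realAddr = $From
        $display  = ''
    }
    if ($realAddr -notmatch $addrRe) { return $false }
    $realDomain = $realAddr.Split('@')[-1].ToLowerInvariant()
    $shown = [regex]::Match($display, $addrRe)
    if (-not $shown.Success) { return $false }
    # Display name shows an address at some other domain than the one that actually sent it.
    return ($shown.Value.Split('@')[-1].ToLowerInvariant() -ne $realDomain)
}

if ($msg) {
    if (-not (Test-Path -LiteralPath $msg)) { exit 2 }       # missing file: treat as an error
    $headers = Get-MessageHeaders -Lines ([System.IO.File]::ReadAllLines($msg))
    $from    = if ($headers.ContainsKey('from')) { $headers['from'] } else { '' }
    if (Test-DisplayNameSpoof -From $from) { exit 0 } else { exit 1 }
}

# No -msg given: self-test on a constructed message (folded Subject, spoofed display name).
$sample = @"
From: "ceo@corp.example" <attacker@evil.example>
To: finance@corp.example
Subject: Urgent wire
    transfer
Content-Type: text/plain

Please pay the attached invoice.
"@
$tmp = Join-Path $env:TEMP 'sg-execute-sample.eml'
[System.IO.File]::WriteAllText($tmp, $sample)
$h = Get-MessageHeaders -Lines ([System.IO.File]::ReadAllLines($tmp))
"Unfolded Subject: $($h['subject'])"
"Display-name spoof detected: $(Test-DisplayNameSpoof -From $h['from'])"
```

Keep scripts in the Sieve Executable Path minimal and read-only to the service account: they run for every message that reaches the rule, with the privileges of the SecurityGateway Windows Service.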

Added the ability to export all archived messages for a domain.

Change/Audit logging - Added a new log file which logs changes to the configuration and who made them.

Added the ability to send user and administrative quarantine reports on a defined schedule.

Added an option for emailed quarantine reports to include only new messages that have been quarantined since the last time the quarantine report email was sent. A quarantine report will not be generated if there are no new messages to include in the report.

Additional Features and Changes

Updated the "Forgot Password" process to send an email with a link to change the user's password.

LetsEncrypt - Updated script to look for the new Issuer being used by LetsEncrypt.

Updated DKIM signing to use the SHA-256 hash (rsa-sha256). RFC 8301 deprecates rsa-sha1, so signatures made with it may be rejected by current verifiers.

Added GetServerSetting and PutServerSetting methods to XMLRPC API and PowerShell module.

Added the SMTP connection and protocol timeouts to the Setup » Mail Configuration » Email Protocol page.

Added the ability to download attachments from the Message Log » Message Information » Message tab.

Updated the alert, confirm, and prompt message boxes.

Added several example PowerShell scripts to the docs\API\PowerShell Samples directory for reference.

The HELO Domain Name value (Setup » Mail Configuration » Email Protocol) is now a per-server setting in clustered environments. The value may be set to a unique value on each server in the cluster.

Added the ability to manually execute an SQL statement against the database from the web interface. This feature should only be used on the instruction of technical support and it is recommended that a database backup be performed first.

Added option to include "Blacklist Domain" link in the quarantine report email.

For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.


New in Version 7.0.0

Special Considerations

On the Email Protocol page (at Setup » Mail Configuration » Email Protocol), two options have been removed: Use ESMTP whenever possible and Hide ESMTP SIZE command parameter. Both options are now always advertised and ESMTP is used whenever possible.

Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite the existing clamd.conf. If you have customized your clamd.conf you may need to review and make changes to it after installation.

The Logging Configuration option to "Create log files based on the day of the week" has been removed. If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.

New Features and Changes

Clustering

SecurityGateway's new Clustering feature is designed to share your configuration between two or more SecurityGateway servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple SecurityGateway servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. Here are a number of key points to know about SecurityGateway's Clustering feature (for more detailed information and setup instructions, see: Clustering):

Clustering allows multiple active SecurityGateway instances/servers to share a single database.

An external Firebird version 3 database server must be manually installed and configured.

An option has been added to the installer that allows external Firebird server parameters to be specified during an initial installation. An existing installation may be configured to connect to an external Firebird database server via the sgdbtool.exe command line tool.

Shared storage is required and shared directories must be set to a UNC path that all servers in the cluster can access. This may require changing the user account for the SecurityGateway Windows Service.

The primary server is responsible for scheduled maintenance tasks.

Each server in the cluster must have its own unique registration key.

Firebird 3 Database Upgrade

Firebird 2 and 3 runtimes are included and installed in SecurityGateway 7.0.

New installations of SecurityGateway 7.0 or later will use Firebird 3.

When updating an existing SecurityGateway installation to SecurityGateway version 7 or later, Firebird 2 will continue to be used.

Using the new Clustering feature requires a Firebird 3 database.

Upgrading the database so that it is compatible with Firebird 3 requires that it be backed up using the 2.x runtime and restored using the 3.x runtime. The Administrator may upgrade an existing database from version 2 to 3 by using the sgdbtool.exe command line tool, located in the \SecurityGateway\App folder. To convert the database, stop the SecurityGateway service, open the Command Prompt, and run: "sgdbtool.exe convertfb3".

Two Factor Authentication

Under User Options, administrators may allow and require Two Factor Authentication (2FA) globally or per domain. If 2FA is required, the user is presented with a Setup 2FA page the first time they sign in. Otherwise the user can go to Main » My Account » Two Factor Authentication to set up 2FA.

Check for Compromised Passwords

SecurityGateway can check a user's password against a compromised password list from a third-party service, and it is able to do this without transmitting the password to the service. If a user's password is present on the list, it does not mean the account has been hacked. It means that someone somewhere has used an identical password before and it has appeared in a data breach. Unique passwords that have never been used anywhere else are more secure, as published passwords may be used by hackers in dictionary attacks. See Pwned Passwords for more information.
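How a check like this avoids sending the password, shown as an added PowerShell example (not SecurityGateway's own code): the Pwned Passwords service offers a k-anonymity range API in which only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix in that range, and the comparison happens locally. The API URL and the Add-Padding header are those published by the Pwned Passwords service; whether SecurityGateway performs exactly this call is not stated on the page. The range response used in the walk-through is constructed so the block runs offline.

```powershell
# Added example, not SecurityGateway code. Demonstrates the Pwned Passwords
# k-anonymity lookup: hash locally, send a 5-character prefix, match the suffix
# locally. Only Test-PwnedPassword touches the network.
function Get-PwnedPasswordHashParts {
    param([Parameter(Mandatory)][securestring]$Password)
    # Decrypt only long enough to hash, then scrub the unmanaged copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $sha1  = [System.Security.Cryptography.SHA1]::Create()
        try {
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($plain)
            $hex   = [System.BitConverter]::ToString($sha1.ComputeHash($bytes)) -replace '-', ''
        } finally { $sha1.Dispose() }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    return [pscustomobject]@{ Prefix = $hex.Substring(0, 5); Suffix = $hex.Substring(5) }
}

function Find-PwnedSuffixCount {
    # $RangeBody is the text returned for /range/{prefix}: one "SUFFIX:COUNT" per line.
    # Padded responses contain decoy suffixes with count 0; those must not count as a hit.
    param([Parameter(Mandatory)][string]$RangeBody, [Parameter(Mandatory)][string]$Suffix)
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -ne 2) { continue }
        if ($parts[0].Equals($Suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return [int64]$parts[1]
        }
    }
    return 0
}

function Test-PwnedPassword {
    param([Parameter(Mandatory)][securestring]$Password)
    $h    = Get-PwnedPasswordHashParts -Password $Password
    # Add-Padding asks the service to pad the response so its size does not leak the range.
    $body = Invoke-RestMethod -Method Get -Uri "https://api.pwnedpasswords.com/range/$($h.Prefix)" `
                              -Headers @{ 'Add-Padding' = 'true' }
    $count = Find-PwnedSuffixCount -RangeBody ([string]$body) -Suffix $h.Suffix
    return [pscustomobject]@{ Prefix = $h.Prefix; Breached = ($count -gt 0); Occurrences = $count }
}

# Offline walk-through. SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# prefix sent would be 5BAA6. The range body below is constructed (a real one is far longer):
# one padding decoy with count 0 and one genuine entry for our suffix.
$parts  = Get-PwnedPasswordHashParts -Password (ConvertTo-SecureString 'password' -AsPlainText -Force)
$sample = "0000000A1B2C3D4E5F60718293A4B5C6D7E:0`r`n1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493`r`n"
"Prefix sent to the service: $($parts.Prefix)"
"Matches in constructed range: $(Find-PwnedSuffixCount -RangeBody $sample -Suffix $parts.Suffix)"
"Decoy treated as a hit: $((Find-PwnedSuffixCount -RangeBody $sample -Suffix '0000000A1B2C3D4E5F60718293A4B5C6D7E') -gt 0)"
```

The prefix alone identifies a range of several hundred hashes, so the service learns neither the password nor its full hash; the remaining privacy concern is that a prefix still narrows the search, which is why the service's padding option is used above.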

Domain Administrators Can Create New Domains

There is a new option on the Edit Administrator page that allows you to give a Domain Administrator permission to create new domains. The administrator will be automatically added as a Domain Administrator for any domains that they create. There is also an option to set a limit on how many domains the administrator is allowed to create.

New SMTP Extensions

RequireTLS (RFC 8689)

The RequireTLS effort in IETF is finally finished, and support for this has been implemented. RequireTLS allows you to flag messages that must be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. RequireTLS is enabled by default, but the only messages that will be subject to the RequireTLS process are messages specifically flagged by a Content Filter rule using the new Content Filter action, "Flag message for REQUIRETLS...", or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com). All other messages are treated as if the service is disabled. Additionally, several requirements must be met in order for a message to be sent using RequireTLS. If any of them fail, the message will bounce back rather than be sent in the clear. For more information about these requirements and how to set up RequireTLS, see the Enable REQUIRETLS (RFC 8689) option. For a complete description of RequireTLS, see: RFC 8689: SMTP Require TLS Option.

SMTP MTA-STS (RFC 8461) - Strict Transport Security

The MTA-STS effort in the IETF has finished, and support for it has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism that lets mail service providers declare their ability to receive TLS-secured SMTP connections and specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. MTA-STS support is enabled by default. See the Enable MTA-STS (RFC 8461) option for more information on setting this up. MTA-STS is fully described in RFC 8461: SMTP MTA Strict Transport Security (MTA-STS).
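The sending-side logic that MTA-STS adds, as an added PowerShell example (not SecurityGateway's implementation): it parses a policy file, matches MX hosts against the policy's "mx" patterns with the one-label wildcard rule from RFC 8461 section 4.1, and applies the mode semantics (enforce refuses, testing delivers but records the failure for a TLS report, none disables the policy). The DNS and HTTPS lookup helpers use the `_mta-sts.<domain>` TXT record and `https://mta-sts.<domain>/.well-known/mta-sts.txt` locations defined by the RFC; the policy text used in the walk-through is constructed so the block runs offline.

```powershell
# Added example, not SecurityGateway code. MTA-STS policy parsing, MX matching and
# the resulting delivery decision for a sending MTA (RFC 8461).
function ConvertFrom-MtaStsPolicy {
    param([Parameter(Mandatory)][string]$Text)
    $policy = [ordered]@{ version = $null; mode = $null; max_age = $null; mx = @() }
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        $sep = $line.IndexOf(':')
        if ($sep -lt 1) { throw "Malformed policy line: $line" }
        $key   = $line.Substring(0, $sep).Trim()
        $value = $line.Substring($sep + 1).Trim()
        switch ($key) {
            'version' { $policy.version = $value }
            'mode'    { $policy.mode    = $value }
            'max_age' { $policy.max_age = [int]$value }
            'mx'      { $policy.mx     += $value.ToLowerInvariant() }
            default   { }   # unknown keys are ignored for forward compatibility
        }
    }
    if ($policy.version -ne 'STSv1') { throw "Unsupported policy version: $($policy.version)" }
    if ($policy.mode -notin 'enforce', 'testing', 'none') { throw "Unknown mode: $($policy.mode)" }
    return [pscustomobject]$policy
}

function Test-MtaStsMxMatch {
    param([Parameter(Mandatory)][string]$MxHost, [Parameter(Mandatory)][string[]]$Patterns)
    $h = $MxHost.TrimEnd('.').ToLowerInvariant()
    foreach ($p in $Patterns) {
        if ($p.StartsWith('*.')) {
            # RFC 8461 4.1: the wildcard matches exactly one leftmost label, so
            # "*.example.net" matches mx1.example.net but not a.b.example.net.
            $labels = $h.Split('.')
            if ($labels.Count -ge 2 -and (($labels[1..($labels.Count - 1)]) -join '.') -eq $p.Substring(2)) { return $true }
        } elseif ($h -eq $p) {
            return $true
        }
    }
    return $false
}

function Get-MtaStsDeliveryDecision {
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][string]$MxHost,
        # Outcome of the STARTTLS handshake: trusted chain and a certificate name covering the MX host.
        [Parameter(Mandatory)][bool]$TlsValidated
    )
    if ($Policy.mode -eq 'none') { return 'deliver (policy inactive)' }
    $ok = $TlsValidated -and (Test-MtaStsMxMatch -MxHost $MxHost -Patterns $Policy.mx)
    if ($ok) { return 'deliver' }
    if ($Policy.mode -eq 'enforce') { return 'refuse: MX not in policy or TLS not validated' }
    return 'deliver, but record the failure for the TLS report (testing mode)'
}

# Live lookup helpers (well-known names from RFC 8461); not used by the offline walk-through.
function Get-MtaStsDnsRecord  { param([string]$Domain) (Resolve-DnsName -Name "_mta-sts.$Domain" -Type TXT).Strings }
function Get-MtaStsPolicyText { param([string]$Domain) (Invoke-WebRequest -Uri "https://mta-sts.$Domain/.well-known/mta-sts.txt" -UseBasicParsing).Content }

# Constructed sample policy.
$policyText = @"
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"@
$policy = ConvertFrom-MtaStsPolicy -Text $policyText
"mx1.example.net matches:   $(Test-MtaStsMxMatch -MxHost 'mx1.example.net' -Patterns $policy.mx)"
"a.b.example.net matches:   $(Test-MtaStsMxMatch -MxHost 'a.b.example.net' -Patterns $policy.mx)"
Get-MtaStsDeliveryDecision -Policy $policy -MxHost 'mail.example.com' -TlsValidated $true
Get-MtaStsDeliveryDecision -Policy $policy -MxHost 'mail.example.com' -TlsValidated $false
Get-MtaStsDeliveryDecision -Policy $policy -MxHost 'mail.evil.example' -TlsValidated $true
```

The last call is the case MTA-STS exists for: a DNS MX record pointing at a host outside the policy, as an attacker controlling DNS could arrange, is refused in enforce mode even though that host presents a perfectly valid certificate.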

SMTP TLS Reporting (RFC 8460)

TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, SecurityGateway will send a report daily to each STS-enabled domain to which it has sent (or attempted to send) mail that day. There are several options provided for configuring the information that your reports will contain. TLS Reporting is disabled by default and discussed in RFC 8460: SMTP TLS Reporting.

Additional Features and Changes

Updated the SecurityGateway GUI with a more modern appearance.

Updated the FusionCharts graphing component.

Added ability to exclude specific senders from virus scanning.

Added option for whitelist to take precedence over blacklist.

LetsEncrypt will now check the version of PowerShell running on the machine and return an error if the correct version has not been installed.

LetsEncrypt will now check the PSModulePath environment variable to make sure the SG module path is included, if it is not, it will be added for the session.

LetsEncrypt will now delete and recreate the account when changing between the staging and live LetsEncrypt systems.

LetsEncrypt will now retrieve errors from LetsEncrypt when a challenge fails and write the data to the log and to the screen.

LetsEncrypt has a new -Staging switch that can be passed on the command line.  If this switch is passed the script will use the LetsEncrypt staging system to request a certificate.

Updated JSTree library to version 3.3.8.

Added ability to specify which user account the SecurityGateway Windows Service runs under.

Added support for the Sieve Variables Extension (RFC 5229).

Added :eval modifier to SIEVE Variables Extension, which allows you to do simple computations.

Example:

    require "securitygateway";
    require "variables";
    require "fileinto";

    if header :matches "from" "*" {
       set :length "length" "${1}";
       set :eval "fileintovar" "${length} * 25 - 1 / 8+3";
       fileinto "${fileintovar}";
    }

The "Create log files based on the day of the week" option has been removed.  If this option was selected, it will be changed to "Create a new set of log files each day" by the upgrade process.

Added an option to toggle viewing a password when it's being typed. A new access control option added to the User Options page allows this feature to be disabled.

Changed Cyren AV updater to use TLS when downloading virus definitions.

Added an option to include the computer name in the log file name.  This option is required if the log directory is set to a UNC path and allows multiple servers in a cluster to log to the same location.

Added option to the installer to specify external Firebird server parameters during initial installation.

Updated Chilkat library to version 9.5.0.82.

Added a logging option to not log SMTP or HTTP connections from specified IP addresses. Incomplete and rejected SMTP messages from a specified IP address will also not be added to the database. If the message is accepted for delivery, it will be added to the database.

Added Sieve action "changesender", which allows the SMTP envelope sender that SecurityGateway will use to deliver the message to be changed/specified.

Updated Cyren AV engine to 6.3.0r2.

Updated ClamAV engine to version 0.102.4.

For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.


New in Version 6.5.0

Special Considerations

The LetsEncrypt functionality has been updated to use ACME v2. This update is required because LetsEncrypt is discontinuing support for ACME v1. PowerShell 5.1 and .Net Framework 4.7.2 are now required in order to use LetsEncrypt.

New Features and Changes

Updated ClamAV to version 0.102.0

Updated Cyren AV engine to version 6.2.2.

Added support to scan RAR archives for attachment filtering.

Added an Archiving option to send a Journaling Report with a copy of internal messages, external messages, or all messages to a specified email address.

Added the ability to remove the subject tag used to trigger RMail processing.

Added the ability to exclude calendar invitation messages from RMail processing.

Added support to host the database on a standalone external Firebird server. A "-setdbconnect" parameter has been added to sgdbtool.exe to specify the IP address, database path/alias, username, and password to use when connecting to the database.

The "Include 'Blacklist' link in quarantine email" option has been renamed to "Include 'Blacklist' option in quarantine list and email" and also applies to the user's quarantine list view in the web interface.

Added XML API functions to manage Sieve scripts.

Added XML API functions to enable archiving and manage archive stores.

All settings related to DKIM ADSP have been deprecated and removed.

Added ability to scan TNEF (winmail.dat) files for restricted attachments.

Messages from a domain mail server will now be DKIM signed (if enabled) even if the SMTP session has not authenticated.

Added option to detect macros in documents during virus scanning.

Disabled registry reflection: the 64-bit Windows registry view is always used, even when the 32-bit build runs on a 64-bit operating system. Existing registry keys and values that may exist under the Wow6432Node are copied to the non-reflected location HKEY_LOCAL_MACHINE\SOFTWARE\ALT-N Technologies\SecurityGateway.

For a complete list of all changes and bug fixes, see the Release Notes located in the SecurityGateway program group under the Windows Start Menu.


New in Version 6.1.0

Changes and New Features

Archiving Compliance

This new Archiving screen contains settings for controlling how long archived messages must be protected from deletion and how long they will be retained before automatic deletion. There is also a Forget Contact option for deleting archived messages that were sent from (and optionally to) specific users, and a Legal Hold option for preventing any archived emails from being deleted, regardless of any other settings or user privileges set elsewhere in SecurityGateway.

Other New Archiving Features

Under Accounts » User Options » Access Control, a new option was added to "Allow users to delete archived messages addressed to or from their account." This option is disabled by default.

There is a new link on the User Settings page that allows you to delete all archived messages sent or received by the user. A confirmation box opens before the messages are deleted.

Office 365/Azure AD User Verification

You can now utilize Office 365/Azure Active Directory as a user verification source. This allows SecurityGateway to query Office 365/Azure Active Directory directly to verify users, obtain associated aliases, and verify user passwords. In order to query Office 365/Azure Active Directory you must first grant permission following the steps outlined here: https://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1229.

Other Changes

Added the ability to search white and black lists.

Added the ability to sort the quarantine report by score. The messages with the lowest spam score, and more likely to be false positives, will appear at the top of the report.

LetsEncrypt now includes an option to delete certificates that were issued by LetsEncrypt, have a subject the same as the FQDN in SecurityGateway and with an expiration date over 30 days ago. To use this option pass -RemoveOldCertificates as a command line parameter.

LetsEncrypt: By default, the .NET Framework web client used by Windows PowerShell only enabled SSLv3 and TLS 1.0. Code was added to enable TLS 1.0, 1.1, and 1.2 for the active session. PowerShell also honors the operating system's client SSL/TLS protocol settings, so if you disable TLS 1.0 as a client protocol in the operating system, PowerShell will not attempt to use it.

Updated Chilkat library to version 9.5.0.78


New in Version 6.0.0

SPECIAL CONSIDERATIONS

SecurityGateway now requires at least Windows Vista or Windows Server 2008. Due to the discontinuation of security patches from Microsoft, and the lack of required functionality, Windows XP and Windows 2003 are no longer supported.

New Features

Message Archiving

Added support for long term email archiving. Archived messages are fully searchable, and the archived messages are stored in configurable archive stores.

64bit Version

A 64-bit version of SecurityGateway is now available for installation on 64-bit operating systems. The 64-bit version can handle a higher number of active sessions before running out of memory.

Improved Data Leak Prevention

Over sixty additional data leak prevention rule templates are now available.

Additional Changes and Features

Improved support for Google G Suite. If a domain mail server is configured to deliver mail to Google G Suite (aspmx.l.google.com), connections from any Google G Suite mail server will be treated as from a domain mail server. This facilitates SecurityGateway being used as an outbound mail gateway with Google G Suite.

The options to refuse messages that are not RFC compliant or are incompatible with DMARC now perform additional checks for invalid syntax in the From header.

Updated inbound/outbound icons in the message log view

Added support for TLS Server Name Indication (SNI) which allows a different certificate to be used for each domain without requiring them to be on different IP addresses. Multiple certificates can be active, and SecurityGateway will use whichever one has the requested host name in its Subject Alternative Name field.

Self-signed certificates can now be created with larger key sizes, use SHA-2 instead of SHA-1, and automatically include the main host name in the Subject Alternative Name field.

Updated Cyren AV engine to version 6.2.0r2.  This version fixes a few reported scanning errors.

SMTP Callback Verification now supports encrypted connections using STARTTLS.

Updated ClamAV to version 0.101.1