MDaemon Server v22.0 Release Notes

MDaemon 22.0.4 - April 18, 2023

SPECIAL CONSIDERATIONS

[16456] Hosted email options with MDaemon Private Cloud are now available. To learn more, please visit: http://www.altn.com/Products/MDaemon-Private-Cloud/.

[26765] Cyren Anti-Virus has been replaced with IKARUS Anti-Virus. Cyren recently announced its plans to discontinue operations with little warning. This necessitated the need for us to find a new anti-virus partner. After a thorough evaluation, IKARUS stood out for its excellent detection rate and speed. The IKARUS Anti-Virus automatically updates its definitions every 10 minutes. Scanning with IKARUS is disabled if your AntiVirus license is expired.

[26802] Cyren Outbreak Protection been removed. Cyren recently announced its plans to discontinue operations with little warning. We are actively researching and considering viable antispam technologies as suitable additions to the existing antispam mechanisms found in our software products.

CHANGES

• [26738] Updated ClamAV to version 0.105.2.

FIXES

• [26380] fix to ActiveSync - crash when client downloads particular message
• [26492] fix to security vulnerability in Webmail
• [26827] fix to WorldClientAPI does not respond with 404 Not Found for bad origins
• [26856] fix to possible crash in MDUser.dll

MDaemon 22.0.3 - August 30, 2022

FIXES

• [26292] fix to AntiVirus - update notifications may have blank FROM header
• [26297] fix to Active Directory monitoring corrupts non-ASCII text in the Comment field of public contacts
• [26299] fix to Pro theme - When HTML Compose is disabled, "Loading" is displayed when composing
• [26289] fix to Content Filter - Some extended characters not recognized during filtering
• [26293] fix to AntiVirus - Changed ClamAV definition update notification to 7 days by default
• [26300] fix to AntiVirus - ClamAV will not run on older systems without proper runtime libraries
• [26345] fix to Content Filter - Non-ASCII characters in attachment filenames may be corrupted

MDaemon 22.0.2 - July 26, 2022

FIXES

• [26222] fix to MDRA - Access Denied errors given accessing Account Editor views
• [26225] fix to AntiVirus - gibberish line in AV log when Cyren AV is disabled
• [26206] fix to Spam Filter - changed sa-update.exe to use the next mirror in the list if mirror failed with verification
• [26224] fix to possible crash in WebAdmin.dll
• [26230] fix to ActiveSync - Gmail app crashes when opening a particular meeting request
• [26234] fix to Pro theme - Spell check not working in HTML editor
• [26235] fix to MDRA - Using the log filter, opening a result that contains umlauts results in an empty window
• [26250] fix to AntiVirus - reverted Cyren AV back to version 6.5.2r2
• [26249] fix to Pro theme - folder list cached from previous login
• [26256] fix to MDRA - When double clicking a session at Main | Active Sessions an iframe with an error appears
• [26259] fix to MDRA - Unable to add an account to the list of ActiveSync Accounts at ActiveSync | Account Management
• [26258] fix to MDRA - Unable to revoke all accounts at ActiveSync | Account Management
• [26261] fix to MDRA - Unable to save gateway forwarding changes
• [26262] fix to AntiVirus - possible fix to ClamAV "init-error" when scanning messages
• [26273] fix to AntiVirus - Cyren threat lookup disabled by default in UI when it should not be

MDaemon 22.0.1 - July 5, 2022

CHANGES AND NEW FEATURES

• [24735] MDRA - Added ability to resize and move the dialog popups.
• [26010] MDRA - Added a Delete All button for Queues, and added the ability to use CTRL + A to select all items in a Queue.
• [24811] MDRA - Added a table of each user's thirty most recent Webmail sign-ins at Main | Account Manager | Edit account.
• [26042] AntiVirus - Added an option to enable/disable Cyren's Threat Lookup at AntiVirus | Virus scanning | Use the Cyren... | Configure
• [25817] MDRA - Added a new mobile-friendly list control to replace the multi-select list
• [24782] A client signature can now be set per group. The client signature will be pushed to members that use Webmail or MDaemon Connector. A group client signature overrides a domain client signature, which overrides the default client signature. In the MDaemon GUI go to Accounts | Groups & Templates to edit a group and set its client signature. Clear the text in the editor to remove a client signature.
• [26069] Pro theme - Switched from Jodit to TinyMCE HTML editor.
• [25958] Pro theme - Added "Message Window Closes on Delete" feature.
• [25957] Pro theme - The message window will close when deleting the last message in a folder.
• [26158] Spam Filter - Added an option to log Spam Filter updates at Security | Spam Filter | Updates.
• [26193] AntiVirus - Updated Cyren AV to version to 6.5.4r21.

FIXES

• [26017] fix to EDNS0 is not being used for outbound SMTP and POP connections
• [26029] fix to MDRA - Unable to save changes after changing content filter rule condition
• [21966] fix to Content Filter - restricted attachments not being applied to nested RAR files
• [26054] fix to AntiVirus - possible lock up during virus scanning
• [26048] fix to Content Filter - restricted attachments not being applied to nested 7zip files
• [25993] fix to Webmail - Published Calendar - Event that spans two days between two months causes empty list view
• [25750] fix to possible crash in WorldClient.dll
• [26103] fix to Pro theme - Message List - When there is no message preview, double-clicking a message opens three instances
• [25950] fix to Webmail - Remember Me often lost when upgrading the MDaemon server
• [26140] fix to AntiVirus - wrong version of ClamAV included
• [26143] fix to AntiVirus - possible crash if debug logging is enabled for ClamAV
• [23762] fix to XMPP Server - possible crash during shutdown
• [26157] fix to MDRA - Reflected Cross Site Scripting (XSS) vulnerabilities reported by Pankaj Kumar Thakur from Green Tick Nepal Pvt. Ltd.
• [26156] fix to MDRA - Compression Exempt list entries are written to the CFCompress.dat file on a single line
• [26169] fix to MDRA - Minger - Shared Secret password is limited to 10 characters
• [26174] fix to Pro theme - Cannot send a message with only BCC recipients
• [26175] fix to Pro theme - Inline images are not working in the Compose view
• [26177] fix to Pro theme - Password Recovery page does not work when 2FA is enabled
• [26159] fix to Pro theme - IIS - When message view is set to 500, messages remain when deleting a full page
• [24677] fix to Content Filter - header line not MIME-encoded back after being modified
• [26144] fix to ActiveSync - all day events may span two days
• [26127] fix to MDIM - MDMailCheck - If a user logs out of Webmail and tries to use MDMailCheck to open Webmail the login page will be shown
• [26197] fix to Webmail - Logging in from MDIM goes to an error page if 2FA is enabled

MDaemon 22.0.0 - May 17, 2022

SPECIAL CONSIDERATIONS

[25771] 32-bit MDaemon has been discontinued. MDaemon 22.0 and newer will only be available in 64-bit. If you are currently running a 32-bit version on a supported 64-bit operation system, you can simply install the 64-bit version on top of the existing installation.

[23752] The minimum length for strong passwords must now be at least 8 characters. If your minimum length was set to fewer than 8 characters before updating to MDaemon 22, it will be changed to 8. The default minimum length for strong passwords on new installs is now 10.

[25215] MDaemon is moving away from using the terms "whitelist" and "blacklist". In many cases, they are now "allow list" and "block list". Features that had a "white list" to exempt IPs, addresses, etc., now have an "exempt list". The per-user spam filter contacts folders are now named "Allowed Senders" and "Blocked Senders". The folders for all accounts will be renamed when MDaemon 22 starts up for the first time.

CHANGES AND NEW FEATURES

WEBMAIL

• [25278] When strong passwords are required, there is now a list of password requirements that displays green and checked off as the user meets the requirements. Also added more descriptive error messages for what is wrong with an invalid password on submission.
• [25418] Pro theme - Added a contact hover popup in the message views that gives options to add a contact (if it does not exist), send a message, add to allow sender or add to block sender.
• [16458] Added a Two Factor Auth Exception IPs view in Remote Admin. Exception IPs apply to both Webmail and Remote Admin.
• [19670] Added options to set a default from address on reply and forward at Settings | Compose.
• [25670] Pro theme - Added support for external compose, message, event, contact, task, and note views over HTTP connections.
• [25394] Pro theme - Added an option to open the next unread message from the message preview pane and message view.
• [25608] Added a 1 minute option to the List Refresh Time at Options | Personalize.
• [24147] Added HTTP Strict Transport Security as a default response header.
• [25431] Pro theme - Added message snippets to the message list when in multiline mode.
• [17531] Pro theme - Added the ability to edit the Display Name of an alias at Settings | Compose. Disabled by default. Can be enabled in MDRA at Main | Webmail Settings | Settings | "Allow users to edit their alias display names".
• [25805] Added support for CSRFTokens on the Sign-in page. Enabled when "Use Cross-Site-Request-Forgery tokens" is enabled in MDRA at Main | Webmail Settings | Web Server. If you are using custom templates for Webmail, add a hidden input to the Login form as follows: <input type="hidden" name="LOGINTOKEN" value=<$LOGINTOKEN$> />
• [25796] Public Calendar - Modified the List view to start on the current day and show the next 30 days.
• [25744] Added automatic conversion of URLs to hyperlinks in the message view.
• [25845] Pro theme - Added the Flag column to the mail list sort options.
• [16750] The names of default folders (Drafts, Sent Items, etc.) are translated into the Webmail user's language no matter which language of MDaemon is installed (previously only the English MDaemon did this).
• [25751] Added an option to send Two Factor Auth verification codes to an email address.
• [25923] Pro theme - Added red color to overdue tasks text in the Tasks list.
• [25922] LookOut and WorldClient themes - Changed all list category display behavior to match.
• [24576] Pro theme - Upgraded the XMPP client to version 4.4.0.
• [25215] The Allowed Senders and Blocked Senders folders now have different icons to indicate that they are special folders.
• [25951] Added Content-Security-Policy and Referrer-Policy as default response headers.
• [26006] Webmail - Upgraded CKEditor to v4.18

REMOTE ADMINISTRATION (MDRA)

• [16458] Added a Two Factor Auth Exception IPs view in Remote Admin. Exception IPs apply to both Webmail and Remote Admin.
• [25612] Changed autocomplete="off" to autocomplete="new-password" on password fields to stop FF from autocompleting passwords outside of the login page.
• [25137] Added the Notifcation Message Editor at Security | Content Filter | Notifications.
• [24147] Added HTTP Strict Transport Security as a default response header.
• [25805] Added support for CSRFTokens on the Sign-in page. Enabled when "Use Cross-Site-Request-Forgery tokens" is enabled in MDRA at Remote Admin Settings | Settings.
• [25868] Added ability to view and manage custom remote and local queues.
• [25951] Added Content-Security-Policy and Referrer-Policy as default response headers.

SECURITY

• [25242] Support for Cyren's threat lookup service has been added to the Cyren AV engine. When the AV engine detects a suspicious file that is not classified by the virus definitions it will generate a hash of the file and query Cyren's threat lookup service. Cyren’s threat lookup service is a 100% cloud-based solution that allows MDaemon to conduct a file integrity check and get up-to-moment classification of malware threats based on Cyren’s global threat intelligence.
• [25649] MDaemon now supports TLS 1.3 on newer versions of Windows. Windows Server 2022 and Windows 11 have TLS 1.3 enabled by default. Windows 10 versions 2004 (OS Build 19041) and newer have experimental TLS 1.3 support that can be enabled for inbound connections by setting the following in the registry:

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
                  DisabledByDefault (DWORD) = 0
                  Enabled (DWORD) = 1

• [25430] MDaemon logs the cipher suite (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) used by SSL/TLS connections.
• [22820] Added an option at Accounts | Account Settings | Other | Passwords for strong passwords to require a special character (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~). It is enabled by default for new installs and disabled by default for existing installs.
• [24900] AV Mailbox Scanner - When an infected message is found during mailbox scan MDaemon's infected counter will be incremented.
• [26076] AntiVirus - Updated ClamAV to version 0.104.3.

ACTIVESYNC

• [25872] Improved FolderSync performance.
• [25756] The ActiveSync Connection Monitoring Dialog has a new right-click menu command to terminate a session and block a client.
• [25843] Added the ability for Outlook to send mail using an alias. If Reply-To is set to a valid alias for the sending account, the message will be sent via that alias.
• [24846] Added support for EAS 16.1 Find command. Removed the protocol restriction preventing iOS from using EAS 16.1

OTHER

• [21284] Content Filter - Added support for $CONTACT...$ macros in the "Append a corporate signature" action. These macros can be used to personalize the signature with information from the sender's contact in their public contacts folder. Search the documentation for "Signature Macros" for a full list of supported macros.
• [24180] Content Filter - Added an action to extract attachment and add attachment linking into the message.
• [17799] Summary Emails for the holding, quarantine, and bad queue may now have links to release, re-queue, or delete each message. This option is enabled by default. It can be disabled at Queues | Mail Queues / DSN | Mail Queues | Holding Queue. The Remote Administration URL must be set for the links to be generated.
• [25708] LetsEncrypt - Updated the script to work with PS 7.
• [24330] Added a Deferred Delivery option at Setup | Server Settings | Message Recall to replace the 'Date:' header with the current date and time when a message is released from the Deferred Queue. It is disabled by default.
• [25860] MDaemon Connector has been updated to version 7.0.7.
• [25770] XMLAPI - Added support for forwarding scheduling.

FIXES

• [23799] fix to DSN messages are not DKIM signed
• [16896] fix to settings for the 'Everyone' and 'MasterEveryone' mailing lists are reset at startup
• [25677] fix to Pro theme - does not save language settings from login
• [25785] fix to Pro theme - Disabling HTML Compose prevents message composition
• [25799] fix to Pro theme - Messages with no body do not finish loading
• [25828] fix to Pro theme - relative URLs in emails are being converted to absolute paths in the plain/text part
• [25830] fix to Pro theme - When Auto-Cancel Saved Search is unchecked searches are still canceled when switching between folders
• [25835] fix to Pro theme - Saved Searches do not show up in the folder list if there are none
• [25841] fix to spam released from trap/holding queue going to junk mail folder
• [25848] fix to CalDAV - invalid iCalendar generated from event with HTML comments
• [25948] fix to disabling Dynamic Screening via the configuration property sheet does not work as expected
• [25851] fix to Webmail - Text not translated on Folder Options page
• [25852] fix to MDRA - Upload Custom Image not working
• [25856] fix to Pro theme - Cannot copy or move an entire page of messages to another folder
• [25878] fix to SMTP server closes connection when it receives a BDAT 0 LAST command
• [25880] fix to MDRA - Browse Users and Browse Groups buttons may not work when running in IIS
• [25813] fix to ActiveSync - attachments in meeting events may not be shown
• [25836] fix to ActiveSync - memory leaks
• [25777] fix to ActiveSync - SendMail operations from a particular client fail with a bad request error
• [25873] fix to ActiveSync - BlackBerry Hub unable to sync mail
• [25671] fix to ActiveSync - BlackBerry Hub doesn't show attachment
• [25870] fix to XMLAPI - not validating the format of date/time values
• [24801] fix to MDRA - incorrect German translation of From and To in the Reports section
• [25901] fix to Webmail - In the Task list, printable ASCII symbols are displayed in their HTML-encoded form
• [25891] fix to Active Directory monitoring Windows domains limited to 17 characters
• [25925] fix to MDRA - account data is not moved to new location when mail folder is changed
• [25934] fix to SMTP response code mismatch when "Send heuristic results to SMTP clients" is enabled
• [25971] fix to possible crash in WorldClient.dll
• [25975] fix to Attachment Linking - when logged into WebMail with HTTPS attachment link will not work
• [25990] fix to Webmail - XSS vulnerability
• [14404] fix to mailing list headers and footers may not be applied to messages with attachments or inline images
• [25991] fix to Content Filter not expanding $MESSAGEID$ macro properly for a particular message
• [26004] fix to Pro theme - deleting a message from the message preview results in the wrong message being selected next
• [26007] fix to Pro theme - Possible to double click on Save in Contact, Event, Task, and Note editors and create multiple items
• [25750] fix to possible crash in WorldClient.dll
• [26058] fix to ActiveSync - iOS clients can delete public contacts without having the required permissions