Changes and New Features
Webmail
MDaemon supports the Web Authentication API (also known as WebAuthn), which Webmail users can utilize to have a secure, passwordless sign-in experience, by allowing them to use biometrics, USB security keys, Bluetooth, and more for authentication. WebAuthn can also be used for Two-factor Authentication (2FA), although if you are using both passwordless authentication and two-factor authentication then you can't use the same authentication method for both. You can find the WebAuthn settings on the Webmail Settings page.
Visit: webauthn.guide, for more information on WebAuthn and how it works.
As of MDaemon 23.5.0, the Pro theme in MDaemon's Webmail client includes various Artificial Intelligence (AI) features to help assist your users in managing their email and increasing productivity. With these features, in MDaemon Webmail you can use AI (specifically ChatGPT by OpenAI) to get a summary of the contents of an email message, suggest a reply to a message based on criteria you choose, and help you compose a new message based on some of your own text and other criteria.
Webmail's AI message features are disabled by default for all domains. They can be enabled by using the "Enable AI message features" option on the Webmail Settings page or the Domain Manager's Webmail page. Webmail's AI message features are also disabled per user by default. You can enable them per user on the Account Editor's Web Services page, or as part of a Group controlled by an Account Templates. When the Domain setting is disabled, that takes precedence over the user setting. Therefore, none of that domain's users will be able to use the AI message features regardless of their user setting.
See: Webmail's AI Message Features, for more information and cautions about using these features. Further, you can find MDaemon Technologies' AI Usage Policy at our Artifical Intelligence (AI) Information Page. On that same page there is also a link to OpenAI's Terms of Use.
Theme Improvements
•Pro and WorldClient: There is now an option to delete all attachments from a given message.
•Pro and WorldClient: Added a Description column to the Documents view.
•Pro: The Compose view contact picker now has a dialog for adding a contact with three fields (Name, Email, Mobile Phone).
•Pro: There are new Style options at: Settings | Personalize.
•Pro: Multiple event reminders are now supported.
Other Webmail Improvements
•Added a Public Schedule option, so that users can allow others to schedule a meeting.
•Separated the setup process for Two Factor Authentication email verification from the setup process for authenticator app verification.
•The Password Recovery feature now sends an email without revealing to the user where the email was sent. Two Factor Auth occurs after clicking the recovery link in the email.
•Changed how Webmail authenticates to MDaemon's SMTP server so the user's password is not needed.
•Added an option to "Mark deleted messages as read" at: Settings | Personalize.
•There is now an All Documents toggle button in the Documents view.
Remote Administration (MDRA)
There is now a Health Check page in MDRA at: Security | Health Check. This page provides a convenient list of important security settings consolidated onto a single page, and it displays each setting's current value and its default value. Where those values differ, the setting is highlighted so that Global Administrators can quickly review those particular settings and then restore any of them to their default values if desired. Each group of settings also has a shortcut icon next to it, so that you can jump to the page on which those settings are located. In addition, you can also view a list of all Health Check changes made during the current browser session, and undo any of those listed changes if necessary.
Other MDRA Improvements
•Added editor GUIs for all direct edit files.
•There is now an "X" icon that you can click to hide any given chart in the Traffic and Mailboxes summary report pages. To restore a hidden report, click your account name in the upper right corner of the page and then click the box next to the report you wish to restore.
•Added a Delete All button to the Mailing List Members page.
•As with Webmail, support for WebAuthn was added to MDRA, which gives users a secure, passwordless authentication method, and it can also be used as a Two Factor Authentication method. The WebAuthn options in MDRA are located on the Remote Admin Settings page. See: WebAuthn Support in the Webmail section above.
•The Public Folder Editor and Shared Folder Editor now has a Nest under option to choose the parent folder under which the selected public or shared folder will nest.
•Added some text to the Account Editor's Mailing Lists page to explain that a user might show up as a member of a mailing list due to membership in a Group.
•In the Message Search and Queues, added the ability to view the email message, in addition to being able to view its source. RAW messages are still only in text/plain.
•Added links to the Queues on the Status page.
•Added the ability to include multiple addresses (separated by commas) when adding new Access Rights to a Public Folder's Access Control page. You cannot add addresses when editing existing rights.
Security
•Added HTTPS support for Outbreak Protection.
•Updated ClamAV to 1.0.3.
•LetsEncrypt - Added support for TLS 1.3
•Updated SpamAssassin to 4.0.0.
XMLAPI
MDaemon 23.5.0 includes many additions and improvements to the XMLAPI. See the Release Notes for a complete list of these improvements.
Other
•Added an App Passwords option to delete an account's app passwords when the account's password is changed. The new option is on by default.
•Added a Restrictions page to the Account Templates. When an account is removed from a group with an account template that controls restrictions, the account's restrictions revert to their previous values, or possibly to another group's account template if the account is a member of multiple groups.
•The Location Screening option "SMTP connections are accepted but authentication is blocked" is now per country instead of global. Blocking SMTP connections prevents your server from receiving mail from a country. Allowing SMTP connections with authentication disabled lets your server receive mail from a country while blocking brute force / dictionary attacks from them. Protocols other than SMTP are not affected.
•Removed obsolete "Compose in new browser window" Webmail option from the UI.
•LetsEncrypt - Added support for TLS 1.3.
MDaemon Server Release Notes
For a comprehensive list of these and all other additions, changes and fixes included in MDaemon 23.5.0, see the Release Notes.
Changes and New Features
MDaemon Server
•(23.0.2) Added a MultiPOP option to send a notification email after multiple failures when checking a MultiPOP account. Since temporary failures are not uncommon, there is an option for how many consecutive failures it takes to trigger the notification. There is also an option for how many days to wait between notifications, to avoid sending too many of them. The content and recipients of the notification emails can be customized by editing \MDaemon\App\MPOPFailureNotice.dat. By default the notifications are sent after 5 failures, no more than once every 7 days, to the MultiPOP account owner.
•There is a new MultiPOP page under Server Settings. From this page you can enable/disable MDaemon's MultiPOP server, and use the "MultiPOP always deletes mail..." option (formerly located on the MultiPOP Collection page) to override the Leave a copy of message on POP server option for all users. This new page also contains OAuth 2.0 support options for MultiPOP mail collection from Gmail and Office 365.
MultiPOP OAuth 2.0 support for collecting mail from Gmail and Office 365 — OAuth 2.0 is modern authentication, which these services are now requiring as they disable support for legacy/basic authentication. In order for MDaemon's MultiPOP feature to use OAuth 2.0 to collect mail from Gmail or Office365 on behalf of your users, you must register your MDaemon server with Google or Microsoft, respectively, creating an OAuth 2.0 application using the Google API Console or Microsoft's Azure Active Directory. This is similar to the procedure required for using MDaemon's Dropbox Integration for your Webmail users. See the MultiPOP help topic for more information on configuring OAuth 2.0 support.
•MDaemon's IMAP server now supports keyword flags. This allows email clients such as Mozilla Thunderbird to store Message Tags on the server, which lets you see tags in one instance of a client that were set in another instance of the client.
| • | Improved the IMAP server's performance when opening large mail folders. |
Security
•(23.0.2) Added support for Spamhaus Data Query Service (DQS) to the Spam Filter. For more information on Spamhaus DQS, visit: https://info.spamhaus.com/getting-started-with-dqs
•There is a new Block Logon Policy Violations option on Dynamic Screening, that you can use if you wish to block any IP address that attempts to logon without using the full email address. This option is off by default. See the Systems page for more information on the corresponding option, "Servers require full email address for authentication".
•An Only for valid accounts option was added to expand the Ignore authentication attempts using identical passwords option on the Auth Failure Tracking page. Activate this option if you only wish to ignore the duplicate password authentication attempts when they are attempting to sign in to a valid account. This means that if, for example, a user updates his password in one client but another client is still running with the old password, that old client's sign-in attempts will still be ignored, since it will have the correct sign-in name. A bot trying random sign-in names with a similar password will not have that same benefit, and will be blocked as soon as it surpasses the auth failure threshold. This will help to defeat bots much quicker. The XML API DynamicScreen operation has also been updated to reflect these new features.
•A Content Filter » Attachments option was added to: "Add warning to top of message body if attachment is removed". When MDaemon removes an attachment from a message, for example because a virus was detected, it will add a warning message to the top of the message body. There is also a Warning button to use if you wish to review or modify that message's template. This option is enabled by default.
•Added the option to Exclude Trusted IPs from AntiVirus scanning.
•MDaemon sends a warning email to admins when SSL certificates configured for use by MDaemon, Webmail, or Remote Administration are about to expire.
| • | MTA-STS now has an exempt list, so problem domains can be made exempt instead of MTA-STS needing to be turned off when failures affect deliverability. |
•The ClamAV AntiVirus component was updated to version 0.105.2 (in MDaemon 23.0.1).
Webmail
•Google Drive Integration — Webmail can now be linked to your users' Google accounts to allow them to save message attachments directly to their Google Drive, and to edit and work with documents stored there. In order to enable this, an API Key, Client ID, and Client Secret are required. All are obtained directly from Google by creating an App using the Google API Console and registering your MDaemon with their service. An OAuth 2.0 authentication component is part of this app, which allows your Webmail users to sign-in to Webmail and then authorize access to their Google Drive account through MDaemon. Once authorized, users can view their folders and files that are in Google Drive. Further, they can upload, download, move, copy, rename, and delete files, as well as copy/move files to and from the local document folders. If the user wants to edit a document, clicking the option to view the file in Google Drive will allow the user to make edits to it in accordance with their permissions set in Google Drive. The Google Drive setup process is similar to MDaemon's Dropbox Integration and MultiPOP OAuth Integration features. See Google Drive Integration for more information.
•Added an option in all themes except Lite to "Enable Drag and Drop to move folders". The new option is located in Webmail on the Folders page under the Options menu, and it is enabled by default.
•Made the session cookie secure over HTTPS.
•Category changes notification now sent to MDaemon
•WorldClient no longer modifies the robots.txt file on startup.
•The built-in web server prevents the download of .dll files from the HTML directory.
•Added one to the maxlength of the new password input, so that the "Maximum of 15 characters" unmet requirement will show.
•Added reporting for sign-in attempts without a full email address, to support the new Dynamic Screening option to Block Logon Policy Violations.
•(23.0.2) Made the unsnooze option more visible with an orange highlight.
Pro Theme
•Added read receipts support.
•Added an option to disable the HTML editor context menu.
•Added the ability to resize the folder list.
Remote Administration (MDRA)
23.0.2
•Added AntiVirus option to "Exclude trusted IPs from AntiVirus scanning".
•Added the "Do not allow authentication on the SMTP port" option to SMTP Authentication.
•Added a Public Folder Manager option to specify an ActiveSync Display Name.
•Added four more filter options to the Account Manager: Admins Only, Non-Admins Only, Global Admins Only, and Domain Admins Only
•Added a page for the Spamhaus Data Query Service (DQS) to the Spam Filter. For more information on Spamhaus DQS, visit: https://info.spamhaus.com/getting-started-with-dqs
23.0.0
•In the Domain Manager, there is now a Webmail Setting to "Allow users to receive Two Factor Authentication verification codes over email", so that users can receive their verification code via an alternate email address rather than using the Google Authenticator app. This setting is enabled by default.
•Changed the default permissions when adding a new ACL entry to Lookup and Read.
•The Test buttons at: Spam Filter » DNS-BL » Hosts and Setup » Active Directory » Authentication are now disabled while the process is ongoing.
•The built-in web server prevents the execution and download of .dll files in the Templates directory.
•Users can now customize the appearance of the Remote Administration web-interface by clicking their user name (e.g. frank.thomas) in the top right corner of the window. There are options to switch the interface to Dark Mode, set the Font Size, and choose the preferred Language.
•Changed the account delete confirmation to use the custom confirmation feature.
•Added Dynamic Screening reporting for sign-in attempts without a full email address.
ActiveSync
•Added a Client Settings option to Block Sender when moving mail into Junk-Email folder. When enabled, upon a client moving an email to the account's Junk Email folder, the service will add the Sender or From address of that email to the Blocked Senders Contacts folder.
•You can now disable the Full Wipe button for ActiveSync clients if you choose, so that you can't do a remote Full Wipe on an ActiveSync device without first disabling the new Disallow Factory Reset Wipes option.
•Made BodyPreferences data human readable to make troubleshooting sync issues easier.
•Improve shutdown performance when clients are syncing huge mailboxes.
•Added the ability to define a custom display name for mailbox and public folders.
•Improved shutdown performance.
•ActiveSync clients can now send to Personal Distribution Lists in Contact folders.
•Changed layout of Client Settings Dialog in the GUI to add room for new settings.
Other
•(23.0.2) Content Filter - $LIST_ATTACHMENTS_REMOVED$ can be used in rule actions (e.g. "send note", "add warning...")
•In the MDaemon GUI, changed the default permissions when adding a new ACL entry to Lookup and Read.
•in the MDaemon GUI, added a warning pop-up if you attempt to set the Webmail, Remote Administration, or XMPP BOSH Server ports to have conflicting values.
•XMLAPI - Added Editor operation which can be used to edit MDaemon's various INI files
•Changed several plug-ins to allow newer versions to run so customers can test possible hotfix/patch versions.
•LetsEncrypt - Updated script to check orders that are ready or valid.
MDaemon Server Release Notes
For a comprehensive list of additions, changes and fixes included in MDaemon 23.0.2, see the Release Notes.
New in MDaemon 22.0
Changes and New Features
Webmail
Pro Theme
•While viewing a message, you can hover over the sender's name to open a pop-up, which contains options for adding the sender to your Contacts and Allowed or Blocked Senders folders.
•Compose, Message, Event, Contact, Task, and Note views can now open in a new window.
•You can now open the next unread message from the message preview pane and message view.
•Added message snippets to the message list when in multi-line mode.
•You can now make available an Edit Alias Display Names option for Pro theme users, located under Settings » Compose. This allows users to edit the display name of any alias associated with their account. Use the new "Allow users to edit their alias display names" Webmail Settings if you wish to allow this. Note: This option is only available in the MDaemon Remote Administration (MDRA) web-interface.
•Options and links that used to say "whitelist" or "blacklist" sender, now say "allow" or "block" sender. Additionally, the White List and Black List folders are now called "Allowed Senders" and "Blocked Senders".
•The Message List can be sorted by the Flag column.
•In the Tasks list, overdue tasks will now appear in red.
•Upgraded the XMPP client to version 4.4.0.
Other
•When strong passwords are required, there is now a list of password requirements that displays green and checked off as the user meets the requirements. Also added more descriptive error messages for what is wrong with an invalid password on submission.
•Compose Options now contains options for selecting the default "From:" address that will be used when composing, replying to, or forwarding a message.
•A "1 minute" setting was added to the List Refresh Time option, located on the Options » Personalize page.
•Added support for CSRFTokens on the Webmail Sign-in page. This is enabled when the "Use Cross-Site-Request-Forgery tokens" option is enabled on the Webmail Settings » Web Server page. If you are using custom templates for Webmail, add a hidden input to the Login form as follows: <input type="hidden" name="LOGINTOKEN" value=<$LOGINTOKEN$> />
•Public Calendar - Modified the List view to start on the current day and show the next 30 days.
•Added automatic conversion of URLs to hyperlinks in the message view.
•The names of default folders (Drafts, Sent Items, etc.) are translated into the Webmail user's language no matter which language of MDaemon is installed (previously only the English MDaemon did this).
•There is now an option to send Two Factor Authentication verification codes to a secondary email address.
•LookOut and WorldClient themes - Changed all list category display behavior to match.
•The Allowed Senders and Blocked Senders folders now have different icons to indicate that they are special folders.
Remote Administration (MDRA)
•Added a Two Factor Auth Exception IPs page in MDRA, located under the Main menu. This allows users to sign in to Remote Admin or Webmail without requiring 2FA, when connecting from one of the specified IP addresses.
•There is a new "Allow users to edit their alias display names" Webmail Settings option in MDRA. Activate this option if you wish to allow users to edit the display name of any alias associated with their account. They can do this by using the Edit Alias Display Names option, located in Webmail's Pro Theme.
•Changed autocomplete="off" to autocomplete="new-password" on password fields to stop Firefox from auto-completing passwords outside of the login page.
•Added the Notification Message Editor to the Content Filter's Notifications page.
•Added support for CSRFTokens on the Sign-in page. This is enabled when the "Use Cross-Site-Request-Forgery tokens" option is enabled on the Remote Administration Settings page in MDRA.
•Any remote or local Custom Queues you have created can be managed under the Messages and Queues section in MDRA.
Security
•MDaemon now supports TLS 1.3 on newer versions of Windows. Windows Server 2022 and Windows 11 have TLS 1.3 enabled by default. Windows 10 versions 2004 (OS Build 19041) and newer have experimental TLS 1.3 support that can be enabled for inbound connections by setting the following in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
DisabledByDefault (DWORD) = 0
Enabled (DWORD) = 1
•MDaemon logs the cipher suite (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) used by SSL/TLS connections.
•Added a Passwords option for strong passwords to require a special character. It is enabled by default for new installs and disabled by default for existing installs.
•AV Mailbox Scanner - When an infected message is found during mailbox scan MDaemon's infected counter will be incremented.
•AntiVirus - Updated ClamAV to version 0.104.3.
ActiveSync
•Improved FolderSync performance.
•The ActiveSync Connection Monitoring Dialog has a new right-click menu command to terminate a session and block a client.
•Added an option to the Client Settings dialog to allow Outlook to send mail using an alias. If Reply-To is set to a valid alias for the sending account, the message will be sent via that alias.
•Added support for EAS 16.1 Find command. Removed the protocol restriction preventing iOS from using EAS 16.1
Other
•Content Filter - Added support for $CONTACT...$ macros in the "Append a corporate signature" action. These macros can be used to personalize the signature with information from the sender's contact in their public contacts folder. See: Signature Macros for a full list of supported macros.
•Content Filter - Added an action to extract attachment and add attachment linking into the message.
•Summary Emails for the holding, quarantine, and bad queue may now have links to release, re-queue, or delete each message. This new "Include action link" option is enabled by default. Note: The Remote Administration URL must be set for the links to be generated.
•LetsEncrypt - Updated the script to work with PS 7.
•Added a Deferred Delivery Message Recall option to replace the 'Date:' header with the current date and time when a message is released from the Deferred Queue. It is disabled by default.
•MDaemon Connector has been updated to version 7.0.7.
•XMLAPI - Added support for forwarding scheduling.
MDaemon Server Release Notes
For a comprehensive list of additions, changes and fixes included in MDaemon 22.0, see the Release Notes.
New in MDaemon 21.5
Major New Features
App Passwords
App Passwords are very strong, randomly-generated passwords for use in email clients and apps, to help make your email apps more secure since they can't be protected by Two-Factor Authentication (2FA). 2FA is a secure way for a user to sign in to Webmail or MDaemon Remote Administration (MDRA), but an email app can't use it, because the app must be able to access your email in the background without you having to enter a code from your authenticator app. The App Passwords feature allows you to create strong, secure passwords for use in your apps, while still keeping your account password secured by 2FA. App Passwords can only be used in email apps, they cannot be used to sign in to Webmail or MDRA. This means that even if an App Password were somehow compromised, the unauthorized user still wouldn't be able to get into your account to change your password or other settings, but you, however, would still be able to sign in to your account with your account password and 2FA, to delete the compromised App Password and create a new one if needed.
App Password requirements and recommendations
•In order to create App Passwords, 2FA must be enabled for the account (although you can turn off this requirement if you choose).
•App Passwords can only be used in email apps—they cannot be used to sign in to Webmail or MDRA.
•Each App Password is displayed only once, when it is created. There is no way to retrieve it later, so users should be ready to enter it into their app when it is created.
•Users should use a different App Password for each email app, and they should revoke (delete) its password whenever they stop using an app or when a device is lost or stolen.
•Each App Password lists when it was created, when it was last used, and the IP address from which it last accessed the account's email. If a user finds something suspicious about the Last Used or Last IP data, the user should revoke that App Password and create a new one for his or her app.
•When an account password is changed, all App Passwords are automatically deleted—a user cannot continue using old App Passwords.
Requiring App Passwords for SMTP, IMAP, ActiveSync, and more
There is an account option on the Account Editor's Settings page that you can use to "Require app password to log in to SMTP, IMAP, ActiveSync, etc."
Requiring App Passwords can help protect an account's password from dictionary and brute force attacks via SMTP, IMAP, etc. This is more secure because even if an attack of this sort were to guess an account's actual password, it wouldn't work and the attacker wouldn't know, because MDaemon would only accept a correct App Password. Additionally, if your accounts in MDaemon are using Active Directory authentication and Active Directory is set to lock an account after a number of failed attempts, this option can help prevent accounts from being locked out, because MDaemon will only check the App Passwords, not try to authenticate to Active Directory.
Other New Features and Improvements
Pro Theme
•The Mobile theme is now called the Pro theme. It was expanded and improved to be responsive and adaptable for use on different kinds of devices and screen sizes, without sacrificing features.
•Added Cross-Site-Request-Forgery tokens for more secure transactions. The feature is disabled by default. To enable it through MDRA go to Main | Webmail Settings | Web Server and check "Use Cross-Site-Request-Forgery tokens".
•Added an option at Settings | Personalize to enable Dark mode, to display the Pro theme with a dark background.
•Added a link to "Track my package" in opened messages.
•Carrier tracking numbers being watched by default are: USPS, UPS, OnTrac, FedEx, and DHL.
•The default configuration file is at: \MDaemon\WorldClient\package_tracking.json
•Admins can add more carriers by creating the file: \MDaemon\WorldClient\package_tracking.custom.json, using the same format as the default package_tracking.json file. At least one service name, a tracking URL, and at least one valid regular expression is required. Include service names that may appear in a message to reduce the chances of false positive matches.
•Added the Message List Layout dialog to the smaller browser size. Only the Message List Density setting is displayed.
•Added a password strength meter.
•Added the image slideshow feature for the Message View.
•Added a card view for the Contacts list.
•Moved the "New item" button from the toolbar to the space above the folder list for desktop sizes.
•Added a plus icon next to "Personal" to create a new calendar in the calendar view.
•Added an event tooltip with Edit options and Send an Email to an Attendee option.
•Made the search bar always visible for browser window widths of 1200px or greater.
•Added a dialog to allow users to remove a contact from the the BlackList when adding them to the WhiteList and vice-versa.
•Added an error message when there is an error creating or renaming a folder.
•Added support for HTML notes in Events, Contacts, Tasks, and Notes.
•Replaced the current HTML editor (CKEditor) with Jodit.
•Changed the basic header view to show the From email address.
•Added the Voice Recorder.
Other Webmail Improvements
•Added an Unsubscribe link next to the From address when the List-Unsubscribe header exists in a message. This can be disabled in Webmail at Settings | Personalize.
•Added ability to import email into the current message list.
•Updated the Dropbox integration to use the refresh_token provided by Dropbox to reconnect users without interaction with the OAuth dialog. When the access_token expires, Webmail will attempt to use the refresh_token to get a new access_token. No longer necessary settings have been removed from the Cloud Apps page. The admin does NOT need to make any changes to the Dropbox app at Dropbox.com.
•Search All / Subfolders requests no longer search unsubscribed folders when unsubscribed folders are hidden.
•Added a checkbox named "Skip Search" to exclude specific folders from Search All / Subfolders requests.
•Added a setting in Remote Admin that allows the Two-Factor Authentication Remember Me checkbox to be hidden.
•Added a blur effect for the background when the user session is expired.
•Added an Automatic CC and BCC feature at Settings | Compose.
•Added an option to: WorldClient\Domains.ini [Default:Settings] PreventComposeWithAlias, to prevent composing messages with an alias. The setting is off by default.
•Lite theme - Added auto-save draft message to the Compose view.
•Added an option in the Options | Folders view to allow users to skip contact folders in auto-complete searches. Added the option in the right click menu as well.
•Added a Webmail log entry for the User-Agent when a user logs in.
•Added a notification in the Compose view if a local recipient has their autoresponder enabled.
•WorldClient theme - Added a paperclip icon to event tiles that have attachments.
•Maximum attachment size is set to 25 MB for new installs.
•Changed the "Delete All" folder action to "Empty Folder"
•WorldClient theme - Added "Change Password" and "Change Recovery Email" buttons to the Security page
Remote Administration (MDRA)
•Added the ability to drag and drop content filter rules. The copy, edit, and delete buttons are now on each respective rule.
•Added Cross-Site-Request-Forgery tokens for more secure transactions. The feature is enabled by default. To disable it go to: Main | Remote Admin Settings | Settings and uncheck "Use Cross-Site-Request-Forgery tokens".
•Added a password strength meter to some password fields.
•Added the option: "Enable Two-Factor Authentication Remember Me," to Setup | Domain Manager | Edit | Webmail Settings and Main | Webmail Settings | Settings.
•Added Blocked IPs and Refused IPs reports for Dynamic Screening.
•Added the Groups and Client Types views under ActiveSync.
•Updated the ActiveSync Diagnostics and Tuning pages.
•Added a browser usage by OS chart and table at Reports | Traffic | Webmail Login Statistics.
•Added buttons to open a Browse Users and Browse Groups pop-up, to add them to mailing lists, at: Main | Mailing Lists | Edit | New. Only Domain or Global Admins have access to the buttons.
•Added Account Only Wipe options at Main | My Account | ActiveSync Clients and at ActiveSync | Client Management.
•Change logging has been added. It will log every change that is made via Remote Administration.
•Updated Message Recall to match the MDaemon GUI.
•Added the "Extract attachments from winmail.dat" option at Security | Content Filter | Compression.
•Added Slovenian language to MDaemon Remote Administration.
Other MDaemon Improvements
•Added support for SMTP Command Pipelining (RFC 2920). MDaemon will send MAIL, RCPT, and DATA commands in batches instead of individually, which improves performance over high latency network links. SMTP pipelining is always enabled for inbound connections. It is enabled by default for outbound connections, but can be disabled at Setup | Server Settings | Servers & Delivery | Servers.
•Added support for SMTP CHUNKING (RFC 3030). CHUNKING allows non-line-oriented messages to be transferred. It is enabled by default for inbound connections, but disabled by default for outbound. Bare line feeds in received messages are converted to carriage return line feeds by default. These defaults can be changed by setting [Special] SMTPChunkingInbound=Yes/No, SMTPChunkingOutbound=Yes/No, and SMTPChunkingAllowBareLF=Yes/No in \MDaemon\App\MDaemon.ini.
•Content Filter - Updated the default restricted attachments list.
•Content Filter - Added rule action to add attachment to message.
•ActiveSync Server start/stop entries are written to MDaemon's System log.
•Clustering - Added support for synchronizing reminders from secondary nodes.
•Dynamic Screening - Added option to Log Locations using ISO-3166 Codes instead of names.
•XMLAPI - Added support for ActiveSync AlwaysSendMeetingUpdates setting.
•XMLAPI - Added support for semaphore file creation.
•XMLAPI - Added Support to report/modify settings from Setup/Server Settings/Logging.
•MDaemon Instant Messenger - Improved group chat feature by adding ability to multi-select chat buddies for group chat. Also added an option to auto-accept chat room requests.
•Location Screening has a new option to control whether or not the X-MDOrigin-Country header is added to messages. It is enabled by default.
•There is now an Accounts setting for whether to allow users to sign in using aliases, located at: Accounts | Account Settings | Aliases | Settings. It is enabled by default.
•MDaemon Connector has been updated to version 7.5.0.
•The default delivery confirmation message text (in \MDaemon\App\Receipt.dat) has been changed to use the $HEADER:X-RCPT-TO$ macro instead of $RECIPIENT$ to avoid disclosing the actual email address an alias resolves to.
MDaemon Server Release Notes
For a comprehensive list of additions, changes and fixes included in MDaemon 21.5, see the Release Notes.
New in MDaemon 21.0
Major New Features
Persistent Chat Rooms
MDaemon's XMPP server now supports persistent chat rooms, which do not need to be recreated every time all users leave the room. Configure them at: Setup | Web & IM Services | XMPP.
Virus/Spam Misclassification Reporting
When on the Quarantine, Bad, or Spam Trap queue screens in the MDaemon GUI, a right-click popup menu option was added to report messages to MDaemon.com as false positives or false negatives. Similar options have also been added to MDaemon Remote Administration. The messages will be analyzed and passed along to third-party vendors for corrective action.
ActiveSync Migration Client (ASMC) GUI
A GUI has been created to assist in running ASMC (ASMCUI.exe in MDaemon's \app\ folder). It allows you to store your options and recall them at a later time. ASMC supports migrating mail, calendars, tasks, notes, and contacts from ActiveSync servers that support protocol version 14.1. Documentation for it can be found in MDaemon's Docs folder, at: \MDaemon\Docs\ActiveSync Migration Client.html.
Webmail Mobile Theme Improvements
Greatly expanded and improved the Mobile Theme for Webmail users. See RelNotes.html located in MDaemon's \Docs\ folder for a complete list of the many features that have been added.
Clustering Improvements
A significant number of improvements have been made to MDaemon's Cluster Service:
•Added a Multi-Node Mail Routing option, where mail queues are shared between the cluster nodes. Having multiple machines process and deliver the messages allows them to split the work more evenly and prevents messages from being stuck in the queues of any machines that are down.
•SSL certificates are now replicated from the primary to secondary nodes.
•Queues on secondary nodes are frozen during the initial data replication, which improves responsiveness during startup.
•Replication is paused as soon as MDaemon shutdown starts, eliminating clustering-related shutdown delays.
•Cluster nodes may be added using IP address or DNS name.
•The shared network paths can now be managed more easily from the new Shared Network Paths screen.
•Logging and diagnostics tools are provided on the new Diagnostics screen.
Other New Features and Changes
Remote Administration (MDRA)
Dozens of options have been added to MDaemon's Remote Administration interface. For a complete list of these options and other changes to MDRA, see RelNotes.html located in MDaemon's \Docs\ folder.
Content Filter
Added ability to search for restricted files inside 7-Zip compressed files.
Autoresponders
Autoresponders now support Unicode (UTF-8), allowing the text to be in any language.
IMAP Filters
IMAP filtering rules can now search the message body for particular text.
Webmail
•You can now attach an event to a new email by right-clicking the event and choosing the "Send" option in the LookOut and WorldClient themes, and from the event preview in Mobile theme.
•All New Account Creation features have been removed.
•When you publish a calender (share a Public Access link to it), new options allow you set its default calendar view (e.g. month/week/day) and publish a Free/Busy calendar link.
•Added an option to skip the IP persistence check on a per user basis. In MDRA edit a user account, go to Web Services and check "Skip IP persistence check for Webmail sessions".
•Added ability to search the CC field in advanced search.
•Added Maximum Messages sent per day to the displayed quotas.
User Interface
•Setup | Mobile Device Management has been removed and replaced by the ActiveSync Management dialog at Setup | ActiveSync.
•The ActiveSync Client Settings screen has been removed. Customize client settings on the Tuning, Domains, Groups, Accounts, and Clients screens.
•The ActiveSync Client Type screen has menu commands to whitelist and blacklist client types.
•Added screens at Setup | Message Indexing for the configuration of real-time and nightly maintenance of the search indexes used by Webmail, ActiveSync, and Remote Administration.
•Several plugins now share a common Diagnostics configuration screen.
•The MDRA and Webmail browser-based help systems have been updated with a new responsive theme, to make them more useable across different types of devices.
XML API
•The appearance of the XML API documentation portal can be customized globally and by domain. See the "Changes and development notes" in the help portal (ie. http[s]://ServerName[:MDRAPort]/MdMgmtWS) or view the file \MDaemon\Docs\API\XML API\Help_Readme.xml on disk using Internet Explorer for more information. A sample company.mail directory is provided at \MDaemon\Docs\API\XML API\Samples\Branding.
•Added Alias operation to simplify Alias management, resolve and report aliases.
•Added FolderOperation Search action to search messages.
•Added support for the Cluster Service to QueryServiceState and ControlServiceState.
Archiving
•When a message is sent between local accounts, both "in" and "out" archive copies will be created if both "Archive inbound mail" and "Archive outbound mail" are enabled.
•The option to archive spam messages, which was removed in version 20.0, is back.
•Spam messages released from the Spam Trap are archived.
Component Updates
•MDaemon Connector has been updated to version 7.0.0.
•Spam Filter: updated to SpamAssassin 3.4.4. and removed deprecated settings in local.cf.
•AntiVirus: ClamAV updated to version 0.103.0, and Cyren AV engine updated to version 6.3.0.2.
•XMPP Server: Updated database backend to version SQLite 3.33.0.
MDaemon Server Release Notes
For a comprehensive list of additions, changes and fixes included in MDaemon 21.0, see the Release Notes.
New in MDaemon 20.0
MDaemon Cluster Service
MDaemon's new Cluster Service is designed to share your configuration between two or more MDaemon servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple MDaemon servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. See: Cluster Service, for more information on setting up an MDaemon server cluster on your network.
New SMTP Extensions
The RequireTLS effort in IETF is finally finished, and support for this has been implemented. RequireTLS allows you to flag messages that must be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. RequireTLS is enabled by default, but the only messages that will be subject to the RequireTLS process are messages specifically flagged by a Content Filter rule using the new Content Filter action, "Flag message for REQUIRETLS...", or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com). All other messages are treated as if the service is disabled. Additionally, several requirements must be met in order for a message to be sent using RequireTLS. If any of them fail, the message will bounce back rather than be sent in the clear. For more information about these requirements and how to set up RequireTLS, see: SMTP Extensions. For a complete description of RequireTLS, see: RFC 8689: SMTP Require TLS Option.
SMTP MTA-STS (RFC 8461) - Strict Transport Security
The MTA-STS effort in the IETF has finished, and support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. MTA-STS support is enabled by default. See: SMTP Extensions for more information on setting this up, and MTA-STS is fully described in RFC 8461: SMTP MTA Strict Transport Security (MTA-STS).
TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, MDaemon will send a report daily to each STS-enabled domain that it has sent (or attempted to send) mail to that day. There are several options provided for configuring the information that your reports will contain. TLS Reporting is disabled by default and discussed in RFC 8460: SMTP TLS Reporting.
Domain/Company-wide MDPGP Encryption with a Single Key
MDPGP now supports encrypting messages between domains using a single encryption key for all users. For example, suppose 'Domain-a' and 'Domain-b' wish to encrypt all emails sent between them but do not wish to setup and police individual encryption keys for every user account within the domain. This can now be done as follows:
'Domain-a' and 'Domain-b' each provide the other with a public encryption key via any method they like. For example, they can email the keys to one another by right-clicking on an existing public key in the MDPGP UI and selecting 'Export & Email Key.' If they wish to create new keys dedicated for this purpose they can click the 'Create keys for a specific user' button and choose the '_Domain Key (domain.tld)_ <anybody@domain.tld>' item which has been put there for this purpose (although any key will work). Once each side has received the other's key they click the 'Import Domain's Key' button on the MDPGP UI and enter the domain name to which all emails will be encrypted using the provided key. The system does not create a key in the dropdown list for every one of your domains. You can use the key that is provided for all your domains or you can create domain specific keys yourself if you wish.
If either side already has a public key they wish to use and it is already on the key-ring they can right-click on the key in the MDPGP UI and select 'Set as a Domain's Key'. However, do not use a key for which you also have the corresponding private key. If you do, MDPGP will encrypt a message and then immediately see that the decryption key is known and promptly decrypt that very same message.
At this point MDPGP creates a Content Filter rule called 'Encrypt all mail to <domain>' which will invoke the encryption operation on every email sent to that domain. Using the Content Filter means that you can control this process by enabling or disabling the Content Filter rule. You can also tweak the rule to fine-tune the criteria you wish to employ before messages are encrypted (for example, maybe you want to do this same thing but for two domains or for only certain recipients within the domain). The Content Filter provides the flexibility to achieve this.
Encrypting Outbound Mail Based on the Receiving IP Address
MDPGP has a new checkbox and setup button where you can map IP addresses to specific encryption keys. Any outbound SMTP session delivering a message to one of these IPs will first encrypt the message using the associated key just prior to transmission. If the message is already encrypted by some other key no work is done. This is useful (for example) in situations where you want to make sure all messages sent to certain key partners, suppliers, affiliates, etc are always encrypted.
Macros for Mailing List Messages
The Mailing List Editor » Routing screen has some new options which will allow for macros to be used within the message body of list posts. This will allow you (for example) to personalize each list message. Macros have been supported for a long time in list mail header and footer files, but they have never been supported in the message body. Since the macros are related to individual list members, this option is only compatible with lists that are configured to "Deliver list mail to each member individually." Additionally, for security purposes you can set this option to require that the list's password be provided in order to use macros in the message body. If you choose not to require a password, then any list member who is allowed to post to the list will be allowed to use them. See the Mailing List Routing screen for more information, and for the list of macros that can be used.
Improved Hijack Detection System
Hijack Detection has some new options to help prevent accounts from being used to blast out spam due to their passwords being stolen. One common characteristic of spam email is that the messages are often sent to a large number of invalid recipients, due to the spammer attempting to send them to old email addresses or otherwise guess new ones. Therefore if an MDaemon account begins sending messages to a notable number of invalid recipients in a short amount of time, that is a good indication that the account has been hijacked and is being used to send spam. To prevent this, MDaemon can now track the number of times that an authenticated user tries to send an email to an invalid recipient. If this happens too many times within too short of a time frame, you can have MDaemon freeze the account (the postmaster will get an email about this and they can respond to re-enable the account). This can help to stop a hijacked account automatically, before it does too much damage. Note: As part of this work, the From Header Modification options were moved to their own From Header Screening page, to make room for the new Hijack Detection options.
Deferred Message Queue and Improved Message Recall
To help improve the efficiency of the Message Recall system and Deferred-Delivery header support, MDaemon now has a dedicated queue for deferred messages. Previously, the Inbound queue could become clogged with deferred messages, which could slow down the delivery of non-deferred mail. The new, Deferred queue helps to solve that problem. Messages in the Deferred queue are placed there by the system and have the date they are set to leave the queue encoded into the file name. MDaemon checks the queue once per minute and when it's time for messages to leave the queue they are moved to the Inbound queue and subject to normal message processing/delivery.
Additionally, MDaemon now tracks the Message-IDs of the most recent email sent by each authenticated local user, which means users can now recall the last message they sent (but only the last message they sent) simply by putting RECALL (alone by itself) as the Subject in a message sent to the mdaemon@ system account. There is no need to find and paste the Message-ID of the message you want to recall when it was the last message sent. Recalling any other message still requires the Message-ID be included in the Subject text or the original message from the users SENT folder attached to the recall request.
In addition to remembering the most recent email sent by each authenticated user, MDaemon also remembers the locations and Message-IDs of the last 1000 emails sent by all authenticated users. Consequently, this makes it possible to recall messages right out of user mailboxes even after they've been delivered. So, messages will disappear from user mail clients and phones if they are recalled. Note: this is of course only possible for messages sent to other local users; once MDaemon has delivered a message to some other server it is no longer under MDaemon's control and therefore cannot be recalled.
Authentication Failure Log
There is a new Authentication Failures log file that contains a single line with details for every SMTP, IMAP, and POP logon attempt that fails. The information includes the Protocol used, the SessionID so you can search other logs, the IP of the offender, the raw Logon value they tried to use (sometimes this is an alias), and the Account that matches the logon (or 'none' if no account matches).
Authentication When Forwarding/Routing Mail
There are several forwarding options in MDaemon where you can now add authentication credentials. This means that several files in the \APP\ folder (e.g. forward.dat, gateways.dat, MDaemon.ini, and all Mailing List .grp files) that now have the potential to contain obfuscated logon and password data in a weakly encrypted state. As always, you should therefore use the operating system tools at your command, as well as any other measures you choose, to secure the MDaemon machine and directory structure from unauthorized access. Authentication credential options were added to: Unknown Mail, Mailing List Routing, Gateway Editor » Forwarding, Gateway Editor » Dequeuing, and Account Editor » Forwarding.
Host Authentication
Host Authentication is a new screen where you can configure port, logon, and password values for any host. When MDaemon sends SMTP mail to that host the associated credentials found here will be used. Please note that these credentials are a fallback and are only used when other more task-specific credentials are unavailable. For example, if you configure an Auth logon/password using the new Account Editor » Forwarding or Gateway Manager » Dequeuing options, then those credentials are used and they supersede what is configured here. This feature works with host names only (not IP addresses).
Improved Custom Queues and Message Routing
You can now specify a host, logon, password, SMTP return-path, and port for any remote queue. If provided, all messages in the queue are delivered using these new settings. However, by design it still remains possible for individual messages within the queue to have their own unique delivery data, which will take priority over these new settings. Additionally, you can now set up as many remote queues as you want, filter mail into them using the Content Filter based on whatever criteria you choose, give to each queue its own delivery schedule, and have completely different routing take place based on your wishes.
Improved Domain Sharing
For some time Domain Sharing has performed lookups on SMTP MAIL sender values as needed. However, messages were often refused with 'Authentication Required' and yet there is no way authentication can be performed when the sender account resides on a different server. This has been addressed and MDaemon can accept mail without requiring authentication from accounts that are found to exist on other servers. This can be disabled with a new Security Manager option at: Sender Authentication » SMTP Authentication. If you would rather not perform Domain Sharing lookups on the SMTP MAIL sender at all you can completely disable that with a Domain Sharing option.
Domain Sharing also has a new option that enables sharing of mailing lists. When a message arrives for a mailing list a copy is created for each Domain Sharing host that also keeps a version of that list (a query is made to check). When these hosts receive their copies they will make delivery to all the members of that list which they serve. In this way mailing lists can be split across multiple servers with no loss in functionality. For this to work each Domain Sharing host must include the other hosts' IP addresses in their Trusted IPs configuration.
Finally, Domain Sharing has an Advanced button that opens a file where you can configure domain names that are allowed to use Domain Sharing. When nothing is in this file (the default condition) then all your domains can use Domain Sharing. See the instructions at the top of the file for more information.
Improved Control Over Message Forwarding
Preferences » Miscellaneous has a new option that allows administrators to prevent account mail forwarding from sending emails outside the domain. If a user configures mail forwarding for their account to send to a foreign domain the message will be moved to the Bad Message queue. This setting only applies to messages that are forwarded using the mail forwarding options for the account.
Account Editor » Forwarding has a new Schedule button that will let accounts configure a schedule for when forwarding starts and stops. This is also included on the corresponding Account Templates screen. These settings configure the date and time forwarding starts and the date and time that it stops, but forwarding will only happen on the days of the week you select.
The Forwarding Address field in the New Accounts Template now works with account macros. The only macros with data at the point of new account creation however are those related to the account user's full name, domain, mailbox, and password values. So (for example) if you want every new account to forward to the same email address but at a different domain you can put this in the Forwarding Address field: $MAILBOX$@example.com. Macros also work in the Send As, AUTH Logon, and AUTH Password fields.
Forwarding a message now updates the forwarding account's last access time. This means that accounts which do nothing else but forward mail are no longer potentially deleted for inactivity. Note: The forwarding must actually occur and not be defeated by other configuration options such as restrictions on where the forwarder can send mail or being 'off-schedule'. Just having a forwarding address configured will not automatically flag the account as active.
Improved SMTP Authentication
Sender Authentication » SMTP Authentication has two new options. First, the "Do not allow authentication on the SMTP port" option will completely disable AUTH support over the SMTP port. AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. The other option is to "...add their IP to the Dynamic Screen if they attempt it anyway." This option will add to the Dynamic Screen the IP address of any client that attempts to authenticate when AUTH is disabled. The connection will also be immediately terminated. These settings are useful in configurations where all legitimate accounts are using the MSA (or other) port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.
Improved Account Management
The Account Manager's filtering options have been expanded. You can now also choose to display accounts based on whether or not they are Enabled, are using MultiPOP, are near quota (70%), are near quota (90%), or are not forwarding. You can also search the account description field for any text you want and select accounts based on that. Further, the shortcut/right-click menu has new options to add or remove all the selected accounts from or to mailing lists and groups. It also has an option to Copy an existing account in order to create a new one. All settings of the existing account are copied to the new account except Full Name, Mailbox, Password, and Mail Folder. Finally, the Account Editor's IMAP Filters screen has a new button called Publish for adding a new rule to the account being edited and to every other account in that account's domain. This can save some time when a new rule is needed for everyone.
Enable "Do Not Disturb"for Entire Domain
The Domain Manager's Host Name & IP screen has a new setting that lets you enable "Do Not Disturb" for a domain. When active, the domain will refuse all connections from all users for all services, but it will still accept incoming messages from the outside world. Further, you can schedule when 'Do Not Disturb' starts and stops. For example, if you configure May 1, 2020 to June 30, 2020 from 5:00pm to 7:00am, Monday thru Friday, then that means no mail services will be available for that domain's users on those days of the week beginning at 5:00pm and resuming at 7:01am, so long as the current date falls between May 1 and June 30, 2020. Erasing the scheduled start date deactivates the schedule and has the effect of putting the domain on 'Do Not Disturb' forever.
Improved Archiving
MDaemon's simple message archiving system has been changed to be more efficient and consistent. Archiving now work as follows: When a message is delivered from the Local Queue(s) to a user's mail folder an archive copy will be created at that time (in the 'IN' folder of the recipient, if so configured). When a message is picked up from the Remote Queue(s) for SMTP delivery (whether delivery succeeds or not) an archive copy will be created at that time (in the 'OUT' folder of the sender, if so configured). You will see lines like "ARCHIVE message: pgp5001000000172.msg" in the Routing log or you might see lines like "* Archived: (archives)\company.test\in\frank@company.test\arc5001000000023.msg" in the Routing log when Local and Remote mail is processed. Further, a 'ToArchive' queue now exists as a system queue (not exposed in the UI). This queue is checked at regular intervals for messages which have been dropped there (manually, or by a plugin, or otherwise). When messages are found there they are immediately archived and deleted. If messages are found which are not eligible for archiving then they are simply deleted. The name of the queue is \MDaemon\Queues\ToArchive\. The Routing screen/log will show details whenever a message is successfully archived. Also, Archiving of encrypted messages is now handled more consistently. By default unencrypted copies of encrypted messages are stored in the archive. If a message can't be decrypted, the encrypted form will be stored instead. If you would rather have encrypted versions stored, then there is an option to allow you to do so. Additionally, there is now an option to archive messages sent to public folder submission addresses, which is enabled by default. Finally, the following types of messages are never archived: Mailing List traffic, Spam (the option to do so has been deprecated and removed), messages with viruses, system-level messages, and autoresponders.
More Efficient Logging
MDaemon no longer creates empty log files. When items are disabled on the Settings screen their associated log file will not be created at startup. Log files that may already exist when an item is disabled are left in place (not removed). If a log file is missing when an item is enabled then the required log file will be created instantly. This change applies to all log files that the core MDaemon engine manages. Log files for Dynamic Screening, Instant Messaging, XMPP, WDaemon, and WebMail run external to MDaemon and therefore haven't changed. Several other logging-related changes include: making ATRN session logs look correct, making all logs consistent in colors and how they log Session and Child IDs, and the MultiPOP server no longer tears-up and tears-down sessions for accounts that are already over quota and therefore there is no longer wasteful logging in these cases. Finally, the Router log was only logging INBOUND and LOCAL queue message parsing. It now also logs REMOTE queue parsing when delivery attempts are made. This way you don't have to search the Router log and the SMTP(out) logs to see when a message was processed.
Improved Active Directory Integration
You can now configure MDaemon's Active Directory integration feature to create an MDaemon account when you add someone to an Active Directory group, and when you remove someone from an Active Directory group their corresponding MDaemon account will be disabled (but not deleted). To utilize this functionality, you must use an alternative Active Directory search filter. See: Active Directory » Authentication, for more information.
On Active Directory's Authentication screen there is now a separate "Contact search filter" option for contact searches. Previously, contact searching was done using the user search filter. There's also a separate test button for the contact search filter. Active Directory searches have been optimized so that when the search filters are identical a single query updates all data. When they are different two separate queries are necessary.
The following fields have been added to the ActiveDS.dat file templates, so that they are included in contact records when Active Directory monitoring creates or updates address books: abTitle=%personalTitle%, abMiddleName=%middleName%, abSuffix=%generationQualifier%, abBusPager=%pager%, abBusIPPhone=%ipPhone%, and abBusFax=%FacsimileTelephoneNumber%.
Public folder contacts are now deleted by default when the associated account is deleted from Active Directory. However, the contact is only deleted if it was created by the Active Directory integration feature. The setting to control this is located on the Active Directory Monitoring screen.
When the Active Directory monitoring system creates or updates an account and finds a mailbox value that is too long to fit in MDaemon's limited space for the mailbox value, it will truncate the mailbox value as before but now it will also create an alias using the full size mailbox value. Also, when an account or alias is created, the note's section of the account's Administrative Roles screen is updated for auditing purposes.
The Mailing List Manager's Active Directory screen now allows you to enter an Active Directory attribute for the full name field of list members.
Changes to account properties in Active Directory can trigger the recreation of an MDaemon account, even when the account was previously deleted within MDaemon. To keep accounts from being recreated in this way, a new option was added to Active Directory Monitoring. By default, accounts will not be recreated when they were manually deleted within MDaemon.
Improved From Header Screening
The "From Header Modification" options were moved from the Hijack Detection screen to their own From Header Screening screen, and new options were added. Such as, From Header Screening can now check "From:" header display-names for anything that looks like an email address. If one is found and it does not match the actual sending email address then the displayed address can be replaced with the actual email address. For example, if you are using this feature and the "From:" header looks like this: "From: 'Frank Thomas <friend@friend.test>' <enemy@enemy.test>" then it would be changed to: "From: 'Frank Thomas <enemy@enemy.test>' <enemy@enemy.test>".
Check for Compromised Passwords
MDaemon can now check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service, and if a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the same characters as their password and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks, but unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.
On the Security Settings' Passwords screen, MDaemon now has an option to prevent an account's password from being set to one that is found in the compromised passwords list. It can also check a user's password every certain number of days when they log in, and if it is found, send a warning email to the user and postmaster. The warning emails can be customized by editing message template files in the \MDaemon\App folder. Since instructions for how a user should change their password may depend on whether the account is using a password stored in MDaemon or using Active Directory authentication, there are two template files, CompromisedPasswordMD.dat and CompromisedPasswordAD.dat. Macros can be used to personalize the message, change the subject, change the recipients, etc.
Additional Features and Improvements
With over 250 new features and improvements included in MDaemon 20, there are many not listed in this section. For a comprehensive list of additions, changes and fixes included in MDaemon 20.0, see the Release Notes.
New in MDaemon 19.5
New Webmail Mobile theme
Webmail's Mobile theme has been replaced with a more modern GUI with more features. Message list features now include personalized categories, message snooze, sort by flagged/unread/snoozed, sort columns, and message recall. Calendar features now include Import/Export events as csv or ics files, add external calendars, private access links, publish calendar, and view multiple calendars at one time. Compose features now include deferred delivery, multiple signatures, text/html messages, and email templates. Other features include drag and drop email filters, multiple signatures editor, more folder management options, notifications, drag and drop column management, drag and drop categories management, and more. If running Webmail in IIS, additional configuration steps are needed to utilize the new mobile theme. See Knowledge Base article 1236 for more information.
Client signature management
You can now configure an email signature to be pushed to Webmail and MDaemon Connector for your users. A Default Client Signature can be set or it can be set per domain on the Domain Manager's Client Signatures screen. Use signature macros such as $CONTACTFULLNAME$, $CONTACTEMAILADDRESS$, to personalize the signature with data pulled from the user's contact in the domain's Public Contacts folder. Use the $ATTACH_INLINE:filename$ macro for inline images in the HTML signature. After entering signature text, it will appear in Webmail's Compose options as the "System" signature, and will become the user's default signature. It can be enabled/disabled for Webmail by default under the Webmail Settings, or per domain on the Domain Manager. For MDaemon Connector, the signature's name and related settings can be configured on the MC Client Settings' Signature screen. This feature requires MDaemon Connector 6.5.0 or newer, and Push client settings to MC users to be enabled. The $CLIENTSIGNATURE$ macro can be used in other mail clients to have the server add the client signature to messages.
Categories Page
MDaemon's Remote Administration (MDRA) interface now has a Categories page under the Webmail options, for configuring Domain Categories and default Personal Categories.
Additional MDRA Improvements
Many options that previously could only be managed through MDaemon's application interface have been added to MDRA. For a complete list, see the Release Notes.
New in MDaemon 19.0
TLS Server Name Indication (SNI) support
MDaemon now supports the Server Name Indication (SNI) extension to the TLS protocol, which allows a different certificate to be used for each of your server's host names. MDaemon will look at the active certificates and choose the one that has the requested host name in its Subject Alternative Names field (you can specify the alternate names when creating the certificate). If the client does not request a host name, or if no matching certificate is found, then the default certificate is used.
XML-API for Folder and Item Management
The XML-API has been expanded to include the ability to manage mailbox folders and items in the folders. Folders can be created, deleted, renamed, and moved using the API. Item operations support email, calendar, contacts, tasks, and notes. Items can be created, deleted, and moved using the API. Full documentation can be found in the MDaemon\Docs\API\XML-API\ folder.
Remote Administration Improvements
MDaemon's Remote Administration (MDRA) web interface has been further expanded to include access to features that formerly could only be administered using a Configuration Session (i.e. MDaemon's application interface), and there are now several options that can only be accessed via MDRA. Consequently, for new MDaemon installations, the "Start MDaemon" Start Menu shortcut will now open a browser to MDaemon Remote Administration by default rather than opening an MDaemon Configuration Session. If you wish to change this, edit \MDaemon\App\MDaemon.ini and set [MDLaunch] OpenConfigSession=Yes/No and OpenRemoteAdmin=Yes/No. Set the Remote Administration URL at Setup » Web & IM Services » Remote Administration » Web Server if the auto-generated URL does not work or if MDRA runs in an external web server. If a working URL cannot be determined, a Configuration Session will be opened instead. Finally, under the Windows Start menu, in the MDaemon program group, there are now shortcuts to Open MDaemon Configuration Session and Open MDaemon Remote Administration.
Webmail Improvements
•Webmail users with their Show Saved Search Folders option enabled (located in Webmail under Options » Folders) will now be asked if they wish to add an "All Unread" and an "All Flagged" Saved Search folder to their list. They will be asked only one time, the first time they sign-in. If a user chooses "No", he or she can still easily create those Saved Searches manually by clicking the Create All Unread Saved Search and Create All Flagged Saved Search buttons (also located under Options » Folders). Administrators can prevent Webmail from asking users if they wish to create those searches by adding DefaultSavedSearchesCheck=Yes under [Default:UserDefaults] in the MDaemon\WorldClient\Domains.ini file.
•Modified some WorldClient theme icons to make them easier to see.
•Added "(EXPIRED)" to the browser tab title when the session expires, so that if a user is not in the Webmail tab the user will still know that the session expired.
•Added a delete icon for removing common contacts from the autocomplete list.
New in MDaemon 18.5
Signature Macros
MDaemon signatures now support macros that insert the sender's contact information into the signature, taken from the sender's contact located in its domain's Public Contacts folder. This allows default and domain signatures to be personalized with the sender's information. $CONTACTFULLNAME$, for example, inserts the sender's full name, and $CONTACTEMAILADDRESS$ inserts the sender's email address. Use Webmail, MDaemon Connector, or ActiveSync to edit the public contacts. Blank values are used if no contact exists for the sender. Available macros are listed on the Default Signatures page.
Users can also control the placement of MDaemon signatures in their messages by using the $SYSTEMSIGNATURE$ macro to place the default/domain signature and $ACCOUNTSIGNATURE$ to place the account signature.
MDaemon Instant Messaging in Webmail
The WorldClient and LookOut themes now feature a browser-based XMPP client that lets users instant message without needing to run the MDaemon Instant Messenger desktop application or some other XMPP client application. Users can enable it from Webmail's Options | Personalize screen, using the "Enable MDaemon's Instant Messaging feature in browser" option. Admins can enable or disable instant messaging per domain using the Domain Manager, per account using the Account Editor, or per group using the Group Manager.
MDaemon includes a new BOSH server to support instant messaging in Webmail. Its settings can now be configured on the XMPP screen (new in 18.5.1).
Exempt Webmail from Location Screening
Added a user option in Webmail to exempt Two Factor Authentication logins from Location Screening. If a user has BypassLocationScreeningTFA=Yes in the [User] section of their User.ini file, and Two Factor Auth is enabled for the user, Location Screening is bypassed. This allows users to login to Webmail in countries that would normally be blocked by Location Screening.
Improved AD Integration
Users whose accounts are set to use Active Directory (AD) authentication can now change their AD password in Webmail if the "AllowADPasswordChange" setting is enabled in \MDaemon\WorldClient\Domains.ini. It is disabled by default.
MDRA Expanded
MDaemon's Remote Administration (MDRA) web interface has been expanded to include access to many features that formerly could only be administered using MDaemon's graphical user interface.
New in MDaemon 18.0
DNSSEC
The new DNSSEC (DNS Security Extensions) option allows MDaemon to act as a Non-Validating Security-Aware Stub Resolver, which is defined in RFCs 4033 and 4035 as "an entity that sends DNS queries, receives DNS responses, and is capable of establishing an appropriately secured channel to a security-aware recursive name server that will provide these services on behalf of the security-aware stub resolver." What this means is that during MDaemon's DNS queries in can request DNSSEC service from your DNS servers, setting the AD (Authentic Data) bit in the queries and checking for it in the answers. This can provide an additional level of security during the DNS process for some messages, although not all, because DNSSEC is not yet supported by all DNS servers or for all top-level domains.
When enabled, DNSSEC service is only applied to messages that meet your selection criteria; it can be requested or required as broadly or narrowly as you choose. Simply designate any "Header Value" combinations you choose on the DNSSEC screen and MDaemon will request DNSSEC service for any messages matching that criteria whenever performing a DNS query. When the DNS results fail to include authenticated data then no negative consequences result; MDaemon simply falls back to normal DNS behavior. If, however, you wish to require DNSSEC for certain messages, add "SECURE" to the header/value combination (e.g. To *@example.net SECURE). For those messages, when the DNS results fail to include authenticated data, the message will be bounced back to the sender. Note: Because DNSSEC lookups take more time and resources, and because DNSSEC is not yet supported by all servers, MDaemon is not configured to apply DNSSEC to every message delivery by default. However, if you wish to request DNSSEC for every message you can do so by included "To *" in your criteria.
AntiVirus Mailbox Scanning
There is a new Scan all messages every [n] day(s) option under Security » AntiVirus that can be used to scan all stored messages periodically, to detect any infected message that may have passed through the system before a virus definition update was available to catch it. Infected messages will be moved to the quarantine folder and have the X-MDBadQueue-Reason header added, so that you can see an explanation when viewed in MDaemon. Messages that cannot be scanned will not be quarantined. There is also a Configure mailbox scan option to specify how often you wish to scan the messages and whether you wish to scan all message or only those that are less than a certain number of days old. You can also manually run a mailbox scan immediately.
Exempt Known ActiveSync Devices from Location Screening
Enable the new Exempt from Location Screening option on an ActiveSync client's settings screen if you want the device to be able to bypass Location Screening. This makes it possible for a valid user to continue to access his or her account via ActiveSync when, for example, traveling to a location that is otherwise blocked from authentication attempts. In order to exempt the device it must have connected and authenticated using ActiveSync within the time-frame configured in the Remove inactive clients after this many days setting located on the Tuning screen. When exempting a device from Location Screening, there is also an option to whitelist the remote IP address from which it is connecting. This can be useful for allowing other clients that might be connecting from the same IP address.
New Webmail and MDRA Features
Remember Me
You can now add a "Remember Me" checkbox to the sign-in pages of MDaemon Webmail and MDaemon Remote Administration (MDRA), via options located on the Webmail Settings screen and MDRA Web Server screen, respectively. When this option is enabled, users who sign-in via the https port will see the checkbox. If users check this box then their credentials will be remembered for that device. Then any time they use that device to connect to Webmail or MDRA in the future they will be signed in automatically, until such time that they manually sign out of their account or their Remember Me token expires. The Remember Me option is disabled by default and applies to all of your domains. If you wish to override this setting for specific Webmail domains then use the Remember Me setting located on the Domain Manager's Webmail screen in MDaemon's desktop interface.
By default, users' credentials will be remembered for 30 days before they are forced to sign-in again, but you can use the Expire Remember Me tokens after this many days option (located in MDRA) to designate a different number of days if you choose. You can set this option up to 365 days. Note: Two-Factor Authentication (2FA) has its own Remember Me expiration key (TwoFactorAuthRememberUserExpiration=30), located in the [Default:Settings] section of the Domains.ini file, located in the \MDaemon\WorldClient\ folder. Therefore 2FA will again be required at sign-in when the 2FA Remember Me token expires, even if the regular token is still valid.
In MDRA there is also a Reset Remember Me button that you can use if you suspect that an account may have had a security breach. This will reset the Remember Me tokens for all users, causing them to have to sign-in again.
Email Snooze
In MDaemon Webmail you can now snooze an email in your message list. A snoozed message will be hidden from you for a designated period of time. To snooze a message, right click on it and choose the "Snooze for..." option in the context menu. Then choose how long you wish to snooze the message. The "Choose a date and time" option is only available for browsers that support the date and time inputs. Hidden messages can be viewed in the LookOut theme by clicking the "View Snoozed Messages" icon in the toolbar and the WorldClient theme by choosing "view snoozed" from the view drop-down menu in the toolbar. This feature is on by default. To turn off the feature, go to Options | Personalize in Webmail and find the Inbox Settings. Uncheck the "Enable Message Snooze" box. There are no snooze controls in Lite and Mobile theme, but snoozed messages are still hidden.
Public Calendars
In MDaemon Webmail users can now publish a calendar to a publicly accessible link, and they have the option to password-protect the calendar. To publish a calendar, in Webmail's LookOut or WorldClient theme go to Options | Folders and click the "Share Folder" button next to the calendar you wish to publish. Then, open the Public Access tab and, if desired, fill in the display name or require a password, then click the "Publish Calendar" button. A confirmation dialog will be displayed, and after clicking OK an alert will display the new URL where the calendar is available. There will also be a link displayed on the page once the calendar has been published. To unpublish the calendar, click the "Unpublish Calendar" button. To change the password or the display name, click the "Update" button.
If you wish to disable this globally, change the value of the EnablePublicCalendars key to No in the [Default:Settings] section of the Domains.ini file. To disable it on a per user basis, add CanPublishCalendars=No to a user's User.ini file.
New in MDaemon 17.5
Location Screening
Location Screening is a geographically based blocking system that you can use to block incoming SMTP, POP, IMAP, Webmail, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger connections from unauthorized regions of the world. MDaemon determines the country associated with the connecting IP address and then blocks that connection if it is from a restricted location, and adds a line to the Screening log. For SMTP, Location Screening can optionally block only connections using AUTH. This is useful, for example, if you have no users in a specific country but still wish to be able to receive mail from there. That way you would only block those attempting to log in to your server.
The \MDaemon\Geo\ folder contains database files that serve as the master country IP database. The files were provided by MaxMind (www.maxmind.com), and updates can be downloaded from their site if desired.
Dynamic Screening for All Protocols and Services
MDaemon's Dynamic Screening system has been greatly expanded to operate with SMTP, POP, IMAP, Webmail, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger. Authentication failures are tracked across all of these services and IPs addresses can be blocked for all of them. Dynamic Screening can be configured on its new, multi-tabbed dialog under the Security menu.
PIM Attachments
PIM (calendar, contact, tasks, notes) items now support attachments. Attachments can be added to a PIM item via Webmail, Outlook Connector, or CalDAV/CardDAV. When scheduling a meeting, any attachments will be sent to the meeting attendees.
PGP Key-exchange During SMTP
The MDPGP dialog contains a new option to enable the automatic transmission of public keys as part of the SMTP message delivery process. To do so, MDaemon's SMTP server will honor an SMTP command called RKEY. When sending an email to a server that supports RKEY, MDaemon will offer to transmit the sender's current, preferred public-key to the other host. That host will respond indicating that it either already has that key ("250 2.7.0 Key already known") or that it needs that key, in which case the key is immediately transferred in ASCII armored form ("354 Enter key, end with CRLF.CRLF") just like an email message. Keys that are expired or revoked are never transmitted. If MDaemon has multiple keys for the sender it will always send the key that is currently marked as preferred. If no key is preferred then the first one found is sent. If no valid keys are available then nothing is done. Only public-keys that belong to local users are offered.
Public-key transfers happen as part of the SMTP mail session that delivers the message from the user. In order for the public-keys transmitted in this way to be accepted, the public-key must be sent along with a message that has been DKIM signed by the domain of the key owner with the i= set to the address of the key owner, which also must exactly match the From: header address of which there can be only one. The "key owner" is taken from within the key itself. Also, the message must arrive from a host in the sender's SPF path. Finally, the key owner (or his entire domain via use of wildcards) must be authorized for RKEY by adding an appropriate entry to the MDPGP rules file (instructions are in the rules file for this) indicating that the domain can be trusted for key exchange. All this checking is done automatically for you but you must have DKIM and SPF verification enabled or no work can be done.
The MDPGP log shows the results and details of all keys imported or deleted, and the SMTP session log also tracks this activity. This process tracks the deletion of existing keys and the selection of new preferred keys and updates all participating servers it sends mail to when these things change.
Manage Outlook Add-ins for Outlook Connector Users
Using the new Add-ins screen on the OC Client Settings dialog, you can manage the state of the Outlook Add-ins used by your Outlook Connector users. You can allow any or all of the add-ins to be used normally, or you can disable any that you choose. This feature can be especially useful in cases where you know of a specific add-in that conflicts with the Outlook Connector Client, allowing you to disable that add-in to avoid problems. The Add-ins feature requires Outlook Connector 5.0 or newer.
Webmail Changes
Import/Export Groups/Distributions Lists
In the LookOut and WorldClient themes, an option was added to export and import Groups/Distribution Lists from and to a contact folder in Webmail. The format is MDaemon Webmail specific, since Outlook does not support exporting and importing Groups. The format is as follows:
Columns: Group GUID, Group Name, GUID, Full Name, Email
Each line that contains either a Group Name or a Group GUID is considered the beginning of a new group. Any GUID, Full Name or Email on that line is considered the first member of the group/list.
Example from Excel:
Group GUID |
Group Name |
GUID |
Full Name |
|
|---|---|---|---|---|
The Jedis |
Anakin Skywalker |
ani@jedi.mail |
||
Leia Organa |
leia.organa@jedi.mail |
|||
Luke Skywalker |
luke.skywalker@jedi.mail |
|||
Yoda |
yoda@jedi.mail |
|||
The Siths |
Darth Maul |
darth.maul@sith.mail |
||
Darth Vader |
darth.vader@sith.mail |
|||
Emperor Palpatine |
emperor.palpatine@sith.mail |
When importing, the Group GUID is replaced with a freshly generated GUID. If no Group Name is included, the name will be displayed without translation as "ImportedFromCSV_%GUID%", where %GUID% is replaced with the first five characters of the GUID. Leaving the cells to the right of a group name empty will result in the next line being the first member of the group/list. The Email field is required for a member to be added.
Voice Recorder
Voice Recording was added to the Lookout and WorldClient themes. This feature requires a microphone and is only available in certain browsers. It can be disabled by the admin on a per user basis by adding EnableVoiceRecorder=No to the User.ini. Users are limited to five tracks of five minutes each. Attempting to record more than five tracks in a Voice Recorder session will result in either the selected track or the first track being replaced by the new recording (the user will be prompted). After recording is stopped (either automatically or by the user), the track is converted to an mp3 and uploaded to the server. Users have four options regarding each track:
•Save to the desktop
•Save to default WorldClient documents folder
•Send in an email using a quick dialog that only includes To, CC, BCC, Subject, and a plain/text Message Body
Only the To is required. There are generic Subject and Message Body phrases used when no Subject or Message Body is input by the user.
•Open a new Compose view with the track attached
Users can only act on one track at a time. For example, only one track can be attached to a message. If a user wants to attach multiple tracks to a message, the user will need to save each track to the default documents, and do the attaching from there.
New Folder Management Features
The LookOut and WorldClient themes have new folder management features in the Options » Folders view and in the main folder list view.
In the folder list view (left pane):
•Users can drag and drop to move folders from one parent folder to another.
•Users can rename folders and give favorites nicknames by clicking on them a second time (shortly after folder selection)
•Show Folders by Type is now available in the LookOut theme
•If there is already at least one favorite folder (because favorites are hidden until one is added), users can drag and drop a folder to favorites in order to add it (dragging a folder out of the favorites does nothing).
•The new folder and rename folder dialogs were added to the LookOut theme
In the Options » Folders view, the folder tree is now collapsible, and the New Folder dialog has been moved to an external window like in the WorldClient theme.
New in MDaemon 17.0
XMPP support for WorldClient Instant Messenger (WCIM)
WCIM now uses the XMPP protocol for instant messaging instead of WorldClient's proprietary protocol. This allows the WCIM desktop client to communicate not only with other WCIM clients, but any third-party XMPP clients (including mobile clients) connected to your MDaemon's XMPP server. Additionally, WCIM now has two types of connections: "WCMailCheck" and "WCIMXMPP." WCMailCheck connects to WorldClient for new mail notifications and message counts. WCIMXMPP connects to the XMPP server for instant messaging. Consequently, WCIM users will now have an entry for each type of connection listed on the Connections screen of the client (e.g. "Example.com Mail" and "Example.com WCIM"). When updating to version 17, WCIM will automatically create a WCIMXMPP connection to go with your already existing WCMailCheck connection, and it will migrate your IM contacts from the old system to XMPP. The look and feel of the new WCIM client is essentially the same, but there are some differences, such as how contacts and group chats are managed. See the WCIM client's Help system for more info about what has changed.
WorldClient Dropbox Integration
WorldClient is new equipped with direct support for Dropbox, which allows your users to save file attachments to their Dropbox accounts, and to insert direct links to Dropbox files in outgoing messages. To provide this feature to your WorldClient users, you must set up your WorldClient as a Dropbox app on the Dropbox Platform. This is a simple process, requiring you only to sign in to a Dropbox account, create a unique name for an app with Full Dropbox access, specify the Redirect URI to WorldClient, and change one default setting. Then, you will copy and paste the Dropbox App Key and App Secret from there to the options on Dropbox screen in MDaemon. After that your users will be able to link their Dropbox accounts to WorldClient when they next sign in to WorldClient. For step-by-step instructions on how to create your Dropbox app and link it to WorldClient, see: Creating and Linking Your Dropbox App.
When you create your Dropbox app it will initially have "Development" status. This allows up to 500 of your WorldClient users to link their Dropbox accounts to the app. According to Dropbox, however, "once your app links 50 Dropbox users, you will have two weeks to apply for and receive Production status approval before your app's ability to link additional Dropbox users will be frozen, regardless of how many users between 0 and 500 your app has linked." This means that until you receive production approval, Dropbox integration will continue to work but no additional users will be able to link their accounts. Obtaining production approval is a straightforward process to ensure that your app complies with Dropbox's guidelines and terms of service. For more information, see the Production Approval section of the Dropbox Platform developer guide.
Once your WorldClient app is created and configured properly, each WorldClient user will be given the option to connect their account to their Dropbox account when they sign in to WorldClient. The user is required to log in to Dropbox and grant permission for the app to access the Dropbox account. Then the user will be redirected back to WorldClient using a URI that was passed to Dropbox during the authentication process. For security that URI must match one of the Redirect URIs you specified on your app's info page at Dropbox.com. Finally, WorldClient and Dropbox will exchange an access code and access token, which will allow WorldClient to connect to the user's Dropbox account so that the user can save attachments there. The exchanged access token expires every seven days, meaning that periodically the user must reauthorize the account to use Dropbox. Users can also manually disconnect their account from Dropbox, or reauthorize it when necessary, from the Cloud Apps options screen within WorldClient.
Integration with Let's Encrypt via PowerShell script
To support SSL/TLS and HTTPS for MDaemon, WorldClient, and Remote Administration, you need an SSL/TLS Certificate. Certificates are small files issued by a Certificate Authority (CA) that are used to verify to a client or browser that it is connected to its intended server, and that enable SSL/TLS/HTTPS to secure the connection to that server. Let's Encrypt is a CA that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
To support using Let's Encrypt's automated process to manage a certificate, MDaemon includes a PowerShell script in the "MDaemon\LetsEncrypt" folder. A dependency of the script, the ACMESharp module v2, requires PowerShell 5.1 and .Net Framework 4.7.2, which means the script will not work on Windows 2003. Additionally, WorldClient must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the WorldClient HTTP folder to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate for MDaemon, WorldClient, and Remote Administration.
If you have an FQDN setup for your default domain that does not point to the MDaemon server, this script will not work. If you want to setup alternate host names in the certificate, you can do so by passing the alternate host names on the command line.
Example usage:
..\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,wc.domain.com -IISSiteName MySite -To "admin@yourdomain.com"
You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, suppose your default domain is "example.com" configured with an FQDN of "mail.example.com", and you want to use an alternate host name of "imap.example.com". When you run the script, you will only pass "imap.example.com" as an alternate host name. Further, if you pass alternate host names, an HTTP challenge will need to be completed for each one. If the challenges are not all completed then the process will not complete correctly. If you do not want to use any alternate host names then do not include the –AlternateHostNames parameter in the command line.
If you are running WorldClient via IIS, you will need to pass this script the name of your site using the -IISSiteName parameter. You must have Microsoft's Web Scripting tools installed in order for the certificate to be automatically setup in IIS.
Finally, the script creates a log file in the "MDaemon\Logs\" folder, called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date and time of the script but not the date and time stamp for each action. Also, notification emails can be sent when an error occurs. This is done using the $error variable, which is automatically created and set by PowerShell. If you do not wish to have email notifications sent when an error occurs, do not include the –To parameter in the command line.
Option to store mailbox passwords using non-reversible encryption
There is a new Password option to store mailbox passwords using non-reversible encryption. This protects the passwords from being decrypted by MDaemon, the administrator, or a possible attacker. When enabled, MDaemon uses the bcrypt password hashing function, which allows for longer passwords (up to 72 characters), and for passwords to be preserved yet not revealed when exporting and importing accounts. Some features, however, are not compatible with this option, such as weak password detection and APOP & CRAM-MD5 authentication, because they depend on MDaemon being able to decrypt passwords. Non-reversible passwords is enabled by default.
ActiveSync Client Approval
There is a new ActiveSync setting that you can use to require that "New clients must be authorized by an administrator prior to synchronizing" with an account. The Clients list indicates any clients awaiting authorization, and the administrator can authorize them from the same screen. This option is available on the Global and Account client settings screens. The global option is Off by default and the account option is set to "Inherit."
ActiveSync Notifications
Two types of administrative notifications have been added to ActiveSync: Sync Rollback Notifications and Corrupt Message Notifications.
Sync Rollback Notifications
The ActiveSync Service can now notify the administrators if a client is repeatedly/frequently sending expired Sync Keys in Sync operations.
These merely inform the admin that the server issued a rollback for a given collection because a client made a sync request with the most recently expired Sync Key. The subject states "ActiveSync Client Using expired Sync Key". This could occur because of a network issue or something about the content previously sent to the client in that collection. In some cases, the item ID will be there, it merely depends upon whether or not the previous sync on that collection sent any items.
Rollback warnings do not mean the client is out of Sync, it means that the client has the potential to go out of Sync and our internal system detected it. Rollback warnings are issued for a collection no more than once per 24 hour period. The following keys can be edited under the [System] header in the \MDaemon\Data\AirSync.ini file:
•[System] SendRollbackNotifications=[0|1|Yes|No|True|False] (Default is disabled)
•[System] RollbackNotificationThreshhold=[1-254] : The number of rollbacks that must occur on a given collection prior to a notification being sent to the admin. We recommend a value of at least 5 here, since Network hiccups play a part in this. (Default is 10)
•[System] RollbackNotificationCCUser=[0|1|Yes|No|True|False] : Whether or not to CC the user whose client sent that expired Sync Key. (Default is disabled)
ActiveSync Corrupt Message Notifications
The ActiveSync Service can now notify the administrators if a particular message cannot be processed. These are sent in real time to inform the admin of a mail item that could not be parsed and that further action on this item is not possible. The subject states "Corrupt message notification". These items, in previous versions, could lead to a crash. In most cases, the content of the msg file will not be MIME data. If it is MIME data, it is likely corrupt. You can choose to CC the affected user of these notifications with the CMNCCUser key so that they are aware that an email has arrived in their mailbox that is un-readable. The appropriate action for these is to move the designated msg file from the user's mailbox and analyze it to determine both why it is not able to be parsed and how it came to exist in the state that it is in. The following keys can be edited under the [System] header in the \MDaemon\Data\AirSync.ini file:
•[System] SendCorruptMessageNotifications=[Yes|No|1|0|True|False] (Default is Enabled)
•[System] CMNCCUser==[0|1|Yes|No|True|False] (Default is Enabled)
New in MDaemon 16.5
MDPGP Improvements
Key Server Support
WorldClient
WorldClient can now act as a basic public-key server. Enable the new MDPGP option to "Send public-keys over HTTP (WorldClient)" and WorldClient then will honor requests for your users' public-keys. The format of the URL to make the request looks like this: "http://<WorldClient-URL>/WorldClient.dll?View=MDPGP&k=<Key-ID>". Where <WorldClient-URL> is the path to your WorldClient server (for example, "http://wc.example.com") and <Key-ID> is the sixteen character key-id of the key you want (for example, "0A1B3C4D5E6F7G8H"). The key-id is constructed from the last 8 bytes of the key fingerprint - 16 characters in total.
DNS (PKA1)
Enable the new MDPGP option to "Collect public-keys from DNS (pka1) and cache for [xx] hours" if you want MDPGP to query for message recipient public-keys over DNS using PKA1. This is useful because it automates the process of obtaining some recipients' public keys, preventing you or your users from having to obtain and import them manually in order to send encrypted messages. When PKA1 queries are made, any key URI found is immediately collected, validated, and added to the key-ring. Keys successfully collected and imported to the key-ring using this method will automatically expire after the number of hours specified in this option or according to the TTL value of the PKA1 record that referred them, whichever value is greater.
Key Handling
Tracking Keys
MDPGP now always tracks keys by their primary key-ids rather than sometimes by the key-id and other times the sub-key-id. Consequently, the MDPGP dialog's list of keys was cleaned up to remove two unnecessary columns. Further, MDPGP now more strictly controls the contents of its "exports" folder. As a result you will always find exported copies of local user keys there. Even though the private keys are encrypted, for extra security you should use OS tools to protect this folder (and indeed the entire PEM folder structure) from unauthorized access.
Preferred Keys
Previously, when multiple different keys for the same email address were found in the key-ring, MDPGP would encrypt messages using the first one that it found. Now you can right-click on any key and set it as preferred, so that MDPGP will use that key when multiple keys are found. If no preferred key is declared, MDPGP will use the first one found. When decrypting a message MDaemon will try each one.
Disabled Keys
Disabled and deleted keys are now tracked in a new file called oldkeys.txt. Previously, disabled keys were tracked in the plugins.dat file.
MDPGP Signature Verification
MDPGP can now verify embedded signatures found within messages that are not encrypted. Previously it was not able verify signatures unless the message was both signed and encrypted. When viewing a message with a verified signature in WorldClient, a new icon is displayed to indicate it was verified. Signature verification is enabled by default for all non-local users, or you can specify exactly which email addresses can and cannot use the service (see: "Configure exactly who can and can not use MDPGP services" on the MDPGP dialog).
XMPP Instant Messaging Server
MDaemon is now equipped with an Extensible Messaging and Presence Protocol (XMPP) server, sometimes called a Jabber server. This allows your users to send and receive instant messages using third-party XMPP clients, such as Pidgin, Gajim, Swift and many others. Clients are available for most operating systems and mobile device platforms. MDaemon's XMPP instant messaging system is completely independent of MDaemon's WorldClient Instant Messenger chat system; the two systems cannot communicate with each other and do not share buddy lists.
The XMPP server is installed as a Windows service, and the default server ports are 5222 (SSL via STARTTLS) and 5223 (dedicated SSL). The XMPP server will use MDaemon's SSL configuration if it is enabled in MDaemon. Also, some XMPP clients use DNS SRV records for auto-discover of host names. Please refer to http://wiki.xmpp.org/web/SRV_Records for more information.
Users sign-in through their chosen XMPP client using their email address and password. Some clients, however, require the email address to be split into separate components for signing in. For example, instead of "frank@example.com," some clients require you to use "frank" as the Login/Username and "example.com" as the Domain.
For multi-user/group chat service, clients typically display this as "rooms" or "conferences." When you want to start a group chat session, create a room/conference (giving it a name) and then invite the other users to that room. Most clients don't require you to enter a server location for the conference; you only need to enter a name for it. When you are required to do so, however, use "conference.<your domain>" as the location (e.g. conference.example.com). A few clients require you to enter the name and location together in the form: "room@conference.<your domain>" (e.g. Room01@conference.example.com).
Some clients (such as Pidgin), support the user search service, allowing you to search the server for users by name or email address, which makes adding contacts much easier. Usually you will not have to provide a search location, but if asked to do so, use "search.<your domain>" (e.g. search.example.com). When searching, the % symbol can be used as a wildcard. Therefore you could use "%@example.com" in the email address field to display a list of all users with an email address ending in "@example.com."
Centralized Management of OC Client Settings
Use the OC Client Settings dialog to centrally manage the client settings of your Outlook Connector users. Configure each screen with your desired client settings and MDaemon will push those settings to the corresponding client screens as necessary, each time an Outlook Connector user connects to the server. The OC Client Settings are only sent to clients when one of the settings has changed since the last time the client connected and received them. If you enable the provided option to "Allow OC users to override pushed settings," users can override any pushed settings on their individual clients. If that option is disabled, then all of the client screens are locked; Outlook Connector users can make no changes.
To allow for certain settings that must be different for each user or domain, OC Client Settings supports macros such as $USERNAME$, $EMAIL$, and $DOMAIN$. These macros will be converted to data specific to the user or domain when pushing settings to a client. Take care not to place any static values in any fields that should use a macro, such as putting something like "Frank Thomas" in the Your Name field. To do so would cause every Outlook Connector user who connects to MDaemon, to have his or her name set to "Frank Thomas." For your convenience there is a Macro Reference button on the General screen, which displays a simple list of the supported macros.
For those using MDaemon Private Cloud (MDPC), there is another OC Client Settings dialog on the Domain Manager, for controlling the Outlook Connector client settings on a per domain basis.
This feature is disabled by default, and works only for those using Outlook Connector client version 4.0.0 or higher.
"From:" Header Protection/Modification
This new security feature modifies the "From:" header of incoming messages to cause the name-only portion of the header to contain both the name and email address. This is done to combat a common tactic used in spam and attacks where the message is made to appear to be coming from someone else. When displaying a list of messages, email clients commonly display only the sender's name rather than the name and email address. To see the email address, the recipient must first open the message or take some other action, such as right-click the entry, hover over the name, or the like. For this reason attackers commonly construct an email so that a legitimate person or company name appears in the visible portion of the "From:" header while an illegitimate email address is hidden. For example, a message's actual "From:" header might be, "Honest Bank and Trust" <lightfingers.klepto@example.com>, but your client might display only "Honest Bank and Trust" as the sender. This feature changes the visible portion of the header to display both parts, with the email address given first. In the above example the sender would now appear as "lightfingers.klepto@example.com -- Honest Bank and Trust," giving you a clear indication that the message is fraudulent. This option only applies to messages to local users, and it is disabled by default.
Improved IP Screening
The IP Screen now contains an Import button that you can use to import IP address data from an APF or .htaccess file. MDaemon's support for these files is currently limited to the following:
•"deny from" and "allow from" are supported
•only IP values are imported (not domain names)
•CIDR notation is allowed but partial IP addresses are not.
•Each line can contain any number of space-separated or comma-separated IP addresses. For example, "deny from 1.1.1.1 2.2.2.2/16", ""3.3.3.3, 4.4.4.4, 5.5.5.5", and the like.
•Lines starting with # are ignored.
Automatic Installation of Product Updates
Using the Automatic Updates features you can configure MDaemon to inform the postmaster whenever an update is available for one of your installed products, or you can download and install updates automatically. This includes MDaemon, SecurityPlus, and Outlook Connector. Automatically installing updates can be controlled separately for each product, and a server reboot is required each time an update is installed. Installer files are downloaded when the update is detected, but the installation and reboot occur later at whichever hour you have designated. All installation activity is logged in the MDaemon system log, and the postmaster is informed after an update has occurred. See the Updates dialog for more information.
WorldClient Changes
WorldClient supports categories for email in the LookOut and WorldClient themes. Users can add the Categories column to the message list by going to "Options » Columns" and checking "Categories" in the Message List section. To select categories for one or multiple messages, select the messages and right-click one of them. Use the context menu to set the category.
•Administrators can create custom categories. There are two files for this purpose: DomainCategories.json and PersonalCategories.json.
•Domain Categories are enabled globally by default. To disable them open MDaemon\WorldClient\Domains.ini, and in the [Default:Settings] section change the value of "DomainCategoriesEnabled=" from "Yes" to "No".
•Users are able to add and edit their own categories by default. If you wish to disable this option, you can do so per user or globally by changing the value of "CanEditPersonalCategories=" from "Yes" to "No". The user option is located in the [User] section of the User.ini file and the global option is in the Domains.ini file under the [Default:UserDefaults] section.
•If Domain Categories are enabled, and a user is not allowed to edit personal categories, the user will only see the categories listed in DomainCategories.json.
•If Domain Categories are disabled, and a user is not allowed to edit personal categories, the user will see the categories listed in PersonalCategories.json.
•The file CustomCategoriesTranslations.json is used to support your custom category names in multiple languages. Add any necessary custom category translatations to that file to make it possible for WorldClient to recognize a category saved to an event, note, or task in one language as the equivalent category in another language.
For more detailed information relating to the files mentioned here, see: MDaemon\WorldClient\CustomCategories.txt.
You can now hide the White List and Black List folders for WorldClient users by default. To do so, open MDaemon\WorldClient\Domains.ini, and under [Default:UserDefaults] change the value of "HideWhiteListFolder=" or "HideBlackListFolder=" from "No" to "Yes". You can hide or show these folders for specific users by editing those same keys in the User.ini file under the [User] section.
Check for Attachments
In the LookOut and WorldClient themes there is now an option to check a composed message for attachments before sending, when attachments are mentioned in the subject or body of the message. This can help you avoid accidentally sending a message without an attachments when it is supposed to include one.
You can now control whether or not accounts are allowed to use or required to use Two-Factor Authentication (2FA). There are two new options on the New Accounts template for controlling the default settings for new accounts, and there are corresponding options on the Web Services screen for controlling 2FA for individual accounts.
New in MDaemon 16.0
MDaemon Remote Administration (MDRA) UI Update
The user interface for MDRA no longer uses frames and has been updated to use a mobile first responsive design. Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS. Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.
This design is based entirely on the size of the window being used. Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size. The most important change here is the menu. From 1024 pixels width and below, the menu is hidden on the left side of the browser. There are two methods that can be used to display the menu. If a touch device is in use, swiping to the right will show the secondary menu. Whether or not the device is in use, there is also a "menu" button in the top left corner that will display the secondary menu. Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu. The help, about, and sign out menu in the top right corner changes based on the width of the screen as well. From 768 pixels and above, the words Help, About, and Sign Out are displayed. From 481 pixels to 767 pixels, only the icons are displayed. 480 pixels and below displays only a "gear" icon which when clicked or tapped will display a drop down menu with the Help, About, Sign Out options. List views with more than one column have column on/off buttons that are accessed by clicking or tapping the gray right arrow button on the far right of the toolbar container. The settings pages are no longer designed to be exact copies of the MDaemon GUI, but are instead designed to reposition and resize based on the width/height of the browser.
Spambot Detection
A new feature called Spambot Detection tracks the IP addresses that every SMTP MAIL (return-path) value uses over a given period of time. If the same return-path is used by in an unusual number of IP addresses in a short period of time, this may indicate a spambot network. Although it could still be a legitimate use of the mail system, experimentation has shown that this can be effective in limited cases at detecting a distributed spambot network as long as the same return-path is utilized throughout. If a spambot is detected, the current connection to it is immediately dropped and the return-path value is optionally blacklisted for a length of time you specify. You can also optionally blacklist all the spambot IPs then known for a user-defined period.
CardDAV
MDaemon now supports synchronizing contacts via the CardDAV protocol. MDaemon's CardDAV server allows an authenticated CardDAV client to access the contact information that is stored in MDaemon. Notable CardDAV clients are Apple Contacts (included with Mac OS X), Apple iOS (iPhone), and Mozilla Thunderbird via the SOGO plugin. For more information on CardDAV and configuring CardDAV clients, see: CalDAV & CardDAV.
Two Factor Authentication for WorldClient and Remote Administration
MDaemon now supports Two Factor Authentication (i.e. 2-Step Verification) for users signing into WorldClient or MDaemon's Remote Administration web-interface. Any user who signs into WorldClient via HTTPS can activate Two Factor Authentication for the account on the Options » Security screen. From then on the user must enter a verification code when signing into WorldClient or Remote Administration. The code is obtained at sign-in from an authenticator app installed on the user's mobile device or tablet. This feature is designed for any client that supports Google Authenticator.
ActiveSync Protocol Migration Client
MDaemon now includes an ActiveSync protocol based Migration Client (ASMC.exe). It supports migrating mail, calendars, tasks, notes, and contacts from ActiveSync servers that support protocol version 14.1. Documentation for it can be found in the \MDaemon\Docs folder.
XML API for Management Tasks
MDaemon now ships with an XML over http(s) based API. The result of this is that MDaemon Management clients can be written using any language on any platform that can make http(s):// post requests to the server. In MDaemon, this is only available to authenticated Global Admins, but in MDaemon Private Cloud a subset of the available operations is accessible to authenticated domain admins as well. The API also produces a website with documentation on the API specification. The installation default is to have it installed at http://servername:RemoteAdminPort/MdMgmtWS/, however, this can be set to any url for the sake of additional security.
The available operations include:
•Help
•CreateDomain
•DeleteDomain
•GetDomainInfo
•UpdateDomain
•CreateUser
•DeleteUser
•GetUserInfo
•UpdateUser
•CreateList
•DeleteList
•GetListInfo
•UpdateList
•AddDomainAdministrator
•DeleteDomainUsers
•GetDomainList
•GetVersionInfo
•GetQueueState
•GetServiceState
•SetAddressRestriction
•GetAddressRestriction
At this time, command line management clients have been written/tested in Javascript, Powershell, VBScript, C, C++ and Visual Basic. A simple HTML and Javascript test site has been used as a proof of concept for a web based management console that operates within several popular browsers. While not tested yet, it is fully expected that this API should work fine from web servers using PHP, Perl, and other development platforms.
See:
