SecurityGateway 4.0.1 - July 26, 2016
CHANGES AND NEW FEATURESS
-  SPF will now only honor the global IP whitelist. This prevents an
issue where SPF lookups are not performed if the sender's address is on a whitelist.
-  fix to users are re-verified against the user verification source for each
message received. The "flag users for re-verification after X hours"
is not honored.
-  fix to the Configuration and Defaults settings on the User Options page
are not be saved when specifying them per domain
-  fix to when creating or editing an SMTP user verification source the password
is not hidden
-  fix to when the operating system's codepage for non-Unicode application
is set to a multi-byte codepage (i.e. Japanese or Chinese) , and the logged in user's
language is Japanese or Chinese, report graphs may not be displayed. The SecurityGateway
system service may also terminate when the above is true and a report is requested.
-  fix to subject of automated messages may contain additional whitespace around
-  fix to German language Disclaimer List page does not load and displays pop-up
-  fix to unable to save "When SPF processing returns a PASS result add
points to message score" option
-  fix to database configuration backup fails if any Remote POP Accounts
SecurityGateway 4.0.0 - June 14, 2016
MAJOR NEW FEATURES
 Web Interface Updated to use a Mobile First Responsive Design
The web interface has been updated to use a mobile first responsive design.
Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and
the latest Safari on Mac and iOS. Android stock browsers have been known to
have issues with scrolling, but Chrome on Android devices works well.
This design is based entirely on the size of the window being used. Whether
the user is on a phone, tablet, or PC, the appearance is the same for the same window
size. The most important change here is the menu. From 1024 pixels width
on down the menu is hidden on the left side of the browser. There are two
methods that can be used to display the menu. If a touch device is in use,
swiping to the right will show the secondary menu. Whether or not a touch
device is in use, there is also a "menu" button in the top left corner
that will display the secondary menu. Tapping or clicking the menu title with
the left arrow next to it at the top of the menu will display the primary menu.
The help, about, and sign out menu in the top right corner changes based on the
width of the screen as well. From 768 pixels up shows the words Help, About,
and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels
or less displays a "gear" icon which when clicked or tapped will display
a drop down menu with the Help, About, Sign Out options. List views with more
than one column have column on/off buttons.
Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance)
has been added. DMARC defines a scalable mechanism by which a mail sending organization
can express, using the Domain Name System, domain level policies and preferences
for message validation, disposition, and reporting, and a mail receiving organization
can use those policies and preferences to improve mail handling. The DMARC specification
and full details about what it does and how it works can be found here:
DMARC allows domain owners to express their wishes concerning the handling of messages
purporting to be from their domain(s) but which were not sent by them. Possible
message handling policy options are "none" in which case SecurityGateway
takes no action, "reject" in which case SecurityGateway refuses to accept
the message during the SMTP session itself, and "quarantine" in which
case SecurityGateway places the following header into each message for easy filtering
into your user's Junk E-mail folder: "X-SGDMARC-Fail-policy: quarantine".
This header is only added when the result of the DMARC check is "fail"
and the resulting DMARC policy is something other than "none." It
is possible to configure SecurityGateway to accept messages even though DMARC requests
that they be rejected. In fact, this is the default operational mode.
In these cases SecurityGateway will place an "X-SGDMARC-Fail-policy: reject"
header into the message in case you want to filter more seriously on that.
DMARC supersedes ADSP and the message disposition features of SPF. However,
you can still use all of them together with DMARC. ADSP and SPF message
rejection now takes place after DMARC processing if DMARC verification is enabled.
DMARC depends in part upon the use of a "Public Suffix List." A "Public
Suffix" is one under which Internet users can directly register names. Some
examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. A "Public Suffix
List" is a list of all known public suffixes. SecurityGateway uses the one
maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/.
A copy of this list is installed into your \App\ folder as effective_tld_names.dat.
There is currently no comprehensive or single authoritative source for such a list
which is an issue the Internet community should address. Over time this file will
grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat
and saving it to your \App\ folder. SecurityGateway will periodically and automatically
download and install this file as part of the daily maintenance event approximately
once every two weeks. Various controls to govern this can be found on the
new DMARC configuration screens. The DMARC log and the new DMARC window within
the Security tab inside the main UI will contain the results of the update and all
other DMARC processing operations. You can set a different file download URL
if needed but the data downloaded must conform to the format specified by Mozilla
for their file. You can read about this at the URL mentioned above. SecurityGateway
strictly follows the parsing algorithm specified by Mozilla. Create a (possibly
empty) file called "PUBLICSUFFIX.SEM" and place it in SecurityGateway's
\App\ folder if you replace or edit the effective_tld_names.dat file yourself and
need SecurityGateway to reload it without a reboot.
To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's
DNS setup. Information on how this record is defined and structured can be
found at http://www.dmarc.org. When you publish
a DMARC record to your DNS you may begin receiving DMARC reports from many different
sources via email. These reports are provided as a compressed XML file whose format
is governed by the DMARC specification. Consuming these reports is outside the scope
of SecurityGateway's DMARC implementation. However, the data within these reports
can provide important insight into a domain's mail flow, improper domain use,
DKIM signing integrity, and SPF message path accuracy/completeness. The addresses
to which these reports are sent is configured by you when you create your DMARC
When setting up a DMARC record for one or more of your domains take care with use
of p=reject. Take particular care if your domain provides email accounts for
general use by human users. If such users have signed up for any mailing lists,
make use of a mail forwarding service, or expect to use common things like "share
this article with a friend" you should know now that a DMARC p=reject policy
could make those things entirely impossible and if so you'll hear about it.
DMARC p=reject is perfectly appropriate and useful but only when it is applied to
domains that control how their email accounts are used (for example, transactional
mail, automated (i.e. non-human) accounts, or to enforce corporate policies against
use of the account outside organizational boundaries).
In order to support DMARC aggregate reporting SecurityGateway will store data which
it will need later in order to generate aggregate reports according to the DMARC
specification. SecurityGateway ignores the DMARC "ri="; tag and only produces
DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given
day. At midnight UTC (which is not necessarily midnight local time) SecurityGateway
consumes this stored data to generate the reports. SecurityGateway needs to be running
at this time or the stored data could grow and grow and never be consumed. Therefore,
if you do not run your SecurityGateway 24/7 you should not enable DMARC aggregate
reporting. DMARC aggregate reporting is disabled by default.
In order to support DMARC failure reporting RFC 5965 "An Extensible Format
for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting
Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF)
Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651
"Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting",
and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have
been fully implemented. Failure reports are created in real-time as the incidents
which trigger them occur. SecurityGateway implements DMARC AFRF type failure
reports and not IODEF type reports. Therefore, only values of "afrf"
in the DMARC "rf=" tag are honored. See the DMARC specification
for complete details. Multiple failure reports can be generated from a single
message depending upon the number of recipients in the DMARC record's "ruf="
tag and upon the value of the "fo=" tag times the number of independent
authentication failures which were encountered by the message during processing.
When the DMARC "fo=" tag requests reporting of SPF related failures SecurityGateway
sends SPF failure reports according to RFC 6522. Therefore, that specification's
extensions must be present in the domain's SPF record. SPF failure reports
are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.
When the DMARC "fo=" tag requests reporting of DKIM related failures SecurityGateway
sends DKIM and ADSP failure reports according to RFC 6651. Therefore, that
specification's extensions must be present in the DKIM-Signature header field
and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid
ADSP extensions in the ADSP TXT record. DKIM and ADSP failure reports are
not sent independent of DMARC processing or in the absence of RFC 6651 extensions.
See the various specifications referenced herein for complete details. DMARC
failure reporting is disabled by default.
Important Note: A DMARC record can specify that reports should be sent to
an intermediary operating on behalf of the domain owner. This is done when the domain
owner contracts with an entity to monitor mail streams for abuse and performance
issues. Receipt by third parties of such data may or may not be permitted by your
review and understand if your own internal policies constrain the use and transmission
of DMARC reporting and if so you should disable DMARC reporting as appropriate.
DMARC requires use of STARTTLS whenever it is offered by report receivers however
there's no way to predict or police this. However, you should enable STARTTLS
if you haven't already (see Setup | System | Encryption).
The Authentication-Results header has been extended to include DMARC processing
results. Note that Authentication-Results includes some data in comments for debugging
purposes including the DMARC policy requested by the domain owner which is not necessarily
the action taken on the message. For example, when the result of a DMARC check is
"pass" it does not matter what the DMARC policy states as policy is only
applied to DMARC checks which "fail". Similarly, when the result of a
DMARC check is "fail" and the policy is "reject" the message
may be accepted anyway for local policy reasons. Use of this header for filtering
should take all this into account. Alternatively, filter for "X-SGDMARC-Fail-policy:
quarantine" or "X-SGDMARC-Fail-policy: reject" to filter these messages
into spam folders or whatever you want to do. SecurityGateway strips out the
"X-SGDMARC-Fail-policy:" header from every incoming message.
Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header
or they are not processed which basically means that the absence of a single (one
and only one) properly formed (according to RFC specifications) RFC5322 From field
renders the message invalid generally and therefore invalid for DMARC processing.
Several new screens have been added at Security | Anti-Spoofing where you can set
various options related to DMARC use.
DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the
verified identities that those two mechanisms provide. You can't make
productive use of DMARC for inbound mail without one or both of those technologies
enabled. The UI will try to enforce this.
 Bind Domain to an IP address
For servers that have multiple IP addresses assigned, each domain may be bound
to a specific IP address. Mail from the domain will be sent from this IP address.
A SMTP Hostname may also be specified for the domain. This value is the Fully Qualified
Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending
mail for the domain. For incoming connections, this value will be used unless multiple
domains are bound to the IP address, in which case the FQDN used will be the one
that is associated with the domain that is first in alphabetical order.
CHANGES AND NEW FEATURESS
-  Updated ClamAV engine to version 0.99.2
-  Updated to version 8.00.0122 of the Cyren Outbreak Protection SDK
-  All support for the original DomainKeys message authentication system has
been removed. DomainKeys is obsolete and has been replaced by the acceptance
and adoption of DKIM which SecurityGateway continues to support. Some web
interface dialogs related to DomainKeys and DKIM found within Security | Anti-Spoofing
have been reorganized as a result and options related to DomainKeys removed and
the remaining options better consolidated. The install process will remove
-  All support for Sender-ID has been removed. This technology never
caught on and is obsolete.
-  All references to "company.mail" have been changed to "company.test"
to comply with RFC 6761
-  Updated the look of the quarantine report emails to match the new SG GUI
-  Added check boxes to lists that allow the selecting of multiple list items
-  Added an option to decide when to display the charts on the Main and My
Account landing pages to Main -> My Account -> Settings and to Setup / Users
-> Account -> User Options. The 4 choices are "Automatic" (default),
"Always", "Manual", and "Never".
-  Added X-Frame-Options: SAMEORIGIN header to HTTP responses
-  Added X-XSS-Protection: 1 header to HTTP responses
-  The Free Disk Space Monitoring page has been changed to display values in
MB instead of KB. The default "low disk space value" (the value
below which SecurityGateway believes the disk is running low and starts complaining
about it) was changed from 10MB to 1000MB. Likewise, the "auto-shutoff
value" (the value below which SecurityGateway will disable mail services due
to critically low disk space) was changed from 1MB to 100MB. Please check
and change the values at Setup|System|Disk Space if they present a problem for you.
-  Added description for system service, when viewed from the services manager
-  The "... unless message is TO a local account" exclusion for the
"Only domain mail servers can send local mail" Relay Control option is
now disabled by default
-  Added the ability to filter the message log by sender IP using
CIDR notation, simply enter the CIDR pattern as the IP address in the filter
-  Removed the "Blacklist" link from the quarantine report email
by default. Added a "Confirm as Spam" link that will learn the message
as spam if Bayesian learning is disabled and delete the messages from the user's
quarantine. The "Blacklist" link can be restored via an option in
Setup | Mail Configuration | Quarantine Options.
-  fix to Host, Addresses Blacklist and Address Whitelist dialogs are cut off
at bottom when using Firefox
-  fix to outbound SMTP session hangs if server returns that it supports AUTH
but lists no AUTH methods
-  fix to message that contains embedded NULL characters is corrupted
-  fix to message collected from remote POP accounts may be discarded if case
does not match
-  fix to if quarantine_report.xsl is found custom_admin_quarantine_report.xsl
is also assumed to exist
-  fix to cannot change a local admin to an external admin
-  fix to cannot edit an external administrator
-  fix to DKIM will not sign messages if the sender's domain name specified
in the SMTP session contains upper case letters
-  fix to Message Log "Subject Starts With" search condition returns
no results when using "NOT"
-  fix to Security->Anti-Spam->Greylisting unable to click "Exclude
messages from domain mail servers"
-  fix to Unable to "Delete All" quarantined messages when using
a filter with a date range set
-  fix to subject tag based upon the message's score is not added if the
message is also quarantined due to its score
-  fix to no result feedback message is displayed after using the Spam/Not
Spam toolbar buttons from the Quarantined (Admin) view.
-  fix to the sending of Administrative Quarantine reports are not logged to
-  fix to mouse cursor is not changed to a pointer when hovering over enabled
paging bar icons that can be clicked
-  fix to no VBR certifiers are trusted when multiple values are specified
for "Host name(s) of certification services that I trust"
-  SPF verifier ignoring CIDR pattern for A and MX policies
-  fix to Outbreak Protection queries may fail with "Unable to comply
with the request because you are not licensed for the antispam or VOD service"
after registration key is updated until SecurityGateway service is restarted
SecurityGateway 3.0.3 -
November 17, 2015
CHANGES AND NEW FEATURES
-  Compressed archive files (.zip and .rar) are now scanned for restricted attachments.
Archive files are recursively scanned up to a depth of 16 levels.
-  Added "STARTTLS Whitelist" and "STARTTLS Required List"
options to Setup | Encryption. STARTTLS will never be used when sending to
IP addresses, hosts, or domains on the STARTTLS whitelist. STARTTLS will never
be advertised to connecting hosts/IPs on the STARTTLS whitelist. SMTP connections
to hosts/IPs on the STARTTLS Required list MUST use STARTTLS. If STARTTLS is not
available or fails, the message will not be sent.
-  Added option to Setup | Encryption which allows you to temporarily white
list hosts which encounter an SSL error during an SMTP session. The white
list is reset every hour.
-  SecurityGateway now supports TLS 1.1 and 1.2. Requires Windows 7 / Server
2008 R2 or newer.
-  Added an option for a global administrator to export all whitelists and
blacklists to a CSV file. This includes the global, domain, and user lists.
-  Update Outbreak Protection SDK to version 8.0.110
-  SecurityGateway trial keys are now sent via email and must be entered into
the installer to continue. The trial period is 30 days.
-  Updated charting component to eliminate dependency of Adobe Flash
-  Added an option to Setup / Users | User Options | Configuration to "Send
an alert to global administrators when a new user is created"
-  Added a "Delete All" button to Bad Messages queue view.
Clicking the "Delete" dropdown menu will allow the user to delete the
selected messages or to delete all messages.
-  Updated SpamAssassin to version 3.4.1
-  Added option to My Account | My Settings and Setup | Mail Configuration
| Quarantine Configuration to control how the quarantine report email is sorted.
By default the quarantine report will continue to be sorted by date received, however
it can now be sorted by sender or subject.
-  Updated Cyren Antivirus to version 5.4.6-r1
-  Updated to latest version of libdkim library
-  fix to SQL error "Execute(execute procedure update_user(?,?,?,?,?,?,?,?))
... update conflicts with concurrent update" logged to system log
-  fix to "Maximum Bayesian Database Tokens" field in web interface
should allow 6 digits
-  fix to the height of the tab pane on the new/edit remote POP account dialog
may be too small
-  fix to System log may contain database error "Deadlock... Context:
Statement::Execute(delete from failedauth where ip=?)"
-  fix to the "verify from" Sieve condition may fail in custom Sieve
scripts even if the message is from a local user
-  fix to searching message log by sender or subject may return no records,
"invalid token" database exception logged to System log file
-  fix to installer still contains old domain cap logic. This may prevent installation
in specific scenarios.
-  fix to Transient Delivery Failure messages are no longer being generated
on delivery problems
-  fix to message log entries for which "no mail was sent" are not
removed by the nightly maintenance process
-  fix to domain aliases are not included in configuration only backup
-  fix to after enabling the "... unless message is from a whitelisted
IP address or host" option for SMTP Authentication, the option is not checked
when returning to the page
-  fix to bandwidth Throttling speed logged to SMTP session transcript is incorrect
-  fix to recipient parsed from mail collected via a POP account is rejected
if the Recipient's address is for a cross domain alias
-  fix to new virus definitions may not be used until the Cryen AV engine is
SecurityGateway 3.0.2 -
September 9, 2014
CHANGES AND NEW FEATURES
-  Added an option to exempt specific file names from the "Quarantine
messages that cannot be scanned" feature. This allows SecurityGateway to
receive password protected files with a known file name.
-  Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has
been added. This governs the value of the "WITH" clause in Received headers.
This means you'll see "ESMTP" for unauthenticated non-SSL sessions,
"ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions,
or "ESMTPSA" for authenticated & SSL sessions.
-  Added "unless message is from a whitelisted IP address or host"
exemption option for SMTP Authentication
-  fix to reports contain no result for custom date range where start and end
dates are the same
-  fix to message transcript data orphaned in database if the data
retention option to not log incomplete messages to the database is enabled
-  fix to can only use number pad negative sign for "Add to message score"
-  fix to a rejected message, for which the message data was received and retained,
that is selected for redelivery is not delivered becomes stuck in the delivery queue
-  fix to in the system log file, the time required to complete database maintenance
is incorrect if the process take an extremely long time
-  fix to Cyren AV engine reports messages with quoted printable encoding that
does not strictly follow the standard as corrupt. This causes the message
to be placed into the "Administrative Quarantine" if the option to "Quarantine
messages that cannot be scanned" is enabled.
-  fix to empty SMTP AUTH password may cause process to terminate
-  fix to warning string in license file causes dashboard view to not load
-  fix to time logged for database maintenance process to delete old messages
-  fix to domain administrator cannot release an item from the Administrative
-  fix to failed CRAM-MD5 AUTH attempt followed by successful AUTH LOGIN for
same user still counts towards failed auth dynamic screening threshold
-  fix to incorrect port logged for connections received on dedicated SSL
SecurityGateway 3.0.1 - June 17, 2014
-  fix to certain viruses may not be detected by the CyrenAV engine when the
"Attempt to clean infected messages" option is enabled
-  fix to unable to login when French language is selected
-  fix to database exception during nightly maintenance causes process to crash.
The exception is now handled and logged to the system log file.
-  fix to the translated text for the "Russian" language selection
on the logon page language menu is "English" and not "Russian"
-  fix to unable to use domain's SMTP AUTH password to authenticate
-  fix to unable to perform a new installation using the Japanese language
installer because the Next button is not enabled after completing the Customer Information
-  fix to login page may "jump" while loading the logo image
-  fix to when delivering mail additional MX records are not attempted
if the TCP connection is successful, but the connection terminates without an SMTP
protocol error occurring. Examples of this include an SMTP session that times out
or is closed by the other side.
SecurityGateway 3.0.0 - May 27, 2014
-  Outbreak Protection and CYREN AntiVirus are now included in SecurityGateway!
- The ProtectionPlus add-on is no longer needed to add an additional layer of antivirus
and spam protection to SecurityGateway and has been discontinued. When upgrading
to v.3.0 the installer will inform the user that it must automatically uninstall
ProtectionPlus before proceeding. Please note that if upgrading from within the
web interface, there is no opportunity for a prompt and that ProtectionPlus will
be automatically uninstalled.
- Kaspersky AV integration, which was previously provided via the ProtectionPlus add-on,
has been replaced with CYREN AntiVirus built in to SecurityGateway.
-  Active Software License Renewal coverage is required for Cyren Outbreak
Protection, Cyren AntiVirus, ClamAV updates, SpamAssassin updates, and Bayesian
-  The trial period has been changed. A hassle free 14 day trial period is
now offered without the need to provide any contact information. Simply install
the product and a trial license will be automatically downloaded. The trial period
may be extended to 30 days by providing valid contact information.
CHANGES AND NEW FEATURESS
-  Dynamic screening for failed SMTP authentication attempts now works across
sessions over time. Previously, the failed authentication attempts had to occur
within a single session. The failed authentication count for an IP is reset at midnight,
or when it is blocked and added to the dynamic screening list.
-  Added "User Verification Source Options" page with options that
allow response caching and user re-verification to be configured.
-  Added "Released" as a reason when filtering the message log
-  Added the ability to exclude whitelisted senders, authenticated sessions,
and domain mail servers from attachment filtering
-  Restart clamd.exe immediately if "unable to allocate memory" or
"cannot create thread" error occurs
-  SecurityGateway.exe is now Large Address Aware, allowing it to use up to
4 GB of RAM on a 64-bit OS.
-  Added "Spam" and "Not Spam" buttons for Bayesian Learning
to the quarantine views
-  Updated Firebird database engine to version 2.1.5
-  Updated ClamAV to version 0.98
-  Updated Chilkat library to 9.4.1
-  Improved whitelisting or blacklisting a sender directly from the message
log or quarantine
- Added "Whitelist" and "Blacklist" button to the domain and global
- Domain administrators may add the sender to the recipient domain's list
- Global administrators may add the sender to the global list
- Allow the sender's domain to be added, as a wildcard entry
-  Updated product logos
-  Added support for using the hostname returned by PTR lookup as a condition
in SIEVE scripts
-  Added option to automatically redirect HTTP requests for the web interface
-  fix to the Bayesian learning process fails if the Bayesian DB path in SpamAssassin's
local.cf file contains a parenthesis. The impacts most installations on a 64bit
OS as the default install location is "Program Files (x86)"
-  fix to when delivering remote mail, other MX records are not tried when
the TCP connection is successful but a SMTP protocol timeout occurs
-  fix to unable to disable "Close SMTP session after banning IP"
setting under Dynamic Screening
-  fix to Account Hijack detection does not kill current session when account
-  fix to Notepad does not detect logs as UTF-8 encoded
-  fix to unable to disable "... include original message when informing
the sender" option under "Mail Delivery"
-  fix to SSL negotiation error 0x80090308 when sending to certain SMTP servers
-  fix to Bayesian auto-learning does not occur if message is rejected
-  fix to when searching the message log, a search string that contains a single
quote results in an SQL error and no results are returned
-  fix to dashboard displays negative days remaining in trial after trial license
-  fix to "Save" button may not be enabled on "Quarantine Options"
-  fix to Administrative Quarantine Report interval still displayed as "Daily"
after being changed to another value
-  fix to installer unable to validate license when system does not have a
-  fix to redelivering a message needs to change the MessageID, or Exchange
will believe it is a duplicate and not deliver it
-  fix to unable to change just license name or company while leaving registration
key the same
-  fix to disabled user can still authenticate if the user is enabled on the
user verification source
-  fix to cannot access login page when installed on Windows Server 2012 R2
-  fix to unable to verify SPF record that contains "ip6" mechanism
-  fix to if a sender's name contains non-ASCII characters separated by a comma,
it may be rejected by the RFC compliance test
-  fix to possible installer crash seen on Windows Server 2012 64bit
-  fix to script error after adding DNSBL response that contains an ampersand
-  fix to message with a subject containing UTF8 line break (0xE2 0x80 0xA8)
character will prevent the mesage log from being displayed
-  fix to "Configuration Only" backup may fail with "violation
of FOREIGN KEY constraint 'FK_DOMAINUSERS_USER' on table 'DOMAINUSERS'"
-  fix to potential database deadlock "update conflicts with concurrent
update" when updating dynamic screening record for an IP address
-  fix to if the license file contains a warning, it is logged to the system
log every minute
-  fix to no entry logged to system log for update check that runs as part
of the midnight maintenance process
-  fix to installer may download license file to wrong location
-  fix to the global IP address and Host blacklists are not checked until the
RCPT event. This allows a blacklisted IP or Host to attempt to authenticate using
the AUTH command.
-  fix to unable to verify license file if serial number in the database is
in lower case
- April 30, 2013
-  fix to license usage requests may not be performed as scheduled. This results
in the administrator receiving an email that they have 5 or less days to activate
the software. A license usage request is performed before the license file expires.
SecurityGateway 2.1.1 - April 9, 2013
-  fix to message log search returns same results for "Result IS Quarantined"
and "Result NOT Quarantined"
-  fix to registration page does not display display the days remaining in
-  fix to unable to verify user passwords via ActiveDirectory user verification
-  fix to license expiration warning email is sent to administrators for expiring
trial keys. This message is sent in addition to the "Trial Expiration" warning message.
-  fix to the ProtectionPlus update checker is still using the old process.
It should check the <LatestVersion> information from the license file.
-  fix to web based upgrade checker does not check if software upgrade protection
coverage is valid for the new version. A version may be installed for which
the current license is not valid.
SecurityGateway 2.1.0 - March 26, 2013
ProtectionPlus for SecurityGateway version 2.0.1 or later is required. Please visit
please visit http://www.altn.com/Products/ProtectionPlus/ to upgrade your installation
of ProtectionPlus for SecurityGateway.
-  Product registration system has been updated to utilize a digitally
signed XML based license file. This approach allows for greater flexibility, and
will enable ALT-N to offer new innovative purchasing and renewal options. The installation
process will automatically download the license file. Product activation has been
replaced by a scheduled mechanism that will update the license file on a periodic
basis. The system is able to accommodate temporary connectivity outages, however
communication with the licensing service is required for continued use of the product.
-  SecurityGateway no longer supports Windows XP older than Service Pack 2 or
Windows Server 2003 older than Service Pack 1.
MAJOR NEW FEATURES
 DETECT AND STOP HIJACKED ACCOUNTS
The "Account Hijack Detection" feature limits the rate at which accounts
can send mail and adds an option to disable local accounts which try to send more
than XX messages in XX minutes. When an account is disabled an email is sent
to the global administrator which contains a link to re-enable the account.
Note that the account could quickly get disabled again if the message sending continues.
Accounts disabled by this process can still accept incoming mail but they cannot
log in to web administration and they cannot send mail. The intent is to try
and recognize and stop a hijacked account so that the administrator can review the
situation and take action. This feature only applies to authenticated sessions,
authentication must be required when sending mail as a local user. In addition,
global administrator accounts are exempt.
 ADMINISTRATIVE QUARANTINE REPORTS
A quarantine report for the "Administrative Quarantine" is now sent to domain and
CHANGES AND ADDITIONAL NEW FEATURES
-  Improvements to IP Shielding
- Added option to check message's "From" header against the IP Shield database
- Added option to exclude authenticated senders
- Added option to exclude domain mail servers
- Added support for $LOCALDOMAIN$ macro
-  Options to better handle RSET commands
- Added an option to Setup|Email Protocol to set a max number of RSET commands allowed
in an SMTP session (default is 20)
- Added an option to Security|Dynamic Screen for banning an IP that issues more than
x RSET commands
- Improvements to RFC Compliance test
-  When a message is rejected because it is not "RFC Compliant" a
reason string is now logged and returned in the SMTP response
-  Added an option to "Setup | Email Protocol" page to control if
the "RFC Compliance" test requires the message to contain a "Date" header.
Some legitimate messages are known to not contain a "Date" header, an example is
the test message sent by Outlook when configuring a mail account. This option is
disabled by default.
-  The RFC Compliance test is now enabled by default for new installations.
-  If the message's "from" header contains multiple email addresses, a sender
header with a single email address must be present.
-  Added options to the Setup | Mail Delivery page to control...
- If the sender should be notified if their message cannot be delivered
- If the original message should be attached when informing the sender
-  Updated Firebird database to version 2.1.5
-  Updated ClamAV engine to version 0.97.6
-  fix to the web interface is not fully compatiable with MSIE 10
-  fix to certain database timeouts may crash process
-  fix to while the correct value is sent to the client, macros such as $RBLREASON$
are not expanded in the message log
-  fix to possiable crash while validating users via Active Directory
SecurityGateway 2.0.8 - December 5, 2012
CHANGES AND ADDITIONAL NEW FEATURES
-  Updated Chilkat library to 9.3.2
-  Updated ClamAV engine to version 0.97.5
-  fix to process may run out of stack space and crash due to recursive SPF
-  fix to statistics report is sent to disabled administrator accounts
-  fix to HELO/EHLO and MAIL DNS lookup may close the connection even though
the refuse mail option is disabled
-  fix to SMTP session terminated by dynamic screening due to failed AUTH attempts
causes the transcript/log of a future session to start with entries that are related
to the older terminated session
-  fix to no description provided with SMTP error code when message is rejected
because it exceeds the maximum message size
-  fix to loop when remote server returns an error in response to "QUIT" command
SecurityGateway 2.0.7 - January 17, 2012
CHANGES AND ADDITIONAL NEW FEATURES
-  Updated ClamAV engine to version 0.97.3
-  The 200KB size limit on messages scanned by Outbreak Protection has been
-  Generated user passwords now have a random length and contain numbers and
-  Multiple SMTP connections are now supported when delivering mail to a local
domain mail server. This reduces the amount of time that items remain queued in
SecurityGateway before they are delivered to the domain mail server.
-  Updated product EULA and added new EULA dialog to the installer
-  fix to during mail collection from a remote POP3 account, a message with
several thousand addresses in the TO: header may cause the process to crash
-  fix to POP3 mail collection recipient parsing engine may not find valid local
-  fix to Call Back Verification does not strip BATV tag when using the VRFY
-  fix to Spanish language version crashes when a message that contains a virus
-  fix to specific attachment may crash engine during attachment text extraction
-  fix to message with malformed RFC822 headers may be logged incorrectly and
prevent the message list from being searched
-  fix to when delivering mail if an MX host has multiple IP addresses (A DNS
records) a connection is only attempted to the first IP address
-  fix to when an Active Directory user verification source is used, and an
email alias has been configured as an administrator, the administrator status is
lost when the primary account receives a message. This occurs because the alias
is merged with the newly created user, however the administrator status is not merged.
SecurityGateway 2.0.6 - May 17, 2011
CHANGES AND ADDITIONAL NEW FEATURES
-  Updated PCRE regular expression library to version 8.12
-  Updated Firebird database engine to version 2.1.4
-  fix to SGAV_ClamAVPlugin.dll is not installed for new installations. This
prevents ClamAV from loading, and prevents messages from being accepted unless AV
-  fix to disclaimer feature may corrupt message body content
SecurityGateway 2.0.5 - April 26, 2011
CHANGES AND ADDITIONAL NEW FEATURES
- Updated ClamAV engine to version 0.97
- Updated SGSpamD to SpamAssassin version 3.3.1
- Updated Chilkat libraries to version 9.1.2
-  Added link on disclaimer page to set the order in which disclaimers are applied
-  fix to if more than five crash memory dumps are captured, the newest crash
dump file is overwriten
-  fix to Remote POP Account SSL error "Not enough memory is available
to complete this request (-2146893056)"
-  fix to removing the HTTP and HTTPS port values prevents access to web interface
-  fix to ClamAV plugin may get stuck on recv() call and does not time out
-  fix to SecurityGateway.exe process terminates after changing port value
-  fix to password request feature may provide the password of another account,
this requires that the mailbox name exists as an alias in another domain
-  fix to mail collection from a Remote POP Account is not considering user
aliases for a different domain when determining if the message is addressed to a
-  fix to in specific instances, attachments may be erroneously removed from
the message during processing
-  fix to lines in message body over 5000 characters in length are truncated
-  fix to when routing outbound mail through SecurityGateway, messages from
"noreply" addresses are rejected. Messages from "noreply" will now be accepted if
sent by a domain mail server.
SecurityGateway 2.0.4 - August 17, 2010
-  fix to SPF resolver does not resolve returned CNAME records when performing
A record test
-  fix to when a custom date range is specified for a report, only 24 hours
of data is returned
-  fix to SMTP AUTH LOGIN is allowed over non SSL connection when "Allow
Plain Text Passwords" option is disabled
-  fix to files in attachments directory may not be removed after database
maintenance removes the related message from the database
-  fix to verify user feature does not delete users that were converted to aliases
of another mailbox (Active Directory or Minger)
SecurityGateway 2.0.3 - May 25, 2010
- The installation process now performs a one-time collection of basic customer information.
CHANGES AND ADDITIONAL NEW FEATURES
-  Added user option to disable Flash graphs on the "Dashboard" and "My Account"
-  fix to if AD user account name/mailbox contains non-ASCII, user cannot log
into web interface
-  fix to URIBL is not excluded when the "Do not perform anti-spam tests..."
option is enabled for the recipient
-  fix to disabled users count towards license limit
-  fix to SGSpamD.exe needs to be restarted after SA-Update.exe updates the
-  fix to unable to release message from the administrative quarantine, if the
SMTP sender value is NULL
-  fix to lower preference user verification sources are not queried when highest
preference source returns a negative result
SecurityGateway 2.0.2 - November 17, 2009
-  fix to domain administrator scheduled statistics report contains statistics
for all domains
-  fix to incorrect disclaimer may be applied when there are multiple RCPTs
in the SMTP session
-  fix to report drill down results for a specific email address may return
messages for multiple addresses. The SQL query is returning all records that "contain"
the address, it needs to return all records that "match" the address.
-  fix to URIBL is not excluded when the "Do not perform anti-spam tests..."
option is enabled for the recipient
-  fix to message log "Subject Starts With" search condition returns no results
if the subject starts with a capital letter
-  fix to custom_quarantine_report.xsl template file is not used
-  fix to sorting message list by subject is case sensitive
-  fix to SPF "ptr" mechanism is not correctly processed. In order to pass a
valid PTR hostname must exactly match the domain. The SPF spec states that the hostname
only needs to end with the domain.
-  fix to scheduled database backup may not run as scheduled
-  fix to messages collected via POP3 may be mistakenly routed to "bad" queue
-  Installer: The external administrator email address field does not scroll
to allow additional characters
SecurityGateway 2.0.1 - August 25, 2009
CHANGES AND ADDITIONAL NEW FEATURES
-  To reduce the size of the database, the admin may choose to not log certain
types of messages to the database. These items will not appear in the message log
and will not be included in report statistics. However, all messages will be logged
to the appropriate log file (e.g. Inbound.log).
-  fix to dashboard for domain administrators, the "Total Bandwidth Used by
Email", "Good vs. Junk Messages", and "Junk Email Breakdown" graphs show global
-  fix to greater than and less than characters in session transcript need to
be escaped for NDR messages
SecurityGateway 2.0.0 - August 4, 2009
MAJOR NEW FEATURES
-  Scheduled Statistics Report:
On a nightly or weekly basis, a statistics report can be sent to all global administrators,
all domain administrators, or a manually defined list of email addresses. This report
allows the filtering effectiveness and health of the server to be quickly ascertained.
For domain administrators, the report will only contain statistics for the domain(s)
which the administrator has administrative rights.
-  Disclaimers (Headers / Footers):
Added the ability to add simple headers and footers to messages. One use of this
is to add a "--- Message scanned by SecurityGateway for Exchange/SMTP ---" footer
to all messages. This feature will be expanded in future versions.
-  Extract text from attachments:
Content filter rules and custom Sieve scripts can perform actions based upon the
content of an attachment. The Sieve body test "text" tag automatically extracts
text from several popular attachment formats.
interface is used to extract plain text from Microsoft Office and PDF documents.
In order to search PDF documents, Adobe Acrobat
Reader must be installed on the SecurityGateway server. Office 2007 documents
require the 2007 Office System Converter: Microsoft
Filter Pack to be installed.
-  Dashboard for domain administrators. Only statistics for the domain(s) managed
-  Collect mail from a POP3 mailbox:
This feature allows mail for a domain to be collected from a POP3 mailbox. It is
modeled after MDaemon's DomainPOP functionality. For each POP3 mailbox you configure,
mail will be collected and parsed among valid recipients at the domain you specify.
-  Domain aliases:
Aliases may be defined for a domain. All of the domain's users are assumed to be
valid for each domain alias. This is useful if a domain has registered multiple
domain names, e.g. altn.com, altn.us, altn.biz, etc.
-  Define multiple search strings for a single content filter condition:
The content filter is a graphical interface for building Sieve scripts. Multiple
search strings may now be defined for a single condition. The user may specify if
the condition must match any or all or the defined strings. This is useful for searching
a message header or body against a list of keywords.
-  Added the following statistics (charts) to the "My Account" page for local
users. Only statistics for the user's account are displayed.
- Good vs. Junk Messages
- Junk Email Breakdown
- Inbound vs. Outbound Messages
- Top Spam Sources
-  Improved heuristic rule update process:
The heuristic rule update process now has the ability to pull updates from updates.spamassassin.org
in addition to updates from Alt-N. The SGSpamD Configuration UI has a new checkbox
which controls this capability. This will make sure your SpamAssassin rule-sets
are always kept current. This functionality is enabled by default.
CHANGES AND ADDITIONAL NEW FEATURES
-  Added option to redeliver message(s) from the message log. This option requires
that the content of the message has not been deleted from the database.
-  Added a per user language option. System generated messages sent to the user
will be translated to this language. A default value may be applied on a server
and individual domain basis.
-  Added the ability for SGDBTool.exe to create a global administrator. This
is useful in cases where the global administrator account created during installation
is not accessible.
-  Added the ability for SGDBTool.exe to promote a user to a global administrator.
-  Updated SpamAssassin (SGSpamD) to version 3.2.5.
-  Updated ClamAV engine to version 0.95.1.
-  Updated CommTouch Outbreak Protection engine to version 5.08.0002.
-  Changed default log rotation for new installations to "Create a new set of
log files each day".
-  Add to message score content filter action
-  A transient delivery failure notification is sent to the sender, if a message
cannot be delivered after one hour.
-  Verify users for a single domain. The "Verify Users" toolbar button on the
User Verification Source list honors the domain chosen from the drop down list.
-  Created additional indexes for "lists" table. This will improve the performance
of white/black list lookups.
-  Greylisting is now supported for Sieve scripts that run during the DATA event.
While it is preferred to greylist at RCPT, before the message is transferred, conditional
greylisting in response to the DATA command can be a useful tool. This may be an
attractive alternative to quarantining mid scoring messages. With the flexibility
of SIEVE, large messages can be excluded.
-  NDRs are no longer sent to "noreply" addresses.
-  Scale of "Total Bandwidth Used by Email" report is now automatically formatted.
For example 140000KB is now displayed as 140MB.
-  Added "Total" summary line for numerical reports
-  Changed defaults for "Relay Control | SMTP MAIL address must exist..." to
exclude domain mail servers and authenticated sessions by default. This only applies
to new installations.
-  Changed installer to make installing registered or trial version more clear.
An email address and country are now required for trial installations.
-  A different path/drive may be specified for the database file. This must
be a path on the same computer, UNC paths are not supported. To configure the path,
create a string value "DBPath" under the HKEY_LOCAL_MACHINE\SOFTWARE\Alt-N Technologies\SecurityGateway
registry key. The path does not need to contain the name of the database file, i.e.
-  fix to if SecurityGateway is installed to a different location, unable to
load web interface after restoring configuration
-  fix to when using Italian installation file, registration key is lost when
-  fix to when using Italian installation file, uninstall shortcut created in
same folder as installation file
-  fix to new version available email may not be sent to global administrators
-  fix to extra line breaks after saving Sieve script in MSIE
-  fix to log entries truncated at 1024 characters
-  fix to in specific circumstances duplicate domains may be created
-  fix to refreshing log file returns view to first page
-  fix to list view sort order is reset after going back, and then to next page
-  fix to file may be orphaned in temp directory if socket times out when attempting
to deliver a message
-  fix to log archive .zip file may be created which contains zero files
-  fix to OutbreakProtection is not enabled when expired ProtectionPlus is updated
-  fix to if a user's nightly quarantine report is generated after 1:00AM, the
user will not receive a quarantine report the next night
-  fix to when viewing a message with an attachment, from the message log, the
size of the attachment is not displayed
-  fix to when viewing the source of a message from the message log, tab characters
are not displayed correctly
-  fix to multi-line message headers are not properly unfolded when viewing
message from the message log
-  fix to a user can white/black list their address
-  fix to malformed DNS response may cause service to terminate
-  fix to domain administrator cannot perform any action when viewing messages
queued for delivery (access denied)
-  fix to message submitted via SMTP to the spam Bayesian learning address routes
to non-spam folder
-  fix to message headers may be corrupted for messages submitted via SMTP to
the Bayesian learning address
-  fix to no error is logged to the session log if a message addressed to a
Bayesian learning address is rejected because the session is not authenticated or
from a domain mail server
-  fix to dynamic SMTP Authentication does not pass full email address to user
-  fix to when using German installation file, uninstall shortcut link points
to wrong location