Table of Contents
Main features of version 5.2
- Relay focused interface.
- Advanced sender and recipient rules for every feature.
- New integration connectors with advanced testing.
- Introducing functional users.
- Improve security and user management with primary addresses.
- New licensing accounting with mailbox identification.
- Use inclusive feature names for user oriented configurations.
Version 5.2.30 (Jul 31, 2024)
Security
- Bitdefender: update to version 3.7.1
- Savapi: update to version 4.15.22
Version 5.2.29 (Jun 25, 2024)
Bug fixes
- Email continuity: fixed download for non-binary attachments (regression of 5.2.28)
Version 5.2.28 (Jun 12, 2024)
Improvements
- LDAP integration: changed default property for group aliases
- ESG cloud: notify about upgrade to ESG 5.3
- ESG console: enable SSH service
Bug fixes
- Email continuity: fixed download for binary attachments
Version 5.2.27 (Jun 3, 2024)
Security
- Improved 7zip support
- Attachment Filters: added “.ace” and “.lz” to blocked extensions
Version 5.2.26 (May 28, 2024)
Security
- Authentication: extended Nonce protection on all login method
Improvements
- Quarantine: reduced I/O required to store quicksand and infections
Bug fixes
- Quicksand: allow embedded xml in PDF documents
- Mail Intercept: fixed reading of on-hold messages
- Reset password: fixed default page for any users after successfully reset
- DKIM Signing: not invalidate keys when all links are phishing safe
Version 5.2.25 (May 13, 2024)
Security
- QRCode: extract and analyse URIs hidden in query strings
- QRCode: added more content-type identified as PDF entities (e.g. x-pdf)
Improvements
- User Action: added back to homepage button
- Mail log: improve database efficiency by ignoring dynamic verification deliveries flagged as status=deliverable/undeliverable
- Quicksand: reduced cache expiration to increase cache-hit ratio
Bug fixes
- Database: always execute optimization once time a week
- Manual upgrade: verify cluster status in pre-upgrade checks
- LDAP Integration: automatically append default domain to Domino additional emails
- Mail Signature: apply per email-address, if available, instead of domain/default
- Outlook addin: fixed login for users that use primary email instead of username
- Google Integration: fixed “Filter by address” search for users groups
- User Management: fixed edit of user email
Version 5.2.24 (Apr 22, 2024)
Improvements
- Dashboard: highlight bounce messages in top senders
- Dashboard: optimize top sender and top recipient loading time
- Cluster setup: added percentage progress during cluster restore
Bug fixes
- Backup: fixed restore Lets Encrypt configuration on newly created appliance
- Scheduled Report: fixed title of PDF report
- OpenDMARC: add memory protection limits
- ClamAV: use non-blocking reload only when sizing is Medium or above
Version 5.2.23 (Apr 8, 2024)
Security
- QRCode: detect numeric IPv4 URL
- QRCode: handle evasion attempts based on different Content-Type and Content-Disposition
Improvements
- Logwatch: added release/rescan counters
- Change timezone: avoid reboot when the actual timezone doesn’t change
- Cluster setup: better update of setup progress
- Cluster monitor: show warning when the remote node has replication issues
Bug fixes
- QRCode: fixed memory disk usage issue on PDF image extraction
- Maillog: ignores invalid date ranges caused by daylight savings time
- Message details: identify Libraesva blacklisted URL
Version 5.2.22 (Mar 26, 2024)
Security
- QRCode: detect and analyze images in PDF documents
Improvements
- Outlook addin: use threats as default filtering option
- ESG console: allow to query A/MX/TXT for any domain via console
- LDAP Integraion: import Active Directory shared mailbox and Domino mail-in-databse as functional users.
- ClamAV: use non-blocking reload when enough RAM is available
- Logwatch: updated configuration to handle more mail scanning and DNS logs
- Risk score: fine tuned score for high-spam messages which contains viruses
Bug fixes
- MTA Smarthost: when creating a rule for email address, don’t automatically add a rule for the related domain
- Bulk Mail Management: fixed loading of sender/recipient of blocked bulk mail for blocklist
- URLSand: avoid log warning when spurious href without value are found
- User spam levels: evaluate case-insensitive email when applying custom score overrides
- User Management: fixed display issue for delivery time 08:00
- User Management: fixed “Delete all” action
- Dashboard: Do not include pending messages in the quarantined counter in the “Email Flow” graph
- DMARC: optimized management of used memory
- Clamw whatchdog: wait longer during signatures reload, before attemping a service recovery
API
- IMPROVEMENTS: add boolean property
otpEnabled
toGET /user/{id}
Version 5.2.21 (Mar 5, 2024)
Security
- ClamAV: upgrade to version 0.103.11
- Bitdefender: update to version 3.5.5
- Savapi: update to version 4.15.20
Improvements
- TLS Encryption: log outbound activity by default
- Cluster setup: avoid storage usage spike during first quarantine sync
- Cluster setup: reset all caches before reconfiguration
- Cluster setup: improved database cloning and quarantine synchronization
- DKIM: removed internal useless header DKIM-Filter
Bug fixes
- Outlook Addin: fixed auto login from Microsoft 365
- SMTP Auth: properly reconfigure users realm when MTA hostname is changed
- SMTP Auth: fixed replication of passwords in cluster setup
Version 5.2.20 (Feb 20, 2024)
Bug fixes
- Backup: fixed local backup creation (regression of 5.2.19)
- Manual upgrade: prevent upgrade during cluster setup/destroy
- Manual upgrade: suspend system upgrade during manual upgrade
- Dictionary: fixed visualization of dictionary names
Version 5.2.19 (Feb 13, 2024)
Security
- Quicksand: improved PDF sanitization
Improvements
- Manual Upgrade: keep MTA active during version upgrades
- Manual Upgrade: automatic backup before start the version upgrade
- Local DNS: optmized memory usage for cached resolutions
Bug fixes
- Mail Encryption: fixed configuration of action for encryption policies
- Microsoft 365 integration: use license technical contact for system notification from cloud appliances
- Digest Report: fixed redirection of old 5.1 [Blacklist] link
- Digest Report: properly show recipient & action urls for messages with multiple recipients with digest enabled in the same hour
- Whaling Protection: permit multiple whale with the same email address and different full name
- Outlook Addin: fixed login for new users
- Quarantine Settings: fixed validation of “Report Link URL” to permit custom port
Version 5.2.18 (Jan 23, 2024)
Security
- Quicksand: improved PDF sanitization
Improvements
- Check Firewall Ports: added separate DNS TCP firewall check for port 53
- Trusted Network: supersede option “Restrict Sender Domain” with new option “Mail service type”
Bug fixes
- Account Takeover Protection: hide menu in quota tracking pop-up
- Account Takeover Protection: fix race condition on new quota tracking
- User messages: prevent CR to be added at the end of body lines
- Azure agent: disable hostname probing to avoid network reloads
- Message details: extends Machine Learning indicator to all Bayes and CRM114 rules
- Adaptive Trust Engine: avoid duplicate tracking of welcomelist/blocklist action
- OpenDKIM: fixed an MTA delivery issue when there are no keys enabled
Version 5.2.17 (Jan 3, 2024)
- RBL: moved SpamCop from SMTP to Content checks
Bug fixes
- SASL LDAP: fix filter token %d to properly use domain part or default realm
Version 5.2.16 (Dec 12, 2023)
Improvements
- Antispam engine: reduced cache lifetime to improve accuracy when scanning newsletters
- Queue cleaner: speed up cleaning huge number of queued messages
Bug fixes
- Mobile APP: fixed Google OAuth2 authentication
- Report: fixed report generation with default Saved Search (regression of 5.2.15)
- Queue cleaner: allow script to remain active for a long time when cleaning
- User Management: fixed “export” of users
Version 5.2.15 (Nov 28, 2023)
Security
- DMARC: consider SPF pass for EHLO only when the incoming message is a bounce
- Quicksand: improved identification of URI in PDF
Improvements
- System notification: use license technical contact for system notification from cloud appliances
- Search: added database optimizations when email filters contains explicit domain
- SPF engine: add Authentication-Results header instead of Received-SPF header
- Database: double write-though cache size for XL appliances
- Web UI: update SMTP Check override description
- QR code: integrate new rule for esvalabs rules integration
- Quarantine report: decreased generation time
Bug fixes
- Search: fixed filtering when using not equal conditions on “address” fields
- Search: removed many useless parameters from URL to allow more custom filters
- Antispam Test: fixed internal headers for scanning
- HTTP login DoS protection: login exceptions also applies to token based authentication
- DMARC: increase report generation timeout and reduce history days
- Email Continuity: fixed DKIM signatures for user generate messages
- Integration: always reload license before every import
- Outlook add-in: invalidate user session if token expired or became invalid
API
- FIXED: avoid 500 errors from
POST /message/{id}/mark-for-release
when release reason is required
Version 5.2.14 (Nov 13, 2023)
Security
- Quicksand: for first time senders disarm all URIs, including PDF text body
Improvements
- Right to be forgotten: remove users with matching primary addresses and user secondary addresses (also correct license counting)
- Clamd: improved reliability of signature download in case of remote server errors
- DKIM: added record type description in Web UI
- Web UI: added search by comment in many pages
- Admin console: improved purge queue command output and performance
Bug fixes
- Licensing: updates users primary address when recomputing license usage
- Web portal authentication: when using multiple LDAP sets for the same domain, don’t exit on first error
- Outlook add-in: support Outlook instances based on IE/Trident instead of Edge
- message rescan: allow to rescan dictionary based messages
- ATP: cleared stale runtime cache to re-enable email notification
- Rsyslog: fixed selection of TLS Certificate file
- Integration: avoid import issues when creating new group email that are assigned to multiple users
- Web UI: added ARC title in menu entries
- LDAP: special wildcard are escaped when passed in as values
- Antispam test: increased accuracy of test results
- Antispam engine: increased internal max message body size
- ARC: prevent duplicate domain entries
- Dangerous attachment rules: fixed web UI for option “Block outgoing messages with not allowed attachments”
- DMARC reports: ignore rua for email without domain, that will fallback to local hostname/domain
API
- ADD:
DELETE /message/{id}/body
for remove message body from quarantine - ADD:
POST /message/{id}/mark-release
action to mark to release a message - ADD:
POST /message/{id}/release
action to release a message - ADD:
POST /message/{id}/forward
action to forward (a.k.a. release to) a message - ADD:
POST /message/{id}/rescan
action to mark to rescan a message - ADD:
POST /message/{id}/submit-as-good
action to submit a sample to esvalabs as good - ADD:
POST /message/{id}/submit-as-bad
action to submit a sample to esvalabs as bad - ADD:
POST /message/{id}/train-ai-good
action to train AI with a sample as good - ADD:
POST /message/{id}/train-ai-bad
action to train AI with a sample as bad
Version 5.2.13 (Oct 26, 2023)
Security
- QRCode: detect and analyze embedded images in HTML code
Improvements
- Dynamic Verification: bulk update of server/port
Bug fixes
- Mail Encryption: fixed Web Service configuration
- Digest Report: only show permitted actions for Functional Users
- Google Workspace: skip import of archived users
- Definitions update: properly identify default network interface
- Backup: don’t restore cluster settings
Version 5.2.12 (Oct 17, 2023)
Improvements
- Auditing: improved log of message release notification changed
- Release request: include also clean messages
Bug fixes
- Web UI: use configured date format in all configurations
- DMARC: increase timeout of report generation
- Auditing: fixed audit of Restricted Senders
- License billing: fixed visualization of first and last seen columns
- License count: restore counting when previous accounted email was invalid
- MCP Action: fixed save of high MCP message actions
- Google Workspace integration: handle errors caused by API returning empty pages
- Auto User Creation: do not add invalid users
- Encrypted Reply: properly allow from address when original recipient(s) are mixed case
- Domain Admin Permission: removed full list of relays from HTML source
API
- FIX: properly check existing welcome/block lists in POST action
Version 5.2.11 (Oct 3, 2023)
Security
- Quicksand: improved detection of active code in PDF
- Quicksand: block Office document that use and external template
- Quicksand: improved detection of active content in RTF document
- Published security policies (RFC 9116)
- TxRep: improve outgoing learning capabilities from Microsoft 365 tenants
- Login: use stricter content security policy
Features
- Inline deploy for Microsoft 365
Improvements
- DMARC reporting: don’t generate report for managed domains
- DKIM: show only non-configured relays when create a new DKIM key pair
- Updates: added more Libraesva repository mirrors
Bug fixes
- Spam Engine: skip RBL check for appliance hostnames
- Login: improved user interface and form validation
- Quicksand: properly cache results for indeterminate files
- Quicksand: restore tracking of message result Quicksand URI disarm
- DMARC: removed memory leak in ARC validation
- DMARC: properly restart/reload daemon to apply new configurations
- Delivery test: fixed custom TLS certificates option simulation
- Licensing: don’t apply subaddressing if new local part is empty
- Reports: fixed donut chart values for “top sender by volume” and “top recipients by volume” reports
- Dashboard: honor “Messages per page” preference for “LAST * MESSAGES” section
- Message Details: show URLs before others in URIs section
- Message Details: hide “Search on Virus Total” button for non-URLs URIs
- Cluster auto-recover: added auto-recovery for duplicated URIs
- Cluster monitor: avoid UI unresponsiveness when the other node is down
- Cluster setup: replicate timezone before setup and handle NTPd firewall restrictions
- SMTP Restriction: fixed configuration on new appliance
- LDAP: fixed update of very old users without an external id
- LDAP: improved help message for many fields
- Firewall check: use strict SSH host checking as in actual cluster setup
- TxRep: added score limits to prevent fast fluctuation in scores
Version 5.2.10 (Sep 11, 2023)
Security
- QRCode: handle evasion attempt based on invalid content-types
- Login Authorized Network: add new category for Impersonator user (i.e. API user)
Improvements
- Cluster setup: preserve setup log for more than 30 days
- Login Authorized Network: extends defined user rules to functional users
- SMTP Check Override: add advanced logging and auditing
Bug fixes
- Search: avoid memory limits when exporting many thousands or records
- Logwatch: fixed a regression which caused the report to be sent twice
- Web server: reset logs permission to 5.2.x defaults
- Log rotation: randomize service start time to avoid disk usage spikes
- Custom spam policies: on show list all configured details
- SMTP Check Override: stricter validation of network addresses
Version 5.2.9 (Aug 29, 2023)
Security
- ClamAV: upgraded to version 0.103.10
Improvements
- Auditing: show “via WEB-ANON” when user action are made via safe-learn network
- Console: allow remote support to connect on port 443, 505 and 25
- Dashboard: show cluster warning when one node is blocked connecting to the replica
- Logs rotation: use default system cron to make sure is always
- Cluster setup: improved progress visualization on the web UI
Bug fixes
- License Accounting: integrate recipient to mailbox when a user with the same primary address is created
- Submit to labs: improved email generation with big samples
- ExternalUserSync: in case of conflicting user and functional user, keep the former
- SASL LDAP: validate required field and add support anonymous bind
- Web UI: avoid duplicated info/warning messages
- Reports: preserve HTML UTF-8 options when editing email templates
- Dashboard: analyzed messages account are limited to email strictly owned/visible by logged in user
- Recall: ignore recall action on a quarantined message to prevent spurious errors
- Cluster: auto-recover cluster that may have blocked during upgrade from 5.1
- Cluster setup: don’t hard fail if cluster is correctly setup but quarantine first initialization is not
- Cluster setup: forced alignment of datetime and system timezone before update
- Cluster destroy: remove remote host information when destroying cluster
- ESG 4 import: ignore certificates with invalid CN (e.g. non-FQDN)
- ESG 4 import: upgrade migration for antispam action which may block the upgrade
- ISP panel: handle many spurious situation from ESG 4.9 and wrong server configuration
API
- ADD:
POST /user/{id}/password
to change or remove user password - ADD:
POST /user/{id}/otp-secret
to change or remove user OTP secret - IMPROVEMENTS: add boolean property
passwordEnabled
toGET /user/{id}
Version 5.2.8 (Aug 8, 2023)
Security
- Quicksand: add RAR archive reconstruction on sanitization
- Passwordless: enforce OTP on cookie initialization
Improvements
- Microsoft 365: automatically detect and sync mailboxes that became shared mailbox
- Storage: convert from MBR to GPT only when expanding the disk
- Cluster recovery: 10x speed for multiple consecutive identical errors
- Reports: use UTF-8 for HTML instead of IS0-8859-1
- User Management: allow search by username to domain admins
- Outlook add-in: improved rebrending (may need reinstall)
- User actions: warning and errors from user actions are also logged to syslog
- User manager: use a relay select for assigning domain admin permissions
- Web UI: uniform all sender/recipient labels to properly hint about accepted values
Bug fixes
- MTA: resolved timeout issue for outgoind SMTP messages to relay port 467
- Relay delivery test: updated TLS management, aligned dynamic verification and add header Date to sample message
- Integration: don’t log an update notice when there are unchanged email address
- Letsencrypt: updated certbot and dependencies
- Licensing: fixed domain computation when “Add groups as user email” is disabled
- Reports: variable $hostname is aligned with MTA hostname
- ESG licensing: added users statistics to facilitate accounting resolutions
- Passwordless authentication: added CSRF validation
- Cloud IPs: update Microsoft365 and Google Workspace IPs on primary node only
- Cloud IPs: on installation, always re-download updated data
- Rsyslog: remove duplicated forwarder configuration (left by version 5.1)
- Web UI: remove useless tab from MTA advanced settings
- Mail Scanner: IP based rules have higher priority than domain based rules in first match rules
- File rules: fixed JS validation for sender “bounce” keyword
- Job status: faster timed out job cleanup
Version 5.2.7 (Jul 24, 2023)
Security
- Mail Scanner: extract and analyze URL encoded as QR images
- Avira: upgraded to version 4.15.17.118
Improvements
- Mail Scanner: convert broken xbrl.p7m/xml.p7m sent in quoted-printable instead of base64
- Passwordless authentication: add confirmation page to prevent Microsoft SafeLink invalidation of authentication
- Microsoft 365: add weekly system notification when client secret is expired on the external connector
- Boot sequence: faster boot sequence when optional system updates are available
- External warning exception: added advanced auditing
- Short URL decoding: use faster cache in tmpfs
- Blocklist/Welcomelist: add apply button on domain admins web UI, to immediately apply settings
Bug fixes
- ClamAV: remove old databases from ESG 5.1 which may slow down the daemon
- Licensing: fixed a bug in avira/bitdefender accounting which may suspend incremental account
- Relay test: use custom TLS certificate if overridden in relay configuration
- User Manager: allow domain admin to edit quarantine options of functional users
- System settings: reload ATP and DMARC service after changing system administrator email
- Outlook Add-in: distinguish 4xx/5xx errors from generic issues
- Dictionary: fixed the name label in web view
- LetsEncrypt: fixed renew of MTA only certificates when strict canonical names are enabled
- Trusted network: fixed update of existing records
- ISP Monitor: improved feedback on failure
- Welcomelist/Blocklist: ignore username when listing rules (unless is listed as a real email)
- Integration: when an import job fails or partially fails, the UI job status is shown as failure
- Integration: since Exchange don’t support searching with empty DN, add a hint in the web UI
- Relay: fixed validation of single-letter sub domains (e.g. a.domain.test)
- Forgot password: allow recovery to domain admin with no primary email, but with quarantine email in his domain
- Logwatch: fixed configuration of sender and recipient after system email change
- ESG 5.1 upgrade: improved migration of antispam actions, and add more logging for configuration recovery
- Account Takeover Protection: fixed enable/disable of Policy Quota service
Version 5.2.6 (Jul 10, 2023)
Improvements
- Outlook Add-in: removed Libraesva ESG references to improve rebranding
- Antispam engine: improve compile speed by using RAM disk instead of primary disk
- Message details: identify user defined rules in custom reports even when the rule is removed
- Antispam engine: use idle CPU cycles when optimizing spam rules
Bug fixes
- Attachment filters: removed a bug which prevented multiple default rules to apply simultaneously
- Integration: fully recover login with primary address on LDAP sets
- POP3: honor configured port when different from defaults
- Integration: added more validation checks on import and during auto-creation on login
- Login network: allow removal of network even when the next authentication may be a lockout
- Outlook Add-in: show server errors in the UI to ease EWS debugging
- Outlook Add-in: when both actions “release” and “ask to release” actions are available, only show the former
- Integration: avoid transactions lock when synchronizing huge LDAP/Microsoft 365/Google Workspace sets
- Licensing: redirect to billing page after recalculate action
- ESG 5.2 upgrade: always add username as email address and improve primary email selection
- ESG 5.2 upgrade: improved removal of duplicated welcomelist/blocklist
Version 5.2.5 (Jun 28, 2023)
Security
- Attachment filters: block .url file extension by default
- Message Recall: allow recall when message body is missing, but message headers are available
Improvements
- Licensing: added “Right to be forgotten” action which removes messages and deliveries for an email address;
- Licensing: improved licensing detail view by adding page “Overview” and “Billing”
- Licensing: add detailed delivery records in page “Usage Detail” for mailbox licensing model and MSP custom business logic
- Licensing: show excluded address detailed page
- Graph: added graph “Licensing Domain Based Recipients Usage”
- Graph: renamed graph “Per Domain Mailbox Usage” as “Licensing Domain Based Recipients Usage”
- Integration: add option “Force quarantine disabled on creation”, mainly used during upgrade
- Integration: improved import speed using multiple database transactions
- MTA: shows sender IP 127.0.0.1 for locally generated bounces
Bug fixes
- Attachment filters: prevent adding spaces in regex that are not supported by the mail scanner
- Avira/Bitdefender: make sure daemon is restarted when options are changed
- Clamd: restart updater daemon in case was stuck during mirror updates
- ExternalSync: make sure uniqueness of username and primary address is verified on first bulk import
- Gsuite OAuth: case-insensitive username check on login
- HTTPd cache: fixed a memory exhaust issue with some queries
- Integration: IPs for Microsoft 365 and Google Workspace are updated only on primary node, and then replicated
- LDAP Integration: simplify the query filters to workaround Domino limits
- LDAP Integration: allow to filter “other email addresses” by a single address
- LDAP Integration: improved user updates from previous version
- MTA queue: fixed UI issues when IP reverse is not available
- Maillog: fixed “rjct” prefixing of rejected messages
- Message Actions: during “mark for release” username are not used as email
- SNMPd: added validation for IP field
- TLS certificates: improved error messages during wildcard validation
- User Import: initialize defaults after define the primary address
- Web Portal: fixed set removal when bound to multiple domains
- Reports: replaced leftover blacklist terms with blocklist
- ESG 5.2: fixed LDAP configuration migration when user filter is empty
- ESG 5.2 upgrade: on error shows more error logs
API
- ADD: licensing billing data via
GET /graph/licensing-billing
. - ADD: licensing recipient usage data via
GET /graph/licensing-recipient-records
. - IMPROVED: handling of `@` sign in spurious location in all API calls.
- DEPRECATED:
/graph/per-domain-mailbox-usage
.
Version 5.2.4 (May 30, 2023)
Security
- MailScanner: block 7z archives with encrypted file names
- Quarantine actions: verify also user permissions (e.g. release) in addition to permissions check for functional users actions
Improvements
- Whaling: allow capitalized envelope-from addresses
- WebBug: use less invasive title instead of alt
- Wizard: permit to skip first relay configuration
- Spam Rule Hit report: improved generation speed
- Message Headers: automatic replace of broken UTF-8 sequences
- Submit as Bad: release permission is no longer required
- Azure appliance: added trust for Microsoft management IPs
Bug fixes
- Outlook-Addin: fixed Submit as Bad sample for messages analyzed by multiple ESG instances
- Digest report: restored action link for Functional Users
- Digest report: restored password-less action link for administrators without a primary address
- Message: fixed logging of message and delivery information for mail with both valid/rejected recipients
- Attachment Filters: do not permit to create rules with an IP Address/CIDR as recipient
- Welcomelist/Blocklist: preserve case sensitivity of comments
- HTML Disarm: fixed iframe disarm configuration
- License accounting: properly identify recipient or mailboxes after changes on users
- Message Details: fixed “Add to Welcomelist/Blocklist” button action
- FTP Schedule: edit popup now show the configured port instead of default port 21
- LDAP: fixed configuration of “Add Group Email to Users” option
- LDAP: fixed pagination identification from server capability
- Web Portal Authentication: properly fallback to Local User stored password, when external authentication method failed
- IMAP Login: use configured port instead of default 143/993
- Digest Report: automatic redirect for URL generated in previous version
- Bayesian Learn: fixed automatic learn as good on release action for anonymous users (Safe-Learn network)
- Search: restore total record count, without losing optimizations
- DKIM/DMARC: fixed redirect after save
- ARC: added validation for duplicated entries
- System upgrades: make sure services are not left stopped after database updates
- ESG 4.9 migration: added migration of SMTP-Auth LDAP configuration
API
- SECURITY: check privacy password in
/message/{id}/fetch
and/message/{id}/fetch/{attachment}
- IMPROVEMENT: remove from message-soar and message-journal documentation for unsupported pagination options
Version 5.2.3 (May 17, 2023)
Security
- Whaling: improved whale identification
- Welcomelist/Blocklist: added support for “bounce” sender keyword
Improvements
- LDAP Integration: improved Zimbra primary address identification and updated reference configuration
Bug fixes
- Database Rotation: delete orphan deliveries and requeue based on MTA queue lifetime
- Threat remediation: fixed mailbox search for Exchange on-premise
- Web UI: fixed 500 errors due to memory exhausted
- Logger: avoid memory issues due to cache slams logging
- Integration: ignore case sensitivity when searching existing user email
- Seach page: fixed queries for page and recipient counting
- ESG 5.2 migration: delete invalid rules which may block the mail scanner
- Logwatch: updated configuration for ESG 5.2 release
- Bitdefender: forcibly restart service if stopped due to previous bugs
Version 5.2.2 (May 8, 2023)
Security
- Savapi: update to version 4.15.16
- Bitdefender: update to version 3.2.2
Improvements
- Microsoft 365: support user import from Hybrid configurations
- Microsoft 365: don’t import users with #EXT# in username
- Search: automatically resize results per page to improve server reliability
- System Preferences: added a separate option for message max results
- Learn Actions: always update Adaptive Trust Engine when learning as good or bad
- File name rules: added regex filter on search
- Whaling: add apply button to force immediate engine configuration reload
- Release request: ignore notification to domain admin without addresses
- Web UI: improved message listing in when in mobile view
- Storage: automatically convert MBR to GPT for some cloud providers
Bug fixes
- Web UI: fixed validation of custom antispam scores
- SubmitToLabs: when submitting as bad, use learn-as-bad instead of forget
- Quarantine reports: allow actions from quarantine report for read-only admins with “mark for relase” permissions
- Custom rule: fixed validation when using header exists rule
- MailScanner: always clean anti-spam cache on apply settings
- HTTPd: fixed listing of server aliases
- Cluster setup: after setup enable file sync on replica node
- MTA: starts after the network is online to prevent error on reboot
- Web UI: added redirect for old advanced settings address
- User manager: show help button in standard toolbar
- User manager: when setting the user primary address, make sure all others are set as secondary
- Logwatch: updated configuration for ESG 5.2 release
- ESG 5.2 upgrade: pre-install the upgrade file for user convenience
Changes in v5.2.1 (Apr 26, 2023)
Improvements
- Added header X-%org-name%-FirstTimeSender: 1 to messages identified as first time senders
- Cluster auto-recovery: improved recovery speed and replica stability
- Anti-spam test: more accurate test with new report format
- Integration: promote or demote between normal user or functional user, but leave admin account unchanged
Bug fixes
- Routing issue (404): moved all admin area under /admin/ to resolve all 404 issues
- Message deliveries: fixed a database issue which slowed down delivery updates
- Message details: Fixed flash message after message rescan
- User Manager: fixed Permission field on user edit
- FTP backup: port field accept port above 32000
- HTTPd: fixed strict host checking for HTTP validation (port 80)
- Release requests: fixed notification to domain admin
- Release requests: fixed error visualization when quarantine file is not available
- Login Network UI: fixed javascript network validation
- Maillog2db: avoid crash when logs contains spurious binary data over date values
- Mail scanner reconfiguration: avoid crashes when there are multiple default/default rules
- Threat remediation: show proper error when test user is not configured
- License UI: show proper issued date
- Domain privacy password: resolved UI errors for domain admin without associated domains
- ESG 4.9 migration: fixed anti-spam actions migrations when delete action is set
Changes in v5.2.0 (Apr 3, 2023)
Security
- ARC policy evaluation: explicit trust validation of ARC chain has been added for forwarded emails.
- Relay RBL: RBL check can now be enabled or disabled on a per-domain relay basis.
- DANE verification: DNS-SEC options have been integrated to support DANE as a global configuration.
- Firewall requirements: Outgoing port TCP 873 (RSYNC) is no longer required and can be closed on the firewall.
- Firewall requirements: Outgoing port TCP 80 (HTTP) is no longer a requirement, but it provides extra protection
against HTTP-based URL shorteners.. - HTTPd: add strict host checking when SSL is correctly configured.
- HTTPS TLS: Only TLS1.2 and TLS1.3 with high-grade ciphers are now allowed.
- System TLS: CBC, CAMELLIA, and SHA1 have been removed from all TLS connections except HTTPS and SMTPS.
- ClamAV: SaneSecurity signatures are now managed from the official Libraesva repository.
- Permissions: users can only “submit as good/bad”, while administrator can also “mark as good/bad”
or “train as good/bad”.
Improvements
- Quicksand: added a domain-based cache to speed up sanitization and avoid DoS.
- PhishBrain: automatic campaign integration when users triggers “submit as bad” on a phishing test
campaign. - Adaptive Trust Engine: rotate idle historical record (more than 18 months).
- Attachment filter: file name and file extension rules can be managed from a single list.
- Attachment filter: added option to block outgoing messages on attachment removed.
- Auditing: added advanced auditing to all entities available via API.
- Avira: improved Web UI interface.
- Cluster setup: improve compression and transfer speed for multi-CPU appliances.
- DKIM: keys can be created only for existing relay domains.
- DKIM: automatically generate keypair on record creation.
- Gray Listing: no longer applies to trusted senders and well-known cloud providers to avoid a long delay on first
contact. - Integration: add an option to force enable/disable quarantine digest option, independently from domain defaults.
- Licensing: computation triggered from the web UI is now completely asynchronous and with real-time job status
tracking. - Machine Learning: add statistics and cleanup buttons in TxRep pages.
- Machine Learning: improve statistics and cleanup buttons in Bayes pages.
- Mail Queues: show sender IP in message listing and reverse hostname in details.
- Message details: show additional information when the spam report is affected by user-made configurations.
- Message details: show from the Web UI the welcomelist or blocklist triggered by the message.
- Message listing: show message directions as seen by the logged-in user.
- Message release: mark a released message as “Release” instead of generic “Off”.
- Message: use a new message ID format which is guaranteed to be unique across multiple instances.
- Email Continuity: compose and reply actions prefill user email addresses.
- MTA advanced: resource profiles ranges are now renamed from “tiny” to “extra-large” and verified
on the UI before change. - Network config: shows hardware address beside interface name.
- Notification to Senders: virus notification is now enabled only for outgoing messages.
- Policy Quota: changed server sizing limits to reduce memory usage.
- Quarantine reports: digest reports sent by both nodes of the cluster.
- Quarantine rotation: improve rotation speed and add logging for inspection.
- Remote syslog: send all database change auditing events.
- Safe-learn: moved page under web portal, added more documentation and implemented advanced auditing.
- Sender/Recipient address rewrite: emails sent from “user” (without domain) that are locally-generated will
be rewritten as user@hostname, while emails sent by a trusted source will be rewritten as user@domain. - Smarthost: configuration is no longer replicated in cluster setup to allow advanced routing policies.
- Smarthost: moved configuration under relay configurations.
- Spam Actions: bounce action is valid only for messages received from trusted senders.
- Storage management: automatically expand storage at boot when enough free space is found.
- UX: ease navigation by using more compact sidebar menu entries and option list entries.
- User Action: improved the web UI theme and messages.
- User manager: added configuration for new user default settings and permissions.
- User manager: hide external ID from user listing.
- User manager: added all external user information on view.
- WebPortal Authentication Test: also show logged messages from M365/GSuite/LDAP/IMAP/POP3 authentication sets.
- Database optimization: reduce memory used by the database (for all appliance sizes), while improving connection
speed and cache hit. - Webserver optimization: use a second shared memory cache to speedup page loading.
- Storage: use trimming on SSD storage to free unused blocks.
- System Kernel: upgrade system kernel from version 5.4 to version 5.15.
- Mail Transport: use file-based database instead of the main database to improve efficiency and reliability.
- ESG 4.x Migration: import most recent record first to give immediate feedback on the web UI.
Bug fixes
- Sender/Recipient Address Rewrite: message header rewriting is active for emails sent by trusted senders.
- User validation: added stricter permission checks when editing users.
- Remote syslog: fixed service restart on remote server configuration change.
- IMAP: now supports passwords with special characters when the remote server supports the AUTHENTICATE method.
- SNMP: optimized the Libraesva OID, especially for “queue length” when in critical length status.
- Web UI: renamed all references to “G Suite” with “Google Workspace”.
- Web UI: renamed all references to “Office 365” to “Microsoft 365”.
- Web portal authentication: deleted orphaned set associations.
- Message Details: removed the spam report button when there are no specific rules.
- Renamed “Archive Check Rules” to “Archive Scan Rules”.
- Completely disabled the GPG agent when mail encryption is disabled.
- Completely disabled the DCC service when the antispam feature is disabled.
- ESG 4.x Migration: import customized MTA DoS limits.
API
- ADD: allow read only access to licensing accounted emails via
/licensing/accounted-email
. - ADD: allow user creation (
POST /user
), editing (PUT /user/{id}
) and delete (DELETE
).
/user/{id} - ADD: manage user defaults via
/user-defaults
. - ADD: manage filename rules via
/attachment-filter/file-name-rule
. - ADD: manage filetype rules via
/attachment-filter/file-type-rule
. - ADD: manage scan archive rules via
/attachment-filter/scan-archive-rule
. - ADD: manage password-protected archive rules via
/attachment-filter/password-protected-archive-rule
. - ADD: manage restricted senders via
/restricted-sender
. - ADD: manage welcomelist via
/welcomelist
. - ADD: manage blocklist via
/blocklist
. - IMPROVED: rename user property
quarantine_permissions/user_permissions
topermissions
. - DEPRECATED: all request URI matching
/whitelist
are deprecated, use/welcomelist
. - DEPRECATED: all request URI matching
/blacklist
are deprecated, use/blocklist
.
Breaking changes
This version introduces some changes which require your attention.
- User configuration is based on primary address, whereas in the previous version, it was based on either
the quarantine recipient address or the first email address. This may change the “active configuration”
(e.g., quarantine report configuration) for some users, especially those imported from LDAP. This
change won’t affect users imported from Microsoft 365 and Google Workspace. - Usernames must be unique and are no longer considered owned email addresses. All previous
data is migrated to preserve the current permissions, but the LDAP sets may need proper cleanup
or reconfiguration to be able to allow import. - Removed HTTPS compatibility with old browsers. Stricter TLS checks: HTTPS no longer compatible
with Android <4.4.2, Firefox < 27, Chrome < 31, IE before Windows 7, Safari < 9. - Normal users are only allowed to “submit as good/bad,” not to “mark as good/bad,”
so you may need to change some customized reports to reflect this change. - System-generated emails are now sent using the format
$local_user@$esg_hostname
,
so make sure your mail server properly handles such cases. - Remote syslog message ID changed. Message IDs in versions up to 5.1 will use the format
matching the regular expression/[A-Z0-9]+\.[A-Z0-9]{5}/
, while versions 5.2 onward will use the new format
matching the regular expression/[0-9B-DF-HJ-NP-TV-Zb-df-hj-np-tv-z]{12,}/
. - Antispoofing extended to subdomains. Improved protections against spoofing by extending
the Trusted Networks check to subdomains. If untrusted sources send messages to ESG
from a subdomain use “Standard (SPF)” instead of “Trusted Only” in the Antispoofing configuration.
Version 5.1
All upgrades from previous versions are included. See the full release notes of Libraesva ESG version 5.1.