To facilitate relay customization, the admin area has been redesigned. Rather than having to select the domain on every page, the new global domain selection feature allows administrators to enter a domain-oriented admin area. Once inside, administrators can customize all features without having to switch between domains.

Moreover, the new Domain Summary Page offers a comprehensive overview of the current relay status, including the number of users, consumed license, relay information, and any overridden configurations. This feature will help administrators keep track of their system's performance and make informed decisions accordingly.

In addition to the new relay-focused interface, the enhanced security policy configuration capability is a valuable addition. The mail scanner policies, including attachment and archive policies, are no longer constrained to a single direction (e.g., From/To/FromOrTo), allowing for highly personalized policies that can fit any scenario. The sender policy matcher now includes a new special value called "bounce," enabling custom policies for emails without an envelope sender address. This new feature is especially beneficial for Mail Service Providers who need to create a sender policy exception for a single client domain.

The integration layer has been improved with more controls for administrators and easier configuration of external connectors. The new connector configuration page can configure all aspects of users, groups, and valid recipients, while the refined LDAP configuration can import groups as aliases for member users.

An interactive testing page allows for exploration of external directories and extensive debugging. There are also new import options, including a manual set import feature and progress information. The new "Cleanup stale" features help removing old users and recipients records in bulk.

Functional Users are a new type of imported users that cannot log in to ESG directly but can receive a quarantine report, allowing recipients to manage message actions. They correspond to a "Shared Mailbox" or a User Group without any member mapped on ESG.

Functional users are free from the licensing perspective.

User management has been revised to improve security and reduce ambiguities. The primary email address will now be used to select domain-specific configurations, while the username can still be used in email form but won't grant access unless it's listed as an email for the user.

For all existing users, the optimal primary email address is selected. For users imported from an external directory, the primary address will be aligned with the service provider. For Microsoft 365 and Google Workspace users will be perfectly synchronized with their respective providers, while LDAP users will have their chosen "main address" field used as the primary email address.

The licensing accounting has been refined to be more precise when accounting mailboxes. A license is now either counted as an "active mailbox" or a simple email "recipient", but is still based on the list of emails successfully delivered by ESG.

The "active mailbox" is determined using the user manager information. When an email is delivered to a recipient, the user who owns that email address is considered active and their primary email address is counted towards the active mailboxes. The web UI has been updated to reflect this and in the case of mailbox accounting, it will provide detailed information to track email usage effectively.

• ARC policy evaluation: Explicit trust validation of ARC chain has been added for forwarded emails.
• Relay RBL: RBL check can now be enabled or disabled on a per-domain relay basis.
• DANE verification: DNS-SEC options have been integrated to support DANE as a global configuration.
• Firewall requirements: Outgoing port TCP 873 (RSYNC) is no longer required and can be closed on the firewall.
• Firewall requirements: Outgoing port TCP 80 (HTTP) is no longer a requirement, but it provides extra protection against HTTP-based URL shorteners.
• HTTPS TLS: Only TLS1.2 and TLS1.3 with high-grade ciphers are now allowed.
• System TLS: CBC, CAMELLIA, and SHA1 have been removed from all TLS connections except HTTPS and SMTPS.
• ClamAV: SaneSecurity signatures are now managed from the official Libraesva repository.

The cybersecurity world is moving towards greater inclusivity and is abandoning terms that are often associated with discrimination. Some terms used in the product are merely historical technical terms that can easily be replaced for ethical reasons.

Renamed features:

• Graymail to Bulk Mail;
• Blacklist to Blocklist;
• Whitelist to Welcomelist;
• Whitelabel to Rebranding;
• URLSand whitelist to URLSand ignored.