Libraesva ESG v5.2.gpg
File Size: 11 KB
File MD5: 98cd35ad9bf858cb3e945111114eaf7a
File SHA256: ec14b9a7a8963206fc30b1443b38c9f6518d8e45d617f9858d0b1531f5947122
Create Date: April 3, 2023
Last Updated: July 27, 2023

Libraesva ESG 5.2

These are the major features of this release.

Relay focused interface

To facilitate relay customization, the admin area has been redesigned. Rather than having to select the domain on every page, the new global domain selection feature allows administrators to enter a domain-oriented admin area. Once inside, administrators can customize all features without having to switch between domains.

Moreover, the new Domain Summary Page offers a comprehensive overview of the current relay status, including the number of users, consumed license, relay information, and any overridden configurations. This feature will help administrators keep track of their system's performance and make informed decisions accordingly.

Advanced sender and recipient rules for every feature

In addition to the new relay-focused interface, the enhanced security policy configuration capability is a valuable addition. The mail scanner policies, including attachment and archive policies, are no longer constrained to a single direction (e.g., From/To/FromOrTo), allowing for highly personalized policies that can fit any scenario. The sender policy matcher now includes a new special value called "bounce," enabling custom policies for emails without an envelope sender address. This new feature is especially beneficial for Mail Service Providers who need to create a sender policy exception for a single client domain.

New integration connectors with advanced testing

The integration layer has been improved with more controls for administrators and easier configuration of external connectors. The new connector configuration page can configure all aspects of users, groups, and valid recipients, while the refined LDAP configuration can import groups as aliases for member users.

An interactive testing page allows exploration of external directories and extensive debugging. There are also new import options, including a manual set import feature and progress information. The new "Cleanup stale" features help remove old user and recipient records in bulk.

Introducing functional users

Functional Users are a new type of imported user that cannot log in to ESG directly but can receive a quarantine report, allowing recipients to manage message actions. They correspond to a "Shared Mailbox" or a User Group without any member mapped on ESG.

Functional users are free from the licensing perspective.

Improve security and user management with primary addresses

User management has been revised to improve security and reduce ambiguities. The primary email address will now be used to select domain-specific configurations, while the username can still be used in email form but won't grant access unless it's listed as an email for the user.

For all existing users, the optimal primary email address is selected. For users imported from an external directory, the primary address is aligned with the service provider: Microsoft 365 and Google Workspace users are synchronized with their respective providers, while LDAP users have their chosen "main address" field used as the primary email address.

New licensing accounting with mailbox identification

The licensing accounting has been refined to be more precise when counting mailboxes. A license is now counted either as an "active mailbox" or as a simple email "recipient", but is still based on the list of emails successfully delivered by ESG.

The "active mailbox" is determined using the user manager information. When an email is delivered to a recipient, the user who owns that email address is considered active and their primary email address is counted towards the active mailboxes. The web UI has been updated to reflect this and in the case of mailbox accounting, it will provide detailed information to track email usage effectively.
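The counting rule described above, worked through as an added example (not Libraesva's code): every delivered recipient that belongs to a user in the user manager is collapsed onto that user's primary address and counted once as an active mailbox, while addresses owned by no user are counted as plain recipients. The user records and delivery list are constructed sample data; functional users, which the page says are license-free, are not modelled.

```python
from typing import Dict, Iterable, Set

# Constructed user-manager data: each user has the primary address that
# 5.2 uses for configuration and licensing, plus any additional addresses.
USERS = {
    "alice": {"primary": "alice@example.org",
              "emails": {"alice@example.org", "a.smith@example.org"}},
    "bob":   {"primary": "bob@example.org",
              "emails": {"bob@example.org"}},
}

# Constructed list of recipients to which ESG successfully delivered mail.
DELIVERED = [
    "alice@example.org", "a.smith@example.org", "Bob@example.org",
    "bob@example.org", "sales@example.org", "info@example.org",
]


def build_owner_index(users: Dict[str, dict]) -> Dict[str, str]:
    """Map every owned address (lower-cased) to its owner's primary address."""
    index: Dict[str, str] = {}
    for user in users.values():
        for addr in user["emails"]:
            index[addr.lower()] = user["primary"].lower()
    return index


def count_licenses(delivered: Iterable[str],
                   users: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Split delivered recipients into active mailboxes and plain recipients.

    An alias delivery (a.smith@) and a primary delivery (alice@) for the same
    user yield a single active mailbox, keyed by the primary address.
    """
    owners = build_owner_index(users)
    active: Set[str] = set()
    recipients: Set[str] = set()
    for rcpt in delivered:
        rcpt = rcpt.lower()          # addresses are compared case-insensitively
        if rcpt in owners:
            active.add(owners[rcpt])
        else:
            recipients.add(rcpt)
    return {"active_mailboxes": active, "recipients": recipients}


if __name__ == "__main__":
    result = count_licenses(DELIVERED, USERS)
    print(f"active mailboxes: {len(result['active_mailboxes'])}, "
          f"recipients: {len(result['recipients'])}")
```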

Major security changes

  • ARC policy evaluation: Explicit trust validation of the ARC chain has been added for forwarded emails.
  • Relay RBL: The RBL check can now be enabled or disabled on a per-domain relay basis.
  • DANE verification: DNSSEC options have been integrated to support DANE as a global configuration.
  • Firewall requirements: Outgoing port TCP 873 (RSYNC) is no longer required and can be closed on the firewall.
  • Firewall requirements: Outgoing port TCP 80 (HTTP) is no longer a requirement, but it provides extra protection against HTTP-based URL shorteners.
  • HTTPS TLS: Only TLS1.2 and TLS1.3 with high-grade ciphers are now allowed.
  • System TLS: CBC, CAMELLIA, and SHA1 have been removed from all TLS connections except HTTPS and SMTPS.
  • ClamAV: SaneSecurity signatures are now managed from the official Libraesva repository.

Use inclusive feature names for user-oriented configurations

The cybersecurity world is moving towards greater inclusivity and is abandoning terms that are often associated with discrimination. Some terms used in the product are merely historical technical terms that can easily be replaced for ethical reasons.

Renamed features:

  • Graymail to Bulk Mail;
  • Blacklist to Blocklist;
  • Whitelist to Welcomelist;
  • Whitelabel to Rebranding;
  • URLSand whitelist to URLSand ignored.

Full release notes

See the full release notes

Minor upgrades for this release (all 5.2.x versions) are installed automatically as soon as they are publicly available. These updates include all security fixes and bug fixes that can be installed without service downtime, and the expected behavior of the appliance remains unchanged.

Breaking changes

This version introduces some changes which require your attention.

  1. User configuration is based on the primary address, whereas in the previous version it was based on either the quarantine recipient address or the first email address. This may change the "active configuration" (e.g., quarantine report configuration) for some users, especially those imported from LDAP. This change won't affect users imported from Microsoft 365 and Google Workspace.
  2. Usernames must be unique and are no longer considered owned email addresses. All previous data is migrated to preserve the current permissions, but the LDAP sets may need proper cleanup or reconfiguration before import is allowed again.
  3. Removed HTTPS compatibility with old browsers. Stricter TLS checks: HTTPS is no longer compatible with Android < 4.4.2, Firefox < 27, Chrome < 31, IE before Windows 7, Safari < 9.
  4. Normal users are only allowed to "submit as good/bad," not to "mark as good/bad," so you may need to change some customized reports to reflect this change.
  5. System-generated emails are now sent using the format $local_user@$esg_hostname, so make sure your mail server properly handles such cases.
  6. Remote syslog message ID changed. Message IDs in versions up to 5.1 use the format matching the regular expression /[A-Z0-9]+.[A-Z0-9]{5}/, while versions 5.2 onward use the new format matching the regular expression /[0-9B-DF-HJ-NP-TV-Zb-df-hj-np-tv-z]{12,}/.
  7. Antispoofing extended to subdomains. Improved protection against spoofing by extending the Trusted Networks check to subdomains. If untrusted sources send messages to ESG from a subdomain, use "Standard (SPF)" instead of "Trusted Only" in the Antispoofing configuration.
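Breaking change 6 matters to anyone correlating ESG events in a SIEM: a parser written for the 5.1 message-ID format silently drops 5.2 lines. The added example below (not Libraesva's code) recognises both formats from the release notes so that mixed pre- and post-upgrade logs keep correlating, and reports lines where no ID was found. The syslog lines are constructed; the "." in the legacy pattern is taken as a literal separator, which the page quotes unescaped.

```python
import re
from typing import Dict, Optional, Tuple

# Message-ID formats as given in the ESG 5.2 release notes.
# Assumption: the unescaped '.' in the legacy pattern is a literal dot.
LEGACY_RE = re.compile(r"\b([A-Z0-9]+\.[A-Z0-9]{5})\b")            # <= 5.1
NEW_RE = re.compile(r"\b([0-9B-DF-HJ-NP-TV-Zb-df-hj-np-tv-z]{12,})\b")  # >= 5.2

# Constructed sample: one 5.1-style line, one 5.2-style line, one line
# (a postfix connect event) that carries no ESG message ID at all.
SAMPLE_LOG = """\
Apr  3 10:15:22 esg MailScanner[2211]: Message 1A2B3C4D5E.A1B2C from 192.0.2.10 (sender@example.org) is spam
Jul 27 08:02:41 esg MailScanner[3187]: Message 4Rb2cMJ1Xz7Vw8 from 198.51.100.7 (user@example.net) is clean
Jul 27 08:02:42 esg postfix/smtpd[3190]: connect from unknown[198.51.100.7]
"""


def classify_message_id(token: str) -> Optional[str]:
    """Return 'legacy', 'new', or None for a single candidate token."""
    if LEGACY_RE.fullmatch(token):
        return "legacy"
    if NEW_RE.fullmatch(token):
        return "new"
    return None


def extract_message_id(line: str) -> Optional[Tuple[str, str]]:
    """Return (format, message_id) for the first ESG ID in a syslog line."""
    m = LEGACY_RE.search(line)      # legacy first: its dot cannot occur in new IDs
    if m:
        return ("legacy", m.group(1))
    m = NEW_RE.search(line)
    if m:
        return ("new", m.group(1))
    return None


def summarize(log_text: str) -> Dict[str, int]:
    """Count lines per ID format; 'none' flags lines a parser would drop."""
    counts = {"legacy": 0, "new": 0, "none": 0}
    for line in log_text.splitlines():
        found = extract_message_id(line)
        counts[found[0] if found else "none"] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A rising "none" count after the upgrade is the symptom that a downstream parser still expects only the legacy pattern.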

NOTE: This upgrade takes up to 5 minutes to complete and requires a system restart. A Snapshot is always recommended as a best practice!