Libraesva ESG v5.0: Release Notes

Libraesva ESG

Changes in v5.0.12 (Jan 10, 2022)

Security

  • Bitdefender server: update to version 3.0
  • Avira SAVAPI: update to version 4.15
  • ESG Bitdefender integration: drops high-privileges while scanning
  • ESG Savapi integration: drops high-privileges while scanning
  • Quicksand: increase the Office Document scan limits to intercept more threats

Improvements

  • ESG Bitdefender integration: nearly halves RAM usage during scanning
  • ESG Savapi integration: nearly halves RAM usage during scanning
  • Install license: replicate license installation in cluster setup

Bug fixes

  • MailIntercept: do not monitor for messages received from localhost
  • System preferences: fix a UI issue when using three-level timezones (e.g. America/North_Dakota/Center)
  • Report: add UI feedback when using “Per Domain Mailbox Use” with date ranges
  • System preferences: fix audit message for timezone changes
  • Social graph: fix a server error when searching by empty email address
  • Graymail: prevent duplicate record creation
  • PDF Report: display correct datetime interval
  • Custom spam policy: avoid errors when adding a policy with an empty description
  • ESG4 migration: copy LetsEncrypt account information to authorize automatic renewal

Changes in v5.0.11 (Dec 28, 2021)

Security

  • Message detail page: stricter validation of message ownership for the logged-in user
  • ClamAV SaneSecurity: changed enabled databases based on Libraesva security review
  • Passwordless: double check server-side secret on token verification
  • Disable httpd lua module (CVE-2021-44790)

Improvements

  • ISP Instance Monitor: integrate with ESG4 appliance and use faster queue length evaluation
  • Scheduled report: new email template with whitelabelling and explicit report type in subject
  • Release request: new email template with direct detail page link
  • User messages: allow signatures bigger than 64k
  • Message details: show delivery information of messages imported from ESG4
  • Add audit log in Account takeover protection
  • Disk expansion: warn about possible expansions left
  • ClamAV monitor: wait longer when doing service availability tests
  • Whitelabelling: remove Libraesva signatures from email notifications
  • Hypervisor Console: add “pause incoming mail” command as in web ui
  • WebUI: better vertical alignment of all forms

Bug fixes

  • Quarantine actions: avoid redirect to login when session is expired and passwordless cookie is available
  • Quarantine actions: quarantine administrators always have action “release” instead of “ask to release”
  • Dashboard: last messages honor the global settings, instead of using a fixed 20 results limit
  • Disk expansion: minimal increase is set to 1GB (to avoid almost null expansions)
  • LDAP: enable pagination only when the server announces it in the banner
  • User text import: restore notification email, and document quarantine address selection
  • History import from ESG4: enable import of deliveries logs
  • Reports: evaluate all saved search filters on “per domain email usage” report
  • LetsEncrypt: when server verification fails due to network issues, do not retry validation on remote server
  • SocialGraph: show proper UI feedback when searching by empty email
  • Deferred message: show full deferred status as reported by the MTA

Changes in v5.0.10 (Dec 15, 2021)

Security

  • QuickSand: handle PDF files with random file preamble or filename containing “..”
  • SNMP: disable basic information access when SNMPd is enabled for one IP
  • Adaptive Trust Engine: fully handle UTF-8 to better identify first time senders

Improvements

  • Add UI feedback on Threat Remediation recall actions
  • LDAP: allow anonymous access to external sets when bind user is left empty
  • Integration: performance speedup (up to 10x)
  • UI: show delivery status as bounce when there’s at least one recipient with bounce
  • Quarantine Actions: show user-friendly 410 gone page for old quarantine link actions
  • CRM114: improve learning routine, and avoid useless “forget” actions
  • Enable Threat Analysis Portal registration (license dependent)

Bug fixes

  • Restore release permission for “Quarantine” Admin/Domain Admin
  • Mail Encryption portal: allow loading of images on reply
  • Replicate Bayes learn action in cluster environment
  • prevent cluster setup failure when letsencrypt directory is missing
  • Message details: delivery path interpolates hops without geolocation
  • Integration: avoid duplication errors when valid recipients are found on multiple sources
  • LDAP import: always set a page size when supported by the remote server, to avoid the server silently limiting import results
  • LDAP synchronization: correct loading email and users from Domino servers
  • LDAP on domino: properly filter email addresses based on domain
  • Avoid a configuration error on the engine which caused messages to become marked as other infected
  • Fix a race condition which caused some messages to be left in “active” delivery status
  • Permission check against bounce messages for domain admin no longer generates UI errors
  • WebUI: align graphics for all modals

Changes in v5.0.9 (Dec 1, 2021)

Security

  • Adaptive Trust Engine: increase accuracy by normalizing the From header
  • Quarantine action: restrict permissions on forwarding

Improvements

  • ClamAV: halves RAM usage during signature reload
  • Quarantine action: properly blacklist from header when available
  • Quarantine action: improve feedback on release
  • LDAPS: allow using self-signed certificates on remote host
  • Integration: separate import of users and valid recipients for G Suite, Microsoft365 and LDAP, to better compute licensed mailbox
  • Message detail: add audit logging as in ESG 4
  • Wizard: add validation when using IP address instead of hostname
  • Bitdefender: use proper brand spelling

Bug fixes

  • Encryption: resolve issues with multipart/signed and multipart/encrypted MIME which caused some emails to become text/plain
  • Quarantine action: add modal for “ask to release” when viewing email
  • URLSand: fix licensing hash on link generation
  • Database mail logger: avoid issues when importing reports with size above 4 kilobytes
  • Graymail: fix a database permission error which prevented newsletter identification
  • Backup: change audit log messages
  • Antispam engine: resolve accuracy issue when interpreting rare UTF-8 characters (i.e. high level pages)
  • System Preferences: use system administrator email for system email (i.e. sent to root)
  • Threat Remediation: avoid failing when no mailbox was found
  • Relay domain: fix an error when enabling dynamic verification

Changes in v5.0.8 (Nov 18, 2021)

Security

  • update operating system to upstream RHEL version 8.5
  • reduce session TTL on server-side

Improvements

  • WebUI: spinner icons review
  • scanning engine maximum message size is kept in sync with MTA max message size
  • re-enable email encryption portal (license needed)
  • graceful reload of HTTPd configurations
  • email samples are sent to esvalabs.com to improve deliverability
  • faster mail queues length calculation on dashboard

Bug fixes

  • avoid high CPU utilization when reading messages in active queue
  • avoid memory exhaustion when generating Spam rules hit reports on large datasets
  • add backward compatibility with encrypted links generated by ESG 4.x
  • mail queue logger can handle remote server messages up to 8192 chars

Changes in v5.0.7 (Nov 02, 2021)

Improvements

  • Syslog: configuration isn’t replicated in cluster setup
  • Microsoft365/GSuite: faster import of users (at least 2x)
  • Allow readonly access to relay and user page when the license is expired
  • Whitelabelling: rollback to previous theme, should the generation fail
  • Allow cluster destroy should the license expire

Bug fixes

  • IMAP/POP3: prevent a 500 error on user login
  • Import 4.9: cleanup old configuration to avoid clamav engine failures
  • Whitelabelling: don’t reset theme on updates
  • Release requests: allow empty notification email
  • Release requests: remove loading browser popup on successful release
  • Digest Report: fix selection of options in bulk actions
  • User preference: read default values for a new user when creating it on login
  • Email continuity: use new security policy system to validate user from addresses
  • ATE: prevent errors when from header is not set in a message

Changes in v5.0.6 (Nov 09, 2021)

Security

  • Hardened configuration for SSH daemon

Improvements

  • Chrony: if the offset is above 30 minutes, just set the current time
  • Check for updates after first network configuration
  • Cluster: better status monitor for file replica
  • automatically reload mail scanner engine after configuration changes
  • added confirm modal for shutdown/reboot/suspend cluster actions

Bug fixes

  • First run: wait for database initialization before scheduling reboot
  • Console: reset fallback address in issue file on first boot
  • restore release requests functionality
  • cluster setup: fixed file synchronization of TLS keys
  • compile smtp check override after migration from 4.9
  • When creating users, inherit all configured defaults
  • Fix signature saving error on some configurations
  • Fix widget for color selection in system preferences
  • Restored SNMP OID for SMTP traffic
  • Remove errors on whitelist and blacklist insertions for users with multiple addresses in recipients
  • Remove errors on whitelist and blacklist insertions for safe-learn users
  • LDAP sets of type other are correctly identified as such
  • prevent a page error when decrypting links generated by ESG 4.9

Changes in v5.0.5 (Oct 19, 2021)

Main Features

  • New modern web interface, with dynamic responsive dashboard and highly detailed scan result report
  • Message classification through new message badges: phishing, bulk, spoofing, BEC, malicious, etc…
  • Adaptive trust engine improvements: UI representation of historic data, improved AI
  • Advanced analysis result with Risk Confidence and Spam Confidence indicators
  • Unified Advanced search, a single place to search rejected and accepted messages
  • New Reports that can also be exported as PDF
  • Unified TLS management, allows certificate validation, rapid renewal and service assignment from a single page
  • LDAP sets can be managed in groups, to allow flexibility when merging user information from different tenants

Security

  • Abuser lockout: implement incremental lockout for repeat abusers
  • Adaptive Trust Engine: support BATV address and domain with more than 4 levels
  • Adaptive Trust Engine: separated history age for different relays
  • DKIM key: upgrade to 2048 bit
  • DNS: prevent DoS on SERVFAIL by adding a short term cache
  • Webapp: force HTTPS with TLS > 1.2
  • Mail transport agent: disable TLS 1.0 and 1.1 on strict/medium TLS mode
  • RBL: don’t disclose RBL name on rejection
  • User Manager: all domain admins are now multi domain admins (no longer restrict the username format)
  • User Manager: increase password security for Users, by using high-end caching algorithm for user passwords.

Improvements

  • AntiSpam settings: defaults for new users are explicitly configured and no longer inherited from the domain admin’s configurations
  • Appliance Sizing: automatic configuration of all resource-intensive services
  • Backup and Restore: new data importer from ESG 4
  • Backup and Restore: FTP backup supports TLS
  • Branding: new Libraesva logo and hypervisor themes
  • Cluster Setup: simplified setup wizard
  • Cluster: simplified monitoring and recovery UI
  • Console: add full ANSI-color support to hypervisor console
  • Console: interactive console with dynamic data
  • Crash auto-recovery: auto-repair services for most disk crash situations
  • DKIM: disabled signature for empty envelope from
  • Dashboard Threat Map: high level threat distribution like phishing, spoofing and whaling
  • Details page: quick summary for rejected email
  • Details page: threat or indicators identified by the internal engines
  • Disk expansion: support for 60 disk expansions
  • Licensing: new licensing system
  • MailIntercept: new dedicated configuration page
  • Machine Learning: new page with statistical records of CRM114 machine learning engine
  • Machine Learning: new page with statistical records of Bayes machine learning engine
  • Message Actions: all actions can be executed from all message views
  • Message details: add DSN and description to all SMTP reject listing, to distinguish temporary from permanent failures
  • Message details: new analytical representation of email path
  • Message details: new delivery status badges, which includes all statuses (e.g. recalled, released, …)
  • NTP: system clock synchronization is always enabled and kept in sync
  • Network: refactored network management with multiple interface and route configurations
  • Phishing Highlight: removed some options which are now managed directly by the ESG security team
  • Quarantine list: show scan results and delivery status
  • Quarantine settings: explicit configuration of default settings for new users (no longer inherit domain admin configuration)
  • Reboot/Shutdown: prompt feedback of the progress of the reboot
  • SASL: automatic realm initialization and asynchronous configuration
  • Sandboxes: URLSand and Quicksand configurations are on distinct pages
  • Scan result: Dictionary and DNSBL reporting has been improved
  • Scan result: new “Archive Encrypted” scan result
  • Scan result: new “QuickSand URI Disarmed” scan result
  • Scan result: “OFF” messages (not scanned because of exception rules) are displayed in message lists
  • Search page: searches with advanced filters can be saved to be used with report pages
  • Search page: can now search also among rejected messages
  • Social graph: refined interface and interactions
  • System preferences: increased the default value of records displayed in message lists
  • System preferences: new color palettes and new color picker
  • System resource: new dedicated page, with detailed resource statistics
  • TLS Certificates: TLS certificate can be shared in a cluster setup
  • White-labelling: logo automatic scaling from many raster formats
  • Wizard: brand new first-run wizard, with configuration loader from ESG 4.9

VM hardware improvements

  • Use EFI in all hypervisors which support it
  • Add Secure boot and security options in VMware 6.7+
  • Add IOMMU in VMware 6.7+
  • Use GPT partitioning which allows up to 60 disk expansions
  • Support for in-place operating system migration
  • Fully automated build-chain for many target hypervisors. Supported: vSphere 6.0-6.5, vSphere 6.7+, Proxmox KVM, Hyper-V, Xen

Bug fixes

  • User Manager: Read-Only administrator can modify their own profile
  • Mail transport agent: default email max size lowered to 25 MB, to avoid delivery issues to M365 and GSuite
  • Licensing: atomically switch license without services restart

Missing or removed features

  • Legacy end-user API (new user API for mobile applications to be used instead)
  • Administrative API for system configuration: will be released later
  • Distributed setup: will be released later