Libraesva ESG v5.3: Release Notes

Libraesva ESG

Main features of version 5.3

  • Apply settings: centralized tracking and application of all configurations.
  • Auditing: enhanced auditing capabilities now include property changeset tracking for all configuration and settings changes.
  • Distributed setup: cluster setups now support the addition of up to 64 worker nodes, empowering scalability of high traffic loads.
  • Domain summary page DNS enhancement: MX, SPF, DKIM and DMARC information are now available as well as record validation.
  • Domain trials: allow the creation of one-time trials for MSSP
  • Integration: added functionality to import of “external groups” as “functional users”, offering license accounting optimization and improved integration capabilities.
  • Letsencrypt: primary nodes can now create certificates on behalf of any replica nodes, simplifying certificate management.
  • MTA Strict Transport Security (MTA-STS): verify external sender transport policies for TLS encryption
  • OTP: introduction of mandatory rules for OTP, enables administrators to enforce security measures for all or selected users.
  • Storage: quarantined emails are now continuously compressed during idle time, improving storage utilization and synchronization speed.
  • User UI: message listing for normal users (i.e. non-administrators) shows From header instead of envelope information, so that the listing is consistent with mail client experience.
  • Search: added select field to search by specific cluster node.
  • Search: added field to search by URI host.
  • Threat remediation: automatic recall of 0-hour threat
  • Message: allowed removal of scan analysis record (requires admin/domain-admin privileges).

Version 5.3.13 (Dec, 2 2024)

Improvements

  • Integration: improved import speed of external user groups (up to 12x)

Bug fixes

  • ATP: track apply settings when quarantine email address changes
  • Cluster worker: fast synchronization of worker quarantine only consider today emails
  • Quicksand: fixed cache clear after multiple domain changes
  • Disk space monitor: level for notification and disaster recovery are now percentage
    based (instead of absolute values in ranges)
  • ClamAV updates: restart update daemon for some appliance which failed update from 0.103 to 1.0

Version 5.3.12 (Nov, 18 2024)

Improvements

  • PhishBrain: updated sender IPs of user campaigns

Bug fixes

  • CRM114: added timeout for long-running process
  • CRM114: ignore computing the value for definitive bad or good
  • Proxmox: use VGA mode on pre-boot sequence to avoid out-of-sync output

Version 5.3.11 (Nov, 12 2024)

Security

  • Welcomelist: ignores listing when SPF contains permanent errors

Improvements

  • License & Billing: show Libraesva datacenter in cloud appliances

Bug fixes

  • Threat remediation: prevent temporary errors to interrupt bulk recall operations
  • SPF engine: update configuration on MTA hostname change

Version 5.3.10 (Nov, 5 2024)

Improvements

  • FTP backup: save MD5 and SHA256 files of each backup before uploading

Bug fixes

  • Cluster: disabled setup/destroy and “Hard Reset” operations in cloud appliances
  • Greylisting: ignore broken UTF-8 chars in MAIL FROM commands
  • Mail queues: ignore broken UTF-8 chars in subject
  • PhishBrain: disabled antivirus heuristic on user campaigns
  • Search: fixed selection for "cluster node" on a worker node

Version 5.3.9 (Oct, 15 2024)

Improvements

  • SNMP: “cluster error” OID also account for timed out database connection

Bug fixes

  • RBL: fixed a bug which prevented RBL checks for a domain when valid recipient list is used
  • User Management: fixed “User Permissions” property change

Version 5.3.8 (Sep, 30 2024)

Security

  • Whaling: avoid false positives from trusted services

Improvements

  • Licensing: added suggestions about overuse problem in license overuse page
  • MTA advanced: added notice for non-replicated configuration of “SMTP banner”
  • Integrations: options Add Group Email to Users and Create Functional User for Groups
    will default to Yes for new sets.

Bug fixes

  • Auditing: fixed account takeover configuration logging message.
  • Cluster: fixed auditing and tracking of non-replicated relay changes.
  • Dictionary: fixed auditing and tracking of non-replicated relay changes.
  • Microsoft 365: automatic regenerate access token when expires during user/group import.
  • Quarantine storage: fixed detection of Arabic languages when using charset ISO-8859-6.
  • TLS Encryption: fixed validation of per-destination policy map “protocols” attribute.
  • Web UI: fixed double HTML quoting of error messages.
  • Web UI: fixed search by boolean configuration (e.g. "Check only Envelope")

API

  • ADD: added enabled property to /api/v2/integration/google-connector-config
  • ADD: added enabled property to /api/v2/integration/ldap
  • ADD: added organizationId property to /api/v2/integration/google-connector-config
  • ADD: added userEmailFromGroups property to /api/v2/integration/google-connector-config
  • ADD: added userEmailFromGroups property to /api/v2/integration/ldap
  • ADD: added userEmailFromGroups property to /api/v2/integration/microsoft-365-config
  • DEPRECATE: added googleCustomerId property to /api/v2/integration/google-connector-config

Version 5.3.7 (Sep, 16 2024)

Security

  • URI: improved detection of HTML links constructed via base URL.
  • Message reputation normalization (TxRep): increased the effect of learning as good.

Improvements

  • Apply settings: changed theme of apply settings button and messages.

Bug fixes

  • Antispam action: changed notify label in web UI.
  • Antispam engine: fixed a compilation issues which caused some UTF-8 dictionary words to be ignored.
  • Apply settings: ensured that the action is not visible during cluster setup.
  • Apply settings: track MTA changes when message size is modified.
  • Auditing: fixed release message action logging when there are a large number of recipients.
  • Cluster: stopped worker email import when storage size falls below 10%.
  • Cluster worker: enforced storage retention for 3 days.
  • Cluster worker setup: fixed initialization of SSH keys for peer node.
  • DKIM: tracked pending changes when enabling or disabling single keys.
  • ESG 4 migration: forgot database replication history right after restore to reclaim storage space.
  • Message details: updated VirtuTotal link, so that results are refreshed when not available.
  • Message details: show country in delivery details even when ESG IP is behind a NAT.
  • Quarantine report: excluded useless quarantine action when the primary address is missing.
  • Release: preserved empty sender for bounce message on release.
  • User manager: prevented removal of primary address (unless it was the only one).

API

  • ADD: added tenant property to GET/POST /api/v2/integration/microsoft-365-config

Version 5.3.6 (Aug, 19 2024)

Improvements

  • Phish Brain: create a new configuration page under integration
  • System preferences: added description for logwatch service
  • Cluster setup: verify that ESG versions and update channel are compatible
  • Apply settings: faster HTTPd restart when reconfiguring database
  • Apply settings: faster “apply pending changes” when multiple services need to reload
  • Logwatch: added DNF RPM section.

Bug fixes

  • Backup: fixed estimate size computation for backup
  • Cluster destroy: improved trusted SSH key cleanup
  • DCC: fixed a regression which caused firewall checks to fail
  • First run: added audit logs on setup
  • First run: don’t reload running services before reboot
  • First run: fixed an issue which didn’t close SSH service after reboot
  • First run: fixed hardware clock time in UTC
  • Integration: increase timeout to allow execution on huge configurations
  • Letsencrypt: fixed uninstallation of certificate
  • Local RBL: fixed update of algorithm parameters
  • Log rotation: executes before system upgrade to avoid service race conditions
  • Logwatch: fixed a bug which re-enabled the service after system upgrade
  • Quarantine digest: disable report generation on worker nodes
  • Reports: fixed an issue which caused the job to be incorrectly flagged as failed
  • SMTP auth: permit to edit users without require to insert the password again.
  • TLS certificate: fixed visualization of active Letsencrypt certificate
  • Timezone: fixed changing timezone from local timezone to UTC or vice versa
  • Whaling: fixed a regression in Dangerous rules which prevented whaling to trigger
  • Wizard: fixed initialization of Quarantine Report Link URL

Version 5.3.5 (Jul, 30 2024)

Security

  • Whaling: Whaling engine now handles attempts to exploit the subject header in order to impersonate C-levels
  • ClamAV: Improved accuracy when scanning emails sent by online banking websites
  • Bitdefender: Upgraded to version 3.7.1
  • Avira: Upgraded to version 4.15.22

Improvements

  • SNMP: Added new OID to track overall license accounting
  • FileType rules: Added “All files” option allowing admins to create global rules for all files
  • Message details: Improved the display of ESG identity by using also MTA hostname information when applicable
  • Dashboard: Added cross-appliance links in cluster status box
  • Audit log: “action” is now the default search field
  • DCC: Reduced the refresh interval of DCC servers to improve speed and reliability
  • MTA: Hard reject (5xx) unauthorized destination, enforced consistency with previous ESG versions (i.e., untrusted sender and recipient not in relay table)
  • MTA restriction: Avoid querying DNS records for recipient domains included in relay table
  • Cluster monitor: Allow manual restart of stopped storage service
  • Cluster monitor: Updated email notification templates for clarity and better incident response
  • TLS: Added email notification for certificates expiring in 7 days
  • SASL LDAP: Increased max length for LDAP DN and filters, up to 2048 characters are now allowed

Bug Fixes

  • Auditing: Added English translation for modifications to global settings
  • Release requests: Fixed visualization in cluster worker interface
  • Message details: Link to “Add to Welcomelist/Blocklist” now enforces proper user capability checks
  • Search: After a save action the user is now redirected to “saved search” tab
  • ATP quota: Quota tracking sometimes was not shown
  • Backup: Increased the time limit for database backup operations in order to avoid timeout issues on large appliances
  • Cluster destroy: Fixed the revocation of the public key of the previous node
  • Domain trials: Fixed the URL displayed inside the notification email
  • Passwordless authentication: Fixed user experience issues related to the underlying management of authentication tokens for users with OTP enabled
  • Admin CLI: Fixed an issue that skipped some messages when purging more than 10,000 messages
  • Cluster storage: Automatic retry of the storage sync procedure after some failures caused by connectivity issues
  • Letsencrypt: Added a failsafe certificate fallback which prevents TLS failures when the the distribution of the renewed certificate between nodes fails because of communication issues
  • Web UI: Resolved rare HTTP 500 errors on some pages when some DNS queries were silently blocked by a firewall

API

  • FIX: Reported violations when GET /messages contains some invalid operator names
  • FIX: Filter by email in GET /licensing/accounted-email
  • FIX: Filter by sender in GET /restricted-sender

Version 5.3.4 (Jul, 16 2024)

Security

  • Mail Scanner: Enhanced 7zip support for nested directories.
  • QuickSand: Improved sanitization of archive content, especially for 7z files.

Improvements

  • DMARC: prevent execution of policies for IPs listed in SMTP check override.
  • Cluster: added a UI trigger to enforce storage file/email transfer to remote nodes.
  • Cluster worker: enabled access to email body via privacy password when the feature is activated.
  • System upgrades: introduced a simple “show” icon for previous version upgrades.
  • Cofense: switched to APIv2 from APIv1.
  • Whaling: avoid false positives from Microsoft365 and Google calendars.

Bug fixes

  • Cluster worker setup: resolved issues with starting the file sync importer on the primary node.
  • Let’s Encrypt: implemented one-shot cluster synchronization of certificates to address issues from the previous version.
  • MTA: tracks “apply changes” when “myhostname” advanced configuration is modified.
  • Mail Scanner: tracks “apply changes” when changing the appliance “resource profile.”
  • Mail Scanner: Tracks “apply changes” when modifying virus scanner configuration.
  • Mail encryption: reduced the delay between delivery and the availability of quarantined email.
  • Outgoing queue: restored the ability to delete single queue files.
  • PhishBrain: corrected attachment policies for sender IPs.
  • QuickSand: fixed the removal of empty archives post-sanitization.
  • QuickSand: corrected reporting for archives when content is sanitized.
  • URLSand: fixed tab selection issue in the web UI.
  • Whitelist: stopped tracking “pending changes” when administrators use quarantine actions (policies are reload periodically, like for other users).

Version 5.3.3 (Jul, 1 2024)

Improvements

  • MTA advanced: Add XCLIENT protocol support
  • PhishBrain: added UI button under system preferences to allow user campaigns
  • Logwatch: added UI button under system preferences to enable/disable the daemon
  • Mail Intercept: when processing ATE rules, ignores internal same-domain interactions

Bug fixes

  • Letsencrypt: fixed replication of renewed certificates in cluster setup
  • Web authentication: redirect to dashboard if target page is a login page
  • OTP mandatory: added cross-site protection when creating new secrets
  • Web UI relay select: fixed pop-up when domain names are very long
  • Web UI menu: improved icon rendering when using condensed menu
  • Relay domain: handle trailing dots for relay servers, avoiding deferred messages
  • Remote syslog: fixed validation of provided server
  • Database: prevent server crash due to a race-condition during sequence value generation
  • MTA-STS: fixed initialization on post-update

Version 5.3.2 (Jun, 26 2024)

Improvements

  • Logwatch: enable/disable report from system preferences
  • DNS RPZ: resolve both TXT and A record of SPF include entries (reverted, since interfere with correctly defined SPF)
  • MTA: increased number of recipient error before reject the message
  • Valid recipient: hide “Delete All” button when a domain is selected

Bug fixes

  • TLS Certificate: fix wildcard import on newly created appliances
  • LDAP: properly ignore users with invalid username
  • Outlook Addin: fixed Microsoft 365 automatic login
  • Database: fixed optimization of TxRep data
  • DNS RPZ: handle multiple IP for a single hostname
  • User messages: removed variables in notification subject on default templates
  • Threat Remediation: removed logs which saturate disk usage
  • Cluster: fixed destroy from worker node
  • Attachment Filters: properly validate extension (e.g .7z)
  • Quarantine: fixed a timeout issue on quarantined messages synchronization
  • FTP Backup: removed support for non-working active mode
  • Report Schedule: restored new button when there is at least on schedule configured

API

  • FIXED: properly check quarantined message stored in GET /message/{id}/fetch/{attachment}

Version 5.3.1 (Jun, 12 2024)

Improvements

  • Audit log: show the cluster node which executed an action
  • Relay summary: integrates with Libraesva LetsDMARC
  • DKIM/DMARC: added from header domain exception to overcome external sender issues
  • Relay: asynchronous CSV import with progress status
  • Valid recipients: asynchronous CSV import with progress status
  • URLSand exception: added auditing and bulk delete action
  • MSSP domain trial: added notification of expiring trials
  • SMTP auth: added button to search for messages sent from a locally defined user
  • Cluster: improved real-time synchronization between active-active nodes
  • Cluster: reduce I/O priority of asynchronous file copy
  • Cluster worker setup: improved first database import when attached node has a long message history
  • System timers: improved execution timing precision and reliability for all scheduled tasks

Bug fixes

  • Country block: restore missing new button
  • Relay test: automatically append domain part for local users
  • ESG 5.2: minor fixes to migration scripts
  • Quarantine: compress on first write instead of asynchronously
  • logwatch: improve output of content checks and ATE results
  • Release request: when sending notification use the username when full name is empty
  • LDAP: fixed import of group as functional users when group name is empty
  • DKIM: fixed permission issues which may cause outgoing messages to be deferred as “Configuration error”
  • Licensing: removed some unaccounted licenses listed in delivery records
  • Licensing: automatically search when clicking on billing report link

Version 5.3.0 (May, 22 2024)

Security

  • Phishing protection: added domain word-based similarity check to identify new potential phishing scenarios.
  • ATE: enhanced accuracy in first-time sender identification by tracking all good messages, even when whitelisted or cached, while ensuring that bad messages are never tracked.
  • DNS: static hosts are now also created as RPZ, enabling improved evaluation of DNS-SEC rules.
  • Mail scanner: increased archive scanning depth for enhanced security.
  • Web Application Firewall: completely blocks non-existing pages to reduce DoS/DDoS surface attack.

Improvements

  • Antispam engine: automatically configures the number of engines processors based on profile.
  • Antispam settings: increased the maximum length for “remove headers” setting.
  • Attachment filter: allows bulk removal of rules.
  • Attachment filter: separates file name and file type rules in two tabs.
  • Audit log: tracks cluster node unique identifier for every message (hostname independent).
  • Auditing: enhanced raw data tracking, normalizing data format and eliminating duplicated columns.
  • Canonical maps: now uses the same address syntax as all other configurations.
  • Cluster destroy: allows preservation of IP/key configuration to facilitate recreation.
  • Cluster file synchronization: reduced the number of monitored files for faster replication.
  • Cluster monitor: shows hostnames beside IPs.
  • Cluster setup: faster cluster recovery on replica node (useful when restoring a destroyed cluster).
  • Cluster setup: refreshes UI on replica nodes when the procedure starts
  • Cluster setup: verifies minimal required free space in advance.
  • Cluster: reduces privileges of replication thread to increase security.
  • Cluster: allows reuse of the same hostname for multiple cluster nodes.
  • DKIM/DMARC: improved email read speed using sockets instead of network.
  • DMARC: uses “no-reply@$hostname” as sender address instead of quarantine address.
  • Dangerous attachment: allows a global default to be defined for new domain for options “block message”.
  • Dashboard: provides advice if a cluster setup is currently running.
  • Database: improved caching for extra-large appliance.
  • Database: reduces binary logs I/O and network transfer.
  • ESG console: optimized sub-command listing and startup time.
  • First run: improved speed of first reboot and license installation from appliance initialization.
  • Geocoding: improved speed and hit-rate of geocoder cache.
  • HTTPd: improved all error pages templates (especially 400, 405, 500, 502, 503).
  • Integration: displays connectors schedule and last execution from the web UI.
  • Journaling: increases detailed log lifetime by using unallocated storage to provide better remote support.
  • Licensing: added delivery count beside first seen and last seen.
  • Licensing: email accounted for a single day no longer concur to licensing totals.
  • Login: reduced session expiration when dealing with OTP codes.
  • Logwatch: allows disabling the service from advanced settings.
  • Logwatch: added Adaptive Trust Engine section.
  • MTA Advanced settings: allows enabling optional SMTPUTF8.
  • MTA: locally generated email in cluster setup always use current node “MTA myhostname” by default to avoid SPF issues.
  • MTA: SMTP relay configurations are no longer implicitly inherited by subdomains and should be configured explicitly.
  • Machine learning: asynchronously copies learn requests to all replica nodes and learns on CPU idle time.
  • Mail Scanner: faster engine reload for all domain-based or email-based configuration changes.
  • Mail encryption portal: reduced memory usage by using streamed parsing.
  • Mail log: tracks cluster node unique identifier for every message (hostname independent).
  • Message details: added “on behalf of” for bounce messages.
  • Message details: added more authentication result details for SPF/DKIM/DMARC
  • Message listing: improved response time by reducing memory footprint of message loading.
  • Network settings: faster hostname change before reboot.
  • Passwordless login: use consistent interface with standard login.
  • Passwordless tokens: keep track of last usage to improve administrators’ maintenance.
  • Quarantine settings: mail logs retention is now aligned with metadata retention.
  • SPF policy: improved configuration when MTA hostname is customized.
  • SSH service: configuration moved from “system preferences” to “core services”.
  • System logger: increased logging size for larger appliances when disk space is available.
  • TLS certificate: allows to set all service certifications at once.
  • Threat map: displays generic spam/high-spam country counters.
  • URL IoC: improved efficiency of Libraesva IoC updates.
  • URLSand: HTML preview is now enabled by default.
  • URLSand: added “include subdomains” option to domain safe configurations
  • User auto-populate: allows a global default to be defined for new domain.
  • Users cleanup: added export function.
  • Valid recipients cleanup: added export function.
  • View mail: improved unnamed attachment naming convention
  • View mail: reduced memory usage by using streamed parsing.
  • Web UI: renamed ISP/MSP references with MSSP.
  • Web UI: integrated server validation with client validation for better UX when dealing with errors
  • Web UI: renamed “submit as” to “report as”
  • Web UI: uniform maximum comments length for all configurations.

Bug fixes

  • Auditing: eliminated double logging of simple authentication.
  • Cluster firewall: avoids using session for SSH tests to improve reliability.
  • Cluster setup: improves reliability of synchronization before setup.
  • Cluster setup: in case of errors, displays the last logs of the setup procedure.
  • Cluster setup: introduce locks on both nodes before starting to prevent interference during the setup process.
  • Cluster: ensures all nodes have aligned timezones on change to maintain time consistency.
  • Content filter: fixed and improved reliability of regexes for “^starts with” applied to headers.
  • DMARC: uses “queue bounce lifetime” for generated reports left in deferred queued.
  • Error pages: removed logo animation when the logo is customized to accommodate customers key visuals rules.
  • HTTPd: enters maintenance mode during upgrade to avoid rare race conditions.
  • Maillog: logs rejected email due to invalid long addresses (length > 254) by truncating the email format.
  • OTP: uses short session time during code verification.
  • Quarantine: fixed a memory exhaust issue when doing garbage collection of huge quarantine storage.
  • SASL policy: ensures reliable configuration changes in cluster setups.
  • SASL: suppresses harmless warning that may reach external rsyslog.
  • SPF policy: ensures reliable configuration changes in cluster setups.
  • Scheduled report: when generating reports, now includes more useful logs for comprehensive analysis.
  • System timers: don’t immediately start monotonic timers on package update.
  • User auto-populate: recipient for automatic user creation are now extracted from accounted deliveries.
  • User messages: removed support for variables in notification subject that may generate mixed charset issues.
  • User messages: updated variables guide.
  • View mail: fixed stream encoding conversion issues when downloading attachments.
  • Web UI: bulk modification of any settings no longer triggers multiple engine reloads.
  • Wizard: enforces legacy option ‘system clock in local time’ that creates issues in new VM setup.

API

  • ADD: added POST /appliance/apply-settings to apply configuration changes.
  • ADD: added POST /message/{id}/report-as-good and POST /message/{id}/report-as-bad
  • DEPRECATED: added POST /message/{id}/submit-as-good and POST /message/{id}/submit-as-bad

Breaking changes

This version introduces some changes which require your attention.

  1. API application need to apply changes. After any (or multiple) configuration changes, a call
    to POST /api/v2/appliance/apply-settings is required in order to make the changes effective. In
    previous version a configuration reload was forced after every change, disrupting performance
  2. DMARC report sender address changed. DMARC sender is now always set as “no-reply@$hostname”
    like other locally generated email. Verify that any SPF related to your hostname is correct.
  3. Subject no longer allow dynamic variable substitution. Review your User Message settings, most
    notably “spam notification header” is now changed to “Spam notification”.

Version 5.2

All upgrades from previous versions are included. See the full release notes of Libraesva ESG version 5.2.