Headline
CVE-2022-37238: SecurityGateway for Email Servers Release Notes
MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.
Developed with 20 years of proven email security expertise, SecurityGateway provides affordable email security. It protects against spam, viruses, phishing, spoofing, and other forms of malware that present an ongoing threat to the legitimate email communications of your business.
Click here to learn more about SecurityGateway for Email Servers
SecurityGateway 8.5.3 - July 26, 2022****CHANGES AND NEW FEATURES
- [26179] When Location Screening is enabled the connecting country/region will always be logged (if known) even when the particular country/region is not being actively blocked. So, even if you do not wish to block any country you can still enable Location Screening (without selecting any countries to block) so that country/region can be shown and logged.
- [22988] Added a Location Screening option (“… add ‘X-SGOrigin-Country’ header to messages”) to insert the header ‘X-SGOrigin-Country’ that lists the country and region for content filtering or other purposes. This option is enabled by default when Location Screening is enabled.
FIXES
- [26147] fix to Reflected Cross Site Scripting (XSS) vulnerabilities reported by Pankaj Kumar Thakur from Green Tick Nepal Pvt. Ltd.
- [26148] fix to HTTP Response splitting vulnerabilities reported by Pankaj Kumar Thakur from Green Tick Nepal Pvt. Ltd.
- [26149] fix to line breaks in disclaimer text specified directly in a sieve script are HTML escaped
- [26229] fix to if the “Relay Control | Only domain mail servers can send local mail” option is enabled, a different error may be returned from the SMTP MAIL command depending on if the local address specified exists or not
- [26172] fix to a race condition at startup may result in not all sieve scripts executing
- [26213] fix to callback verification (CBV) does not use the MX record of the sender’s domain if an SPF MX lookup is performed first
- [26214] fix to changes to the Automatic Archive Store Creation | Content Directory field are not saved
- [26170] fix to 32-bit version of ClamAV 0.104.3 is included instead of the 64bit version
- [26216] fix to process executed from sieve script remains in memory until service restart
SecurityGateway 8.5.2 - May 17, 2022****SPECIAL CONSIDERATIONS
- [25911][25912] Domain administrators, by default, no longer have access to archiving or RMail settings. These permissions may be granted to a domain admin via two new settings added to the “Edit User” and “Edit Administrator” dialogs.
- [26003] Changed the default behavior to not query default user verification sources for addresses where the domain is not a local domain. Starting with 8.5.0 all addresses are queried in an attempt to automatically resolve any external aliases. However, this change greatly increased the number of queries made to the default user verification sources in some environments. The default behavior has been restored to that of 8.0.4, where the default user verification sources are only queried if the domain of an unknown address is a local domain. The behavior of the “Enable automatic domain creation” has not changed, and if enabled the default user verification sources will be queried for all unknown addresses. A new user verification source option “Always query default user verification sources for external aliases” has been added to always query the default user verification sources for external aliases, without needing to enable the “Enable automatic domain creation” option.
CHANGES AND NEW FEATURES
- [25693] Support for Cyren’s threat lookup service has been added to the Cyren AV engine. When the AV engine detects a suspicious file that is not classified by the virus definitions it will generate a hash of the file and query Cyren’s threat lookup service. Cyren’s threat lookup service is a 100% cloud-based solution that allows SecurityGateway to conduct a file integrity check and get up-to-moment classification of malware threats based on Cyren’s global threat intelligence.
- [25766] Added support for SMTP AUTH PLAIN authentication
- [25775] Updated FusionCharts library to version 3.18.0
- [25837] Renamed “Unknown - Outbreak Protection” to “Outbreak Protection” in the AntiVirus / Inbound by Name report
- [25894] Added sample PowerShell scripts that use XMLRPC API to export and import Sieve scripts. The sample PowerShell scripts may be found in the …\Docs\API directory.
- [25788] Added "send as a secure message (using built-in web portal)" and “send using REQUIRETLS” as potential actions for Data Leak Prevention | Medical Terms
- [25956] Added PowerShell API samples; Create SG Domains.ps1, List Methods.ps1, and Get Method Help.ps1
- [25998] LetsEncrypt script has been updated to use Acme-PS 1.5.2
- [26063] Updated embedded database engine to Firebird 3.0.9
- [26079] Updated ClamAV to version 0.104.3
FIXES
- [25879] fix to domain selector drop down only displays the page domains (default 50) alphabetically
- [25864] fix to matching whitelist/blacklist entry link in the Message Log | Message Information | Transcript view does not switch to the correct page of the list if the matching entry is not on the first page
- [25186] fix to the value of the “Only include new messages quarantined since last email was sent” option for the administrative quarantine report is read from the user quarantine report settings
- [25869] fix to no result feedback message is displayed when clicking the Spam/Not Spam toolbar buttons
- [25887] fix to when replying to a secure message the line breaks are lost and the message received by the recipient is a single line
- [25943] fix to Secure Message Recipients may be deleted at midnight
- [25867] fix to when using an external Firebird database server, the securitygatgeway.exe process crashes at startup if it is unable to communicate with the Firebird database server on port 3050. The process now exits normally and logs an appropriate error message.
- [25955] fix to “Secure Web Message” is missing from the “Result” pulldown on the Message Log search pane
- [25968] fix to the “Resend invitation email” link on the Secure Message Recipient edit page uses the wrong template for the email message
- [25832] fix to switching between the “Remote Mail Delivery” options loses any saved password for the mail server
- [25974] fix to quarantined messages are still displayed in the list after they have been whitelisted or blacklisted
- [25744] fix to administrator quarantine schedule set to “On the schedule specified below:” configured to send one report per day sends a report each minute until the top of the next hour
- [25988] fix to when the “Day” summary type is selected for a report, drilling down on a summary period may not list the correct messages
- [25964] fix to SGSpamD.exe process stops on secondary nodes when processing messages using Bayesian learning
- [22348] fix to unable to save port values higher than 32767 for Domain Mail Servers, User Verification Sources, or Remote POP Accounts
- [26008] fix to resending a “Secure Web Message” from the Message Log sends the message via SMTP
- [26001] fix to Addheader sieve command does not encode non-ANSI characters
- [25995] fix to a matching entry in the “Attachment Filtering | Attachments to Quarantine Attachments | Exclude messages sent to email addresses listed below” list does not prevent messages from being quarantined
- [26013] fix to no verification occurs when adding an alias or selecting “Merge User” in the user edit dialog. Invalid alias addresses are not added to the user when saved, however, no feedback is displayed to the user. This was introduced in the 8.0.0 release.
- [21425] fix to with the “Setup | Mail Configuration | Email Protocol | Check commands and headers for RFC compliance” and the “Security | Anti-Spoofing | DMARC Settings | Refuse to accept messages if ‘From’ is incompatible with DMARC” options disabled messages with an invalid From header are still rejected
- [26024] fix to Secure web messages deleted via the portal are removed from the database. The message should not be removed, but have its state set to "Deleted".
- [26023] fix to Secure web messages that are flagged “admin quarantine” are still delivered to the secure web message portal. The message should not be visible in the portal unless an administrator releases it from the quarantine.
- [26039] fix to messages collected from a remote pop account are detected as relayed messages and DATA event sieve scripts are not executed
SecurityGateway 8.5.1 - March 8, 2022****FIXES
- [25866] fix to XML injection vulnerability that may disclose private data
- [25834] fix to Outbreak Protection Anti-Spam configuration options are disabled and cannot be enabled
- [25858] fix to changes made to POP mail source are not saved if the “Test” button is used
- [25844] fix to custom branding image is not displayed on secure user account setup page
- [25833] fix to Installer: Selecting Database Type “External Server” results in error “Cannot find FBCLIENT.DLL or GDS32.DLL”
SecurityGateway 8.5.0 - February 15, 2022****SPECIAL CONSIDERATIONS
[25553] 32bit builds and support for 32bit operating systems has been discontinued. Starting with SecurityGateway 8.5.0 only 64bit builds will be distributed. This allows for us to streamline development and testing and utilize libraries that are only available as 64bit. If you are currently running a 32bit build on a supported 64bit operating system, you can simply download the 64bit build and install on top of the existing installation.
MAJOR NEW FEATURES
- [24440] Secure messaging web portal
- Secure messages are stored on the SecurityGateway server and are accessed by the recipient via the browser. End-to-end encryption is maintained between the SecurityGateway server and the recipient via HTTPS encryption.
- A message may be flagged as a secure message via a Content Filter rule, Data Leak Prevention rule, or a sieve script.
- Added “Send as secure web message” as an available action in the Content Filter and Data Leak Prevention rule editors.
- Added Sieve action "vnd.mdaemon.securewebmsg". This action can be used in manually created sieve scripts.
- A “Secure Message Recipient” account is created for external users to whom a secure message is sent.
- May be automatically or manually created.
- When a secure message is received for an email address, an invitation is sent to the user with a link to create an account to view the message.
- The admin may also specify a six-digit numeric PIN that the secure message recipient must specify when creating their account. This PIN would be communicated to the recipient out of band i.e. in person, postal mail, etc.
- Secure Message Recipients may optionally compose new secure messages to a pre-defined list of local users.
- [24423] User based mail routing
- Configure which domain mail server(s) email should be routed to on a per-user basis.
- Allows for a hybrid deployment where the mailboxes for some local users are hosted in the cloud while others are onsite.
- Use a single domain, and a single SecurityGateway server to route mail to mail servers running at each location of your business.
- A new flag has been added to the domain properties dialog "Do not use this mail server to deliver domain mail, only make avaliable to assign to specific domain users".
- Secure Message Recipients may optionally compose new secure messages to a pre-defined list of local users.
- [171] Performance Counters
- Performance counters have been implemented to allow monitoring software to track SecurityGateways’s status in real time. There are counters for the number of active sessions, the number of messages in the queues, server active / inactive states, uptime, domain count, user count, and licensing state.
CHANGES AND NEW FEATURES
- [24443] Added an option to require strong passwords at Setup/Users | Accounts | User Options. The feature can be disabled per user.
- [25370] The dashboard and registration pages will now display if a service provider/private cloud registration key is used.
- [25508] Recipient whitelists for attachment filtering. A list of recipient addresses, including support for wildcards, may be defined for both attachment blocking and quarantining that bypass the relevant filtering.
- [25631] Lets Encrypt - the script will no longer delete the log file on each run.
FIXES
- [25333] fix to black and whitelists for host and IPs exported per domain are missing the domain in the CSV file
- [24825] fix to MTASTS report headers contain erroneous trailing ‘>’ character
- [25147] fix to DNS Blacklists - enabling the “When rejecting a message return ‘SMTP Response’ rather than 'user unknown’” option has no effect
- [25331] fix to per domain white listed Hosts and IP addresses are not excluded from SMTP Authentication
- [25280] fix to Setup | Archiving | Configuration |Automatic Archive Store Creation - the “Save and Close” button does not close the dialog or save changes made
- [25380] fix to quarantine report email message may contain lines longer than 998 characters in violation of RFC 2822
- [25433] fix to When clicking Disable Two Factor Authentication button without entering password an Access Denied error is returned
- [25459] fix to Two Factor Auth may break for users when a domain admin changes a setting on the User Options page
- [25501] fix to “form list [ScheduleList] not found” exception when saving My Account | Settings if the user does not have the “Allow users to modify their own quarantine settings” permission
- [25542] fix to unable to restore a database backup from the web interface
- [21191] fix to embedded images are not displayed when viewing a message in the web interface
- [25578] fix to SSL options are not restored when importing a database configuration export only backup
- [25585] fix to sgdbtool attempt to restore database backup to an external Firebird Server returns error “Main database file must be specified”
- [25645] fix to changes to a Domain Mail Server’s domain list are not logged to the change log
- [25660] fix to when delivering TLS-RPT reports the REQUIRETLS SMTP command may be issued even if the receiving server did not advertise support for it
- [8613] fix to creating an alias with a domain that does not exist in SecurityGateway (external alias) results in the alias’s domain being created in SecurityGateway. The newly created domain contains no users but cannot be deleted without removing all aliases of the same domain.
SecurityGateway 8.0.4 - October 26, 2021****FIXES
- [25400] fix to extended high CPU usage in securitygateway.exe while verifying a particular DKIM signature
- [25445] fix to high CPU time and delay in response to SMTP DATA command due to excessive record count in accounthijack table
SecurityGateway 8.0.3 - September 14, 2021****SPECIAL CONSIDERATIONS
Active Directory user verification sources now default to using Secure Authentication when SSL/LDAPS is not used. Secure Authentication does not support the distingused name format for the verification source user name. Both the DOMAIN\USER and user principal name ([email protected]) formats are supported.
FIXES
- [25281] fix to Active Directory user verification source allows an Exchange distribution list account to authenticate with any password
- [25286] fix to Active Directory user verification source password verification fails when the password contains a non-ascii character
- [25287] fix to Active Directory user verification source may fail when the user name is in the format of DOMAIN\USER
- [25288] fix to whitelist test does not check RFC822 from header
- [25300] fix to user real name is corrupted when synchronized from an Active Directory user verification source if it contains non-ANSI characters
- [25308] fix to AD/LDAP user verification source error string is garbled in the log if it contains non-ANSI characters
- [25309] fix to user can log in with blank password when using an AD or LDAP user verification source if “secure authentication” is disabled
- [25311] fix to system generated messages are not DKIM signed
SecurityGateway 8.0.2 - August 24, 2021****CHANGES AND NEW FEATURES
- [24780] Updated ClamAV to version 0.103.3
- [24781] A footer may be added to messages sent using a trial version of SecurityGateway.
- [24831] The Let’s Encrypt script has been updated to support ECDSA certificates. Let’s Encrypt is currently only supporting ECDSA certificates via their staging system and via an allowed accounts list in production. If you’d like to request an ECDSA certificate from their production system, comment out lines 1072 - 1078 in SecurityGateway\LetsEncrypt\SGLetsEncrypt.ps1. For more information, please see https://community.letsencrypt.org/t/ecdsa-availability-in-production-environment/150679. If you comment out these lines and request an ECDSA certificate without being on the allow list, you will get an RSA certificate. To request an ECDSA certificate add "-ECDSA" to the command line.
- [24878] Added support for embedding the SecurityGateway web interface into an iFrame. This can be useful to integrate SecurityGateway into an existing portal/management console. A new option “Allow management interface to be embedded into a frame” has been added to the Setup | System | HTTP Server configuration page. If this option is enabled, the HTTP server will not send the X-Frame-Options: SAMEORIGIN HTTP header and changes the SameSite attribue of the session cookie to "none". HTTPS is required by modern browsers in order to send the session cookie in a third-party context.
- [24837] Large messages are no longer excluded from SpamAssassin processing by default. A new option has been added to the Heuristics and Bayesian options page that allows the message size limit exclusion to be re-enabled. The initial size of the exclusion has been reset to a new default value of 2MB.
- [25177] Added two new options for Active Directory User Verification Sources that are using SSL.
- Verify SSL certificate - enabled by default, may be disabled to allow an SSL certificate that cannot be verified/trusted, i.e. a self signed certificate
- Check certificate hostname - enabled by default, may be disabled to allow an SSL certificate where the hostname does not match that of the request
- [24962] Added setting value to database to specify Minger query timeout and changed default timeout to 10 seconds
FIXES
- [8613] fix to creating an alias with a domain that does not exist in SecurityGateway (external alias) results in the alias’s domain being created in SecurityGateway. The newly created domain contains no users but cannot be deleted without removing all aliases of the same domain.
- [24799] fix to Unable to restore database from within web interface
- [24784] fix to securitygateway.exe process may crash after upgrade from version earlier than 6.0
- [24815] fix to many instances of “Unable to load string” logged in CTAV update log with non-English installations
- [24807] fix to wildcard asterisk (*) match comparator is not setting correct sieve capture variable value
- [24832] fix to macros in Microsoft Office documents are still detected by ClamAV after disabling the antivirus option “Flag attachments with documents that contain macros as virus”
- [24808] fix to new installations sending blank ehlo/helo command to when delivering mail
- [24896] fix to SG 7.0.x English release notes are not in the history.htm file
- [24895] fix to Export Archived Messages does not validate that a valid email address is specified
- [24893] fix to when creating a new active archive store and the creation fails, the active flag is still cleared for the existing active archive store for the domain. This results in a new archive store being automatically created for the domain.
- [24902] fix to Cyren AV updates are failing on Windows Server 2008 R2
- [24919] fix to archived messages will not be exported if their hash contains an embedded NULL
- [24921] fix to message received by the journal mailbox that is from a local user but to a remote address is not archived
- [24959] fix to message sent from a domain alias is not DKIM signed. The DKIM selector must be added for each domain alias in DNS.
- [24923] fix to message received by journaling mailbox may be archived to wrong archive store
- [24835] fix to unable to delete temp file from temp folder when redirecting a message
- [24738] fix to “can’t format message – message file …\SecurityGateway\App\firebird.msg not found” logged when a Firebird database error occurs
- [25109] fix to unable to create ActiveDirectory user verification source using XMLRPC API
- [25110] fix to “Security | Anti-Spoofing | Reverse Lookups | Send 501 and close connection if no PTR record exists” option cannot be enabled
- [25111] fix to customized quarantine report template custom_quarantine_report.xsl is not used
- [25191] fix to quarantine report query may be run for “users” which were not found be the user verification source and a negative cache record was stored. This can only be seen in the system log if debug logging is enabled.
- [23820] fix to potential crash in SGAV_CTAPlugin.dll
SecurityGateway 8.0.1 - April 13, 2021****FIXES
- [24720] fix to SQLException prevents intial installation when the option to use the embedded database is selected
- [24733] fix to UNIQUE KEY constraint violation “INTEG_28” on table “MESSAGES” logged to system log file
- [24730] fix to process terminates when a configuration backup occurs if the database has not been converted to Firebird 3 format
- [24724] fix to location screening selections are not saved
- [24748] fix to quarantine reports are not sent on the “schedule specified” if the schedule string is not saved in English
SecurityGateway 8.0.0 - March 23, 2021****MAJOR NEW FEATURES
- [23935] Support for active - active database replication. This functionality requires the purchase of an external replication tool. For additional details, please see: SecurityGateway: Configuring Active-Active Database Replication
- [21299] Data Leak Prevention - Search for medical terminology. A list of medical terms may be defined and a score assigned to each. Messages are scanned for matching terms and the sum of the scores for all terms found is calculated. The specified action is performed on messages for which the calculated score exceeds the defined threshold.
- [23795] Added ability to run a custom process/script during message processing and select an action based on the result of the script.
- The script must be placed in the “Sieve Executable Path” directory which can be configured from Setup | System | Directories.
- The “execute” sieve keyword has been added which may be used as an action and a test.
- First parameter is the name of the script. At this time, .bat, .exe, and PowerShell are supported.
- The second parameter is arguments that will be passed to the process. The message_filename is populated with the full path to the RFC822 source of the message being currently processed.
- For example… if execute “Test.ps1” "-msg '${message_filename}’" { }
- [21918] Added the ability to export all archived messages for a domain.
- [24282] Change/Audit logging - Added a new log file which logs changes to the configuration and who made them.
- [4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
- [545] Added option to only include new (those messages quarantined since the last quarantine report email was sent) quarantined messages in the quarantine report email. A quarantine report will not be generated if there are no messages to include in the report.
CHANGES AND NEW FEATURES
- [24305] Updated the “Forgot Password” process to send an email with a link to change the user’s password.
- [24299] LetsEncrypt - Update script to look for the new Issuer being used by LetsEncrypt.
- [24307] Updated DKIM Signing to use SHA256 hash.
- [24326] Added GetServerSetting and PutServerSetting methods to XMLRPC API and PowerShell module.
- [9344] Added the SMTP connection and protocol timeouts to the Setup | Mail Configuration | Email Protocol page.
- [24315] Added the ability to download attachments from the Message Log | Message Information | Message tab.
- [24292] Updating the alert, confirm, and prompt message boxes.
- [24376] Added several example PowerShell scripts to the docs\API\PowerShell Samples directory for reference.
- [24348] The HELO Domain Name value (Setup | Mail Configuration | Email Protocol) is now a per-server setting in clustered environments. The value may be set to a unique value on each server in the cluster.
- [4665] Added the ability to send user and administrative quarantine reports on a defined schedule.
- [16386] Added the ability to manually execute an SQL statement against the database from the web interface. This feature should only be used on the instruction of technical support and it is recommended that a database backup be performed first.
- [24550] Added option to include “Blacklist Domain” link in the quarantine report email.
- [24608] Updated Cyren AV engine to version 6.4.0r2.
FIXES
- [24253] fix to DKIM verification behavior is opposite that of the “Verifier requires signatures to protect the Subject header” option value
- [24298] LetsEncrypt - change the script look at the DnsName instead of subject when looking for old certificates to remove
- [24344] LetsEncrypt - update the script to get/set SSLTLS settings from the new location
- [24269] fix to Virus Scanning “Exclude messages from whitelisted sender” option has no effect. This was resolved by removing the option as it was added inadvertently.
- [24351] fix to XML-RPC API does not let the ordinal (position) of a system generated Sieve script to be changed
- [24352] fix to editing a Sieve script moves it to the bottom of the list
- [24268] fix to the “Message score” Sieve script runs before domain specific scripts that adjust the score
- [24444] fix to unable to copy “custom branding/custom images” settings from a domain to other domains
- [24449] fix to if MTA-STS is enabled delivery of certain messages may be delayed
- [24383] fix to process crashes when accessing archive store when the location does not exist
- [24358] fix to Office 365/AD User verification source removes disabled accounts setup as shared mailboxes
- [24511] fix to cannot scroll Log Viewer on the x-axis for desktop sizes
- [24512] fix to several minior message viewer display issues
- [24582] fix to virus scanning email address exclusion list is not used if the recipient domain has specified its own virus scanning settings
- [24313] fix to virus scanning email address exclusion list is only used for the first recipient of the SMTP session
- [24599] fix to message sent to a remote domain is not BATV signed if a previous RCPT in the SMTP session is a local user
- [24592] fix to web interface does not reload and hangs when saving after changing port values in Setup | Mail Configuration | Email Protocol
- [24303] fix to Cyren AV mistakenly detects some PDF files as being password protected