Clearswift SECURE Email Gateway 4.2.1 ReadMe

New features

The following new features have been added in this upgrade:

Message processing resilience

Previous versions of the Gateway offered less resilience when processing large, corrupt or badly-formed messages. These messages occupied message processing slaves for excessive periods of time, resulting in a sustained state of low activity while the Gateway attempted to process the messages.

Message processing management has now been enhanced to ensure that not all message processing slaves can be blocked at once, and hence mail flow will continue. In normal day-to-day processing, this will not affect Gateway performance negatively in any way. However, when the Gateway receives many of these bad messages within a short space of time, it will no longer get into a stuck state and will continue to process other mail as expected.
Support for TLS connections based on recipient of outbound messages

It is now possible to create Mandatory TLS connections to email domains without having to define the IP address/host names of the recipient's mail relays. The Gateway “connection” is configured with the domain name of the mail recipient. When a message is to be delivered to that domain, the Gateway uses DNS to resolve the domain and tries to establish a secure connection to the MX hosts for that domain. If domain name matches the host names of the mail relays, then a TLS connection will be attempted.

If the recipient uses a third party mail relay, such as Symantec.cloud or Office365, then the Sendmail TLS checks will fail due to the relay server names not matching the recipient domain name. In this case, by enabling Opportunistic TLS, the Gateway will make the connection. By changing the TLS settings for the connection to require forced encryption in both TLS Client and TLS server modes, the messages will only be delivered if you send them in an encrypted form.
Classification of newsletters as spam

This upgrade allows the classification of newsletters as spam. In previous versions, the Gateway did not classify newsletters as spam. However, you can now configure the Gateway in SpamLogic Settings to reclassify newsletters as either Suspected Junk Email or Confirmed Junk Email.
Support for adding images and text to the Gateway login page

This upgrade allows the addition of images such as corporate logos, and text such as legal disclaimers to the login page of your Gateway’s user interface. This can be configured in Gateway Branding which you can access from the System drop-down menu. Images can be added in either .gif, .jpg, .png or .bmp format. The text has a maximum size of 1024 characters.
Missing Manager does not determine message senders from “Sender” header of email

In previous versions of the Gateway, Missing Manager determined the sender of messages using the “From” header of an email, which is used to specify the author of a message. However, in the route management part of the policy, the Gateway determined the sender of messages using the “Sender” header, as this specifies the mailbox of the agent responsible for the actual transmission of the message. Missing Manager has now been brought into line with route management and will use the “Sender” header if it exists. If it does not exist, Missing Manager will use the “From” header as before.

While the contents of the “Sender” and “From” fields are commonly identical, they will differ when messages are sent on behalf of someone else. The change in this release will ensure that when messages are sent on behalf of someone else, Missing Manager will check that the manager of the person responsible for sending the message is copied, not the manager of the person who the message is sent on behalf of.

Fixed issues

This update fixes the following issues:

Spam detection improvements

Spam detection rates have been improved following changes in a number of areas.
Increased efficiency of Kaspersky Anti-Virus updates

The retrieval of anti-virus definition updates for the Kaspersky Anti-Virus component has been improved, resulting in more up-to-date virus definitions and hence more accurate detection.
Logjam vulnerability

The Logjam vulnerability exploits a flaw in the TLS protocol by using a man-in-the-middle attack to downgrade TLS connections. This update eliminates the threat by generating 2048-bit Diffie-Hellman groups with primes generated uniquely for each Gateway.
Message processing improvements

Enhancements to the content engine have corrected various issues encountered while processing messages and attachments such as PDF, XLSX and DOCX.
Message processing timeouts

The Message Processing timeout value configured in Policy Engine Settings was not being enforced correctly. This has been resolved and message processing will no longer be allowed to proceed beyond the configured limit.
Unable to configure upstream MTA if connection management is disabled

Previously it was only possible to configure upstream MTAs in SpamLogic Settings if you enabled connection management. However, the spam detection component of the Gateway also needs to know about any upstream MTAs, therefore it is now possible to configure them even if the Gateway is configured not to perform connection management.

Still need to set MTA - make sure people remember to set them in both cases.

Note: We strongly recommend that you configure upstream MTAs regardless of whether or not the Gateway is configured to perform Connection Management in SpamLogic Settings.
Alarms cannot be cleared

Some of the alarms in the Gateway appeared repeatedly or could not be cleared, despite selecting the option to clear them. The handling of alarms has been improved and now allows for clarification and easier management of any that appear.
Restricting UI Access also denied PMM access

When configuring the Gateway to restrict access from a specified IP address to the web user interface, the Gateway also restricted access to PMM from the same IP address. This restriction has been removed and access to PMM will be allowed for those IP addresses.
PMM does not work after restoring to a new Gateway

Previously, if you restored a full Gateway backup to a newly installed Gateway, the PMM database replication would fail. This has been resolved and replication now completes as expected.

Upgrade instructions

Perform the following steps to download and apply software updates when you upgrade from a version 4 Gateway to 4.2.1

Open an SSH session and access the Clearswift Server Console. Log in using your cs-admin access credentials.

Online or Offline mode?

Offline mode is designed for installations that operate in a closed environment, disconnected from the Internet. Unless this is a specific requirement for your system, you should install the Clearswift SECURE Email Gateway in online mode.

To perform an offline upgrade you require a copy of the latest release ISO mounted to suitable media (DVD/USB). Please contact Clearswift Technical Support if you need additional guidance on how to complete this step.

If you have online repositories enabled, updates will be downloaded overnight (automatically). You can apply them immediately. You can also use the Check for New Updates button if you believe that there has been a recent security fix issued.

To apply software updates:

Select Configure System > View and Apply Software Updates > Apply Updates > OK from the Clearswift Server Console main menu.
Select Yes to confirm that you want to apply the updates.
All downloaded updates will now be installed. This process can take several minutes. A rolling progress log will be displayed.
When the Operation Complete message appears, select Done to complete the install process.

At the end of the upgrade process, the system will prompt you to either reboot or log out. Follow the instructions on-screen.

Gateway services will restart automatically in either case.

Revision 1.0 October 2015

Published by Clearswift Ltd.

The materials contained herein are the sole property of Clearswift Ltd. No part of this publication may be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd.

All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.

Clearswift reserves the right to change any part of this document at any time.

Copyright © 2000-2015 Sophos Limited. All rights reserved. Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Licensed under US Patent No:5,623,600

Protected by UK Patent 2,366,706

The software allows Clearswift to collect certain data from you regarding spam and other unwanted emails. Clearswift will use this information to improve its service to you (defined as the "Support Service") in the license agreement. Clearswift will use all information provided in accordance with the license agreement and Clearswift's stated privacy policy which can be found at http://www.clearswift.com/about-us/legal-information.

Clearswift SECURE Email Gateway 4.2.1 ReadMe

Important

New features

Fixed issues

Known issues

Before you install the upgrade

Upgrade instructions

Contact information