This upgrade adds a number of new features and addresses a number of security issues. We strongly recommend that you upgrade as soon as possible to benefit from these new features and to ensure that you are fully protected.
If you are using mandatory TLS settings, mail flow is stopped when you upgrade. Following the upgrade, you must modify the mandatory TLS settings in your Connection Profiles before you can enable mail flow. If you have significant configuration changes to make on upgrade, one possible approach is to add an additional peer that does not carry traffic. Upgrade this peer and perform the configuration changes, then apply that configuration to each existing peer as it is upgraded.
Security Technical Implementation Guides (STIGs) contain technical guidance to "lock down" computer systems that might otherwise be vulnerable to a malicious computer attack. They are administered by the Defense Information Systems Agency (DISA) in the United States through the Information Assurance Support Environment (IASE). Clearswift
In addition, other security guides are available through the open source OpenSCAP framework and associated policies.
After installation or upgrade, if you would like to generate a manual system evaluation for STIGs compliance, you will need to contact Clearswift Technical Support.
Postfix replaces Sendmail as the Clearswift
As part of this improvement, a number of changes have been made to the functionality and user interface of the Clearswift
As the Message Transport Agent (MTA) provider has been changed from Sendmail to Postfix, the log format has also changed. If you are exporting logs to a third-party syslog tool, Clearswift recommends installing this release in a sandbox environment first, reviewing the new log format and updating your syslog environment before upgrading production systems.
Inbound and outbound TLS
As a global setting, there is now a single option for enabling opportunistic inbound and outbound TLS. Mandatory TLS is configured on Connection Profiles for inbound TLS, and routing for outbound TLS. Connection Profiles include a list of Client Hosts, which can be IP addresses or host names, and Sender Domains. In this version, the Clearswift
Outbound TLS configuration is no longer based on the IP address of the receiving MTA and instead is based on the destination email domain.
Inbound and outbound TLS settings within Connection Profiles have been restructured and simplified.
The High cipher list has been updated as part of this release.
Queue management
Two new message queues - SMTP Inbound and SMTP Outbound - have been added to the Message Center Home page. These queues are integral to Postfix and, while this increases the number of queues to a total of five, the queue directories are more detailed than Sendmail's directories. On upgrade, any messages in the Dispatch Retry queue are moved to the SMTP Outbound queue.
Message tracking
You can track messages from the
New DKIM (DomainKeys Identified Mail) signing option
If you have enabled DKIM signing on outbound messages in the SpamLogic Settings page, you can optionally enable "If the message sender is empty, sign using the key for the domain of the From address" in the DKIM signing on outbound messages section. The DKIM signature is added per sender domain, so by default messages with an empty sender, such as out-of-office replies, were not signed; that was the expected behavior. This new option allows you to apply DKIM signing to out-of-office replies and similar messages that have an empty message sender field.
There are a number of new features included in this release:
For more detail on these new features and how you can use them, see
There are also a number of changes included in this release:
Server Console changes and STIGs compliance
You can now add up to 20 NTP servers to operate your synchronized Network Time Protocol using the Server Console. See System Time Settings for more information.
If you have recently upgraded to In a closed environment this might be undesirable and could cause excess logging at your firewall. In Server Console, the Red Hat NTP pool servers are now displayed, and can be individually disabled. Alternatively, you can disable NTP entirely if preferred.
Cryptographic Message Syntax
The
If you want to revert to the previous settings, edit /var/cs-gateway/encryption/cryptod.local.cfg to contain:
[SMIME]
UseCMS = no
Restart the Policy Enforcement service.
S/MIME Signature Algorithm
The default for the S/MIME signature algorithm has been changed from SHA1 to SHA256. SHA256 is a stronger algorithm; the change affects both signature processing and certificate generation.
If you have previously created a Certificate Authority for S/MIME, you might need to recreate it following upgrade, in order to apply the new algorithm consistently through your certificate chain.
If you want to revert to the previous settings, edit /var/cs-gateway/encryption/cryptod.local.cfg to contain:
[SMIME]
OpenSSL-SigAlgo = SHA1
Restart the Policy Enforcement service.
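The two revert fragments above both weaken the upgrade defaults (CMS processing off, SHA1 signatures). The following added example, which is not Clearswift code, is a small post-upgrade audit that reads a cryptod.local.cfg-style fragment and reports any [SMIME] override that reverts to the legacy behaviour. It assumes the file is INI-like enough for Python's configparser to read, and the hardened values it compares against (UseCMS = yes, OpenSSL-SigAlgo = SHA256) are the assumed post-upgrade defaults rather than values quoted from the page.

```python
import configparser

# Constructed fragments. The two "revert" settings are the ones the release
# notes describe; the hardened values (UseCMS = yes, SHA256) are the assumed
# post-upgrade defaults. It is also an assumption that cryptod.local.cfg is
# INI-like enough for configparser to read it.
LEGACY_CFG = "[SMIME]\nUseCMS = no\nOpenSSL-SigAlgo = SHA1\n"
HARDENED_CFG = "[SMIME]\nUseCMS = yes\nOpenSSL-SigAlgo = SHA256\n"

WEAK_SIG_ALGOS = {"SHA1", "MD5"}


def audit_smime_settings(cfg_text: str):
    """Return [(option, value), ...] for each [SMIME] setting that weakens the
    upgrade defaults. An empty list means the defaults are in force."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    findings = []
    if not parser.has_section("SMIME"):
        return findings  # no local override at all
    use_cms = parser.get("SMIME", "UseCMS", fallback="yes").strip().lower()
    if use_cms == "no":
        findings.append(("UseCMS", use_cms))
    algo = parser.get("SMIME", "OpenSSL-SigAlgo", fallback="SHA256").strip().upper()
    if algo in WEAK_SIG_ALGOS:
        findings.append(("OpenSSL-SigAlgo", algo))
    return findings


def audit_file(path: str):
    """Audit an on-disk file; a missing file means no local override."""
    try:
        with open(path, encoding="utf-8") as fh:
            return audit_smime_settings(fh.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Path taken from the release notes; run on the Gateway after an upgrade.
    for option, value in audit_file("/var/cs-gateway/encryption/cryptod.local.cfg"):
        print("weak S/MIME setting in effect: %s = %s" % (option, value))
```

Run it after the Policy Enforcement service restart; an empty report means neither revert is in effect.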
Message tracking
Logging Levels
Queue management
Inbound and outbound TLS
SMTP authentication
Email routing
Retention Time extension
Address Rewriting
%LOCALDATE% token
We strongly recommend that you follow the installation steps outlined in the Clearswift
If you are migrating from a previous version of
If you are upgrading from an earlier version
Change your AUTH profile user names and passwords, if you are using the same user name on different profiles. For more information, refer to SMTP Authentication.
For further information on how to upgrade, refer to Upgrading from an earlier version 4 release to version 4.7.0.
Detailed instructions on backup and restore are available in the Clearswift
You can install
Full installation instructions are provided in the Installation and Getting Started Guide.
Perform the following steps to download and apply software updates when you upgrade to
Open an SSH session and access the Clearswift Server Console. Log in using your cs-admin access credentials.
Online or Offline mode? Offline mode is designed for installations that operate in a closed environment, disconnected from the Internet. Unless this is a specific requirement for your system, you should install To perform an offline upgrade you require a copy of the latest release ISO mounted to suitable media (DVD/USB). Please contact Clearswift Technical Support if you need additional guidance on how to complete this step.
If you have online repositories enabled, updates will be downloaded overnight (automatically). You can apply them immediately. You can also use the Check for New Updates button if you believe that there has been a recent security fix issued.
To apply software updates:
Select Yes to confirm that you want to apply the updates.
All downloaded updates will now be installed. This process can take several minutes. A rolling progress log will be displayed.
At the end of the upgrade process, the system will prompt you to either reboot or log out. Follow the instructions on-screen.
After you have upgraded, you need to:
When you upgrade, mail flow is stopped. You must modify the mandatory TLS settings in your Connection Profiles before you can enable mail flow by restarting the SMTP Inbound Transport, SMTP Outbound Transport, and SMTP Alert Transport services.
This update includes the following fixes, which have been implemented in version
Enhancements to the content engine improve:
When logging in to PMM using Chrome, the browser looped indefinitely between the following pages: http://pmm.domain.com/PMM/authenticate.jsp?action=sessionexpired and https://pmm.domain.com/PMM/authenticate.jsp?action=sessionexpired.
This is due to the cookie security settings on access to PMM, which have been reconfigured and tested. This issue is resolved in this release.
A PDF containing malware in EML format was not correctly detected by the Kaspersky anti virus scanner. This issue has been resolved by improvements to the content engine.
Some base-64 encoded content was causing a series of messages to remain in the content queue and fail as 'problem messages'. This release includes a significant update to implement cryptographic message syntax processing which resolves this issue.
Transaction log export failed if your initial scheduled configuration was run without testing the SFTP settings. Manual export then also failed, along with any subsequent test of the FTP settings. This issue was caused by the
The export process has been updated and tested in this release, and scheduled logs are now exported correctly.
When upgrading a custom UI certificate, the following error was encountered: "Certificate with alias "tomcat" already exists in keystore. However, this was a result of the
This wording has been replaced with: "Failed to import updated certificate into keystore. Ignore if the customer has changed the password and are using their own certificate."
LDAP address lists were not configurable with wildcards in the domain name, for example:
firstname.lastname@*.*
This caused problems when using an LDAP Query to populate a working address list.
This has been resolved and wildcards are now permitted.
The Kaspersky anti virus counter on the Anti virus scanners page was not accurately reflecting the number of detected viruses. No increment was displayed when tested with standard KSN test or heuristic data.
This issue has been resolved in this release.
The process limit for gw-services was lower than required to process high volumes of traffic. This resulted in a slowing down of mail traffic and a number of 'unable to create new native thread' errors in various logs. This issue was resolved by resetting the hard and soft processing limit to 4096. Performance testing of this change has not shown any negative effects.
The policy enforcement service was constantly restarting as a result of the monitoring watchdog exceeding its configured threshold. This threshold has been increased, to prevent the issue recurring.
Internet Explorer and Chrome displayed a 'bad request' error when accessing PMM. This problem was due to large cookies and could be temporarily fixed by clearing the cache. However, this issue has now been fully resolved by increasing the default cookie size limit.
Whitelisting Sender Email addresses or Sender Hostnames for RBL checks had no effect. This issue has been resolved in this release and whitelisting now operates as expected.
DKIM verification failed if the message did not contain a whitespace character after the colon that separates the header field name from its value.
This issue has been resolved in this release.
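RFC 5322 permits a header field written as "Name:value" with no space after the colon, so a verifier that expects the space rejects valid mail. The following is an added example, not Clearswift code, of a header splitter and DKIM-Signature tag parser that accepts both forms; the sample header blocks are constructed and the signature values in them are placeholders, not real signatures.

```python
import re

# Constructed sample header blocks (not from the page). The first uses the
# conventional space after the colon, the second omits it; both are valid.
HEADERS_WITH_SPACE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    " h=from:to:subject; bh=abc=; b=xyz=\r\n"
    "From: Alice <alice@example.com>\r\n"
)
HEADERS_NO_SPACE = (
    "DKIM-Signature:v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    " h=from:to:subject; bh=abc=; b=xyz=\r\n"
    "From:Alice <alice@example.com>\r\n"
)

# RFC 5322 field-name: printable US-ASCII (33-126) excluding the colon.
_NAME_RE = re.compile(r"[!-9;-~]+")


def unfold_header_lines(raw: str):
    """Join folded continuation lines (leading SP/HTAB) onto the field they belong to.
    An empty line marks the end of the header block."""
    fields = []
    for line in raw.splitlines():
        if not line:
            break
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\r\n" + line  # keep the fold; canonicalisation deals with it
        else:
            fields.append(line)
    return fields


def split_field(line: str):
    """Split 'Name:value' into (name, value). Whitespace after the colon is
    optional, which is the case the release note describes."""
    name, sep, value = line.partition(":")
    if not sep or not _NAME_RE.fullmatch(name):
        raise ValueError("not a header field: %r" % line)
    return name, value


def parse_dkim_tags(value: str):
    """Parse the tag=value list of a DKIM-Signature field (RFC 6376 section 3.2).
    Folding whitespace inside a tag value is not significant and is removed."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        tag, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_tags_from_headers(raw: str):
    """Return the parsed tags of the first DKIM-Signature field, or None if absent."""
    for line in unfold_header_lines(raw):
        name, value = split_field(line)
        if name.lower() == "dkim-signature":
            return parse_dkim_tags(value)
    return None
```

Both sample blocks parse to the same tag dictionary, which is the property a verifier needs before it compares the b= and bh= values.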
The cipher DES-CBC3-SHA (key exchange RSA, authentication RSA, encryption 3DES(168), MAC SHA1, strength MEDIUM) was offered for TLS when high ciphers were enabled.
This cipher has been excluded from the High setting. Custom override of the cipher list is also possible in the /opt/cs-gateway/custom/general.properties file.
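To confirm that a cipher string really drops 3DES before placing it in an override, it can be evaluated against the system OpenSSL library. The following added example, not Clearswift code, does that with Python's ssl module: it lists what a cipher string expands to and reports which suites a "!3DES" exclusion removes. It does not know the property key used in /opt/cs-gateway/custom/general.properties, so it only works on cipher strings; the "HIGH:!3DES" string is an illustrative value, not one quoted from the page.

```python
import ssl


def ciphers_offered(cipher_string: str):
    """Expand an OpenSSL cipher string against the linked OpenSSL and return the
    suite names it would offer (TLS 1.3 suites are listed as well)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def is_triple_des(name: str) -> bool:
    # OpenSSL names 3DES suites with "DES-CBC3" (e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA).
    return "DES-CBC3" in name or "3DES" in name


def triple_des_ciphers(cipher_string: str):
    """Names of any 3DES suites a cipher string would still offer."""
    return [n for n in ciphers_offered(cipher_string) if is_triple_des(n)]


def removed_by_exclusion(base: str, exclusion: str = "3DES"):
    """Suites present in `base` that disappear once `!exclusion` is appended.
    On an OpenSSL that already classes 3DES as MEDIUM this is empty for HIGH."""
    before = set(ciphers_offered(base))
    after = set(ciphers_offered(base + ":!" + exclusion))
    return sorted(before - after)


if __name__ == "__main__":
    print("3DES still offered by HIGH:", triple_des_ciphers("HIGH"))
    print("removed by HIGH:!3DES:", removed_by_exclusion("HIGH"))
```

Whether plain HIGH still includes DES-CBC3-SHA depends on the OpenSSL version; the explicit exclusion makes the outcome independent of that.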
The
This issue has been resolved and active content is now detected in these files as expected.
If duplicate email addresses existed in the manager relationship data, the policy engine failed to restart. For example, two users with nearly identical email addresses (user@company.com and User@company.com) were indistinguishable identities, causing the Mail Application master to terminate.
This issue has been resolved in this release.
When creating a message inform which uses the %DATE% token, the token displayed the time in the +0000 time zone regardless of the local configuration. This problem was caused by the
Underscore characters were not permitted when configuring a proxy server using the Server Console (Configure System > Configure External Servers > Proxy Server). An error message indicated that the 'specified user is invalid or empty'.
This has been resolved and underscore characters are now supported.
Entries added to a whitelist were treated as case-sensitive, so the Gateway distinguished between otherwise identical email addresses that differed only in upper or lower case characters. This issue has been resolved and the Gateway now treats whitelist entries as case-insensitive.
When installing the
Validate Sender Domain performed a number of DNS lookups in order to resolve FQDNs. This resulted in inconsistent validation when DNS server entries included a wildcard for subdomains.
This release includes a replacement of the Message Transfer Agent (MTA), which resolves the issue. Validate Sender Domain is now applied as expected.
Previously, it was not possible to delete a secondary IP address from eth0. When applying the changes, the deleted address was still displayed.
This issue has been resolved in this release.
The following alarms were displayed despite the
This issue has been fixed in this release.
BATV (Bounce Address Tag Validation) failure (spam:batvfailure) was not displayed as a reject reason in message tracking. This issue has been resolved in this release.
Following upgrade to 4.5.0, 4.6.0 or 4.6.2, the PMM Portal failed to display the configured logo. This issue has been resolved in this release.
Configured HTTP proxies in Server Console were not displaying correctly if they contained an authentication password including an equals sign (=). This impacted Anti Virus upgrades and licence validation. This issue is resolved in this release and HTTP proxy entries are now displayed and applied correctly.
When exporting SMTP logs using syslog, a number of Mailshell service auditor logs were also exported when only SMTP logs were selected. This was recorded in the log as: 'The Mailshell engine has been initialized successfully.'
This release includes an update to the logs that filters erroneous entries from SMTP logging. This issue is resolved in this release.
When a connection for a specific IP address included a relay option set to 'Blocked' it failed to apply the block when the sender and recipient were both identified as users from the same domain. This resulted in the potential for spoofed messages to be delivered.
Version 4.7 includes a replacement of the Message Transfer Agent (MTA) which has fixed this issue. Messages encountering the relay option are now processed correctly and, where blocked, "No messages will be accepted from this Connection profile" as expected.
When completing the
This has been resolved and all FIPS features now appear as expected after FIPS Mode is enabled during installation.
If an IP address was added to the User Interface Access Control, it prevented policy being applied from another peer unless the IP address of that peer was also added. This release contains significant updates which resolve this issue, and you can now share policy between peers.
The Transport Security, TLS Requested and Hostname information on message tracking displayed correctly for SMTP OUT messages, but was not displayed for similar messages that were received. This release contains significant updates, which resolve this issue. Messages now correctly display TLS information in message tracking.
When running a connectivity test, the
The PMM Alarm 'Failed to fetch PMM data from peer' is raised correctly when the PMM service is interrupted, for example during a Red Hat upgrade.
However, this alarm was still being displayed when the peer became available and PMM service had resumed. This was accompanied by a 'Connection refused' entry in the PMM Infrastructure log. The alarm could not be manually canceled.
This has been resolved in this release. You can now cancel this alarm.
If Connection Management was configured as: "The Email
This issue has been resolved in this release. Spoof Detection can be performed regardless of Connection Management configuration.
Previously, the
Support for multiple NTP servers has been added in this release. You can now add up to 20 NTP servers using Server Console. See System Time Settings for more information.
Default Red Hat servers were used by NTP, which caused block messages in the firewall due to the unrecognized server names.
You can now view and disable these Red Hat servers (0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org) and replace them with custom NTP servers as appropriate. See System Time Settings for more information.
When downloading attachments from held messages, an opened attachment link was indistinguishable from an unopened link.
This made it difficult to track which attachments had already been opened. This issue has been resolved.
If an inbound message was received in the form <"test>>me"@domain.com, the Gateway ignored any rejection settings. This issue has been resolved.
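Three of the fixes above concern how addresses are compared against a list: wildcards in LDAP address lists (firstname.lastname@*.*), case-insensitive whitelist entries, and an address whose quoted local part contains ">" characters. The following added example, not Clearswift code, shows one address-list matcher that handles all three: it extracts the addr-spec without mistaking a ">" inside a quoted local part for the closing angle bracket, lower-cases the result so that user@company.com and User@company.com compare equal, and compiles "*" wildcards so that they never straddle the "@". The list entries are constructed for the example.

```python
import re


def extract_addr_spec(raw: str) -> str:
    """Pull the addr-spec out of a raw address such as 'Name <user@example.com>'.
    Characters inside a quoted local part ("...") are never treated as angle
    brackets, so '<"test>>me"@domain.com>' yields '"test>>me"@domain.com'.
    An unterminated '<' (the form quoted in the release note) is tolerated."""
    s = raw.strip()
    in_quote = False
    start = None
    spec = None
    i = 0
    while i < len(s):
        c = s[i]
        if in_quote and c == "\\":
            i += 2  # quoted-pair: skip the escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote and c == "<":
            start = i + 1
        elif not in_quote and c == ">" and start is not None:
            spec = s[start:i]  # the last bracketed segment wins
            start = None
        i += 1
    if spec is None:
        spec = s[start:] if start is not None else s
    return spec.strip()


def canonical(raw: str) -> str:
    """Lower-case the whole addr-spec so that user@x and User@x compare equal,
    mirroring the case-insensitive treatment the Gateway now applies to lists."""
    return extract_addr_spec(raw).lower()


def compile_entry(entry: str):
    """Turn a list entry with '*' wildcards into a regex. '*' matches any run of
    characters that does not include '@', so a wildcard cannot cross from the
    local part into the domain; everything else is matched literally."""
    parts = [re.escape(p) for p in entry.strip().lower().split("*")]
    return re.compile("^" + "[^@]*".join(parts) + "$")


class AddressList:
    """A whitelist-style address list: entries may carry '*' wildcards and are
    compared case-insensitively against the canonical form of each address."""

    def __init__(self, entries):
        self._patterns = [compile_entry(e) for e in entries]

    def matches(self, raw_address: str) -> bool:
        addr = canonical(raw_address)
        return any(p.match(addr) for p in self._patterns)


# Constructed entries, not taken from any real configuration.
WHITELIST = AddressList(["firstname.lastname@*.*", "User@Company.com"])
```

Because matching happens on the extracted addr-spec rather than on the raw string, an address with an odd quoted local part is neither silently accepted nor able to disturb the bracket parsing; it simply matches or does not match like any other entry.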
See
Note the following end of life information:
For more details, see the End of Life statement.
For contact details, information on product updates and other products, see the Clearswift Website.
Revision 1.0 November 2017
Published by Clearswift Ltd.
© 1995-2017 Clearswift Ltd
All rights reserved
The materials contained herein are the sole property of Clearswift Ltd. No part of this publication may be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.
Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.
The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd.
All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.
Clearswift reserves the right to change any part of this document at any time.
Copyright © 1997-2017 Kaspersky Labs, 10 Geroyev Panfilovtsev St., 125365 - Moscow, Russian Federation. The Kaspersky Logo and Kaspersky product names are trademarks of Kaspersky Labs.
Copyright © 2000-2017 Sophos Limited. All rights reserved. Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
Licensed under US Patent No:5,623,600
Protected by UK Patent 2,366,706
The software allows Clearswift to collect certain data from you regarding spam and other unwanted emails. Clearswift will use this information to improve its service to you (defined as the "Support Service") in the license agreement. Clearswift will use all information provided in accordance with the license agreement and Clearswift's stated privacy policy which can be found at http://www.clearswift.com/about-us/legal-information .