Clearswift SECURE Email Gateway 4.7.0 ReadMe

Important

This upgrade adds a number of new features and addresses a number of security issues. We strongly recommend that you upgrade as soon as possible to benefit from these new features and to ensure that you are fully protected.

Security Technical Implementation Guides (STIGs) contain technical guidance to "lock down" computer systems that might otherwise be vulnerable to a malicious computer attack. They are administered by the Defense Information Systems Agency (DISA) in the United States through the Information Assurance Support Environment (IASE). Clearswift Gateways are now compliant with a number of STIGs. You can access a whole-system report that details the compliance level of this release in the STIGs compliance report.

In addition, other security guides are available through the open source OpenSCAP framework and associated policies.

After installation or upgrade, if you would like to generate a manual system evaluation for STIGs compliance, you will need to contact Clearswift Technical Support.

Improvements and new features in version 4.7.0

Postfix replaces Sendmail

Postfix replaces Sendmail as the Clearswift Email Gateway's Message Transport Agent (MTA). This allows Clearswift the ability to more easily distribute Red Hat security fixes and implement features, such as TLS, that more closely match customer expectations on a more up-to-date MTA.

As part of this improvement, a number of changes have been made to the functionality and user interface of the Clearswift Email Gateway.

Inbound and outbound TLS

As a global setting, there is now a single option for enabling opportunistic inbound and outbound TLS. Mandatory TLS is configured on Connection Profiles for inbound TLS, and routing for outbound TLS. Connection Profiles include a list of Client Hosts, which can be IP addresses or host names, and Sender Domains. In this version, the Clearswift Email Gateway uses Sender Domain names to select a profile for TLS but not for relay control or SMTP Authentication.

Outbound TLS configuration is no longer based on the IP address of the receiving MTA and instead is based on the destination email domain.

Inbound and outbound TLS settings within Connection Profiles have been restructured and simplified.

The High cipher list has been updated as part of this release.

Queue management

Two new message queues - SMTP Inbound and SMTP Outbound - have been added to the Message Center Home page. These queues are integral to Postfix and, while this increases the number of queues to a total of five, the queue directories are more detailed than Sendmail's directories. On upgrade, any messages in the Dispatch Retry queue are moved to the SMTP Outbound queue.

Message tracking

You can track messages from the 4.7.0 Gateway to selected peers of any version.

New DKIMDomainKeys Identified Mail signing option

If you have enabled DKIM signing on outbound messages in the SpamLogic Settings page, you can optionally choose whether to enable If the message sender is empty, sign using the key for the domain of the From address in the DKIM signing on outbound messages section. The DKIM signature is added per sender domain, which previously excluded out-of-office replies as the default, expected behavior. This new option now allows you to apply DKIM signing to out-of-office replies and similar messages that have empty message sender fields.

Additional improvements

There are a number of new features included in this release:

• Greater support for General Data Protection regulation (GDPR) with new Predefined Text Entities in Lexical Expressions
• Detect Malformed Data content rule
• Adaptive Redaction of meta data in JPEG image files
• STIGs compliance
• Support for additional network interface controller (NIC) IP addresses accessible from the user interface
• Support of MindManager files (MMAP) as a media type
• Support for Norwegian keyboard layouts in Server Console
• Support for Greek, Turkish, and Norwegian Time Zones

For more detail on these new features and how you can use them, see What's New in 4.7.0 in the online help.

Before you install or upgrade the product

Installing the product

You can install the SECURE Email Gateway from the ISO image available for download in the Clearswift download area.

Full installation instructions are provided in the Installation and Getting Started Guide.

Fixed Issues

This update includes the following fixes, which have been implemented in version 4.7.0:

• Message processing improvements

  Enhancements to the content engine improve:

  • Detection of Active Content in Word documents
  • Message sanitization
  • Sanitization of suspicious URLs
  • Sanitization of duplicate URLs
  • Processing of encrypted S/MIME messages
  • Processing of PDF files
• PMM Single-Sign-On continuously redirects in Chrome

  When logging in to PMM using Chrome, the browser looped indefinitely between the following pages: http://pmm.domain.com/PMM/authenticate.jsp?action=sessionexpired and https://pmm.domain.com/PMM/authenticate.jsp?action=sessionexpired.

  This is due to the cookie security settings on access to PMM, which have been reconfigured and tested. This issue is resolved in this release.

• Malicious PDF in zip file

  A PDF containing malware in EML format was not correctly detected by the Kaspersky anti virus scanner. This issue has been resolved by improvements to the content engine.

• Travel itinerary messages caused problem messages when decryption was enabled

  Some base-64 encoded content was causing a series of messages to remain in the content queue and fail as 'problem messages'. This release includes a significant update to implement cryptographic message syntax processing which resolves this issue.

• SFTP test export or manual export of transaction logs fails

  Transaction log export failed if your initial scheduled configuration was run without testing the SFTP settings. Manual export then also failed, along with any subsequent test of the FTP settings. This issue was caused by the Gateway restricting write permissions to the file /var/log/cs-gateway/sftp.log.

  The export process has been updated and tested in this release, and scheduled logs are now exported correctly.

• Misleading UI certificate upgrade error

  When upgrading a custom UI certificate, the following error was encountered: "Certificate with alias "tomcat" already exists in keystore. However, this was a result of the Gateway failing to remove the old certificate and replacing it with the upgraded version.

  This wording has been replaced with: "Failed to import updated certificate into keystore. Ignore if the customer has changed the password and are using their own certificate."

• LDAP address lists and wildcards

  LDAP address lists were not configurable with wildcards in the domain name, for example:

  firstname.lastname@*.*

  This caused problems when using an LDAP Query to populate a working address list.

  This has been resolved and wildcards are now permitted.

• Kaspersky virus counters not increasing

  The Kaserpsky anti virus counter on the Anti virus scanners page was not accurately reflecting the number of detected viruses. No increment was displayed when tested with standard KSN test or heuristic data.

  This issue has been resolved in this release.

• Low processing limit results in performance drop

  The process limit for gw-services was lower than required to process high volumes of traffic. This resulted in a slowing down of mail traffic and a number of 'unable to create new native thread' errors in various logs. This issue was resolved by resetting the hard and soft processing limit to 4096. Performance testing of this change has not shown any negative effects.

• Policy enforcement service constantly restarts

  The policy enforcement service was constantly restarting as a result of the monitoring watchdog exceeding its configured threshold. This threshold has been increased, to prevent the issue recurring.

• Bad Request Error when accessing PMM

  Internet Explorer and Chrome displayed a 'bad request' error when accessing PMM. This problem was due to large cookies and could be temporarily fixed by clearing the cache. However, this issue has now been fully resolved by increasing the default cookie size limit.

• RBL whitelist entry ignored for blacklisted IPs found in received headers

  Whitelisting Sender Email addresses or Sender Hostnames for RBL checks had no effect. This issue has been resolved in this release and whitelisting now operates as expected.

• DKIM verification failure when headers signed in simple mode

  DKIM verification failed if:

  • the message was signed in simple mode on the headers

  • the message did not contain a whitespace character after the colon that separates the header field name and the value.

  This issue has been resolved in this release.

• Medium Cipher in high cipher list

  The cipher DES-CBC3-SHA MEDIUM RSA RSA SHA1 3DES(168) was offered for TLS when high ciphers were enabled.

  This cipher has been excluded from the High setting. Custom override of the cipher list is also possible in the /opt/cs-gateway/custom/general.properties file.

• Signed XML with active content not being detected

  The Gateway failed to detect signed Office XML files containing active content.

  This issue has been resolved and active content is now detected in these files as expected.

• Policy engine failure with duplicate manager email address

  If duplicate email addresses existed in the manager relationship data, the policy engine failed to restart. For example, two users with nearly identical email addresses (user@company.com and User@company.com) were indistinguishable identities, causing the Mail Application master to terminate.

  This issue has been resolved in this release.

• %DATE% token using incorrect time zone

  When creating a message inform which uses the %DATE% token, the token displayed the time in the +0000 time zone regardless of the local configuration. This problem was caused by the Gateway using either the date in the header of the email or the current time, rather than the machine's local time zone. This issue has been resolved and date and time stamps are now displaying correctly in messages and informs.

• Proxy Configuration does not support underscore characters in the username

  Underscore characters were not permitted when configuring a proxy server using the Server Console (Configure System > Configure External Servers > Proxy Server). An error message indicated that the 'specified user is invalid or empty'.

  This has been resolved and underscore characters are now supported.

• SpamLogic whitelisting case-sensitive

  Entries added to a whitelist were treated as case-sensitive, leading to the Gateway distinguishing between identical email addresses with different upper or lower case characters. This issue has been resolved and The Gateway now considers whitelist entries as case-insensitive.

• Installation is unsuccessful if hostname returns a null value

  When installing the Gateway in a cloud-based environment using icloudhosting, changing the hostname returns a null value and displays a syntax error in Server Console. This issue has been resolved in this release.

• Validate Sender Domain not applied when the hostname has a FQDN

  Validate Sender Domain performed a number of DNS lookups in order to resolve FQDNs. This resulted in inconsistent validation when DNS server entries included a wildcard for subdomains.

  This release includes a replacement of the Message Transfer Agent (MTA), which resolves the issue. Validate Sender Domain is now applied as expected.

• Unable to delete a secondary virtual IP config from eth0

  Previously, it was not possible to delete a secondary IP address from eth0. When applying the changes, the deleted address was still displayed.

  This issue has been resolved in this release.

• Reputation Services alarms triggered when connection management is disabled

  The alarms following alarms were displayed despite the Gateway being configured not to perform connection management:

  • The reputation feed service is unavailable.
  • The reputation update service is unavailable.

  This issue has been fixed in this release.

• BATV rejects not displayed in message tracking

  BATVBounce Address Tag Validation (spam:batvfailure) was not displaying as a reject reason in message tracking. This issue has been resolved in this release.

• PMM Portal not displaying company branding following upgrade

  Following upgrade to 4.5.0, 4.6.0 or 4.6.2, the PMM Portal failed to display the configured logo. This issue has been resolved in this release.

• HTTP proxy not applied correctly in Server Console

  Configured HTTP proxies in Server Console were not displaying correctly if they contained an authentication password including an equals sign (=). This impacted Anti Virus upgrades and licence validation. This issue is resolved in this release and HTTP proxy entries are now displayed and applied correctly.

• Mailshell service auditor log incorrectly exported

  When exporting SMTP logs using syslog, a number of Mailshell service auditor logs were also exported when only SMTP logs were selected. This was recorded in the log as: 'The Mailshell engine has been initialized successfully.'

  This release includes an update to the logs that filters erroneous entries from SMTP logging. This issue is resolved in this release.

• 'Blocked' relay action not functioning as described

  When a connection for a specific IP address included a relay option set to 'Blocked' it failed to apply the block when the sender and recipient were both identified as users from the same domain. This resulted in the potential for spoofed messages to be delivered.

  Version 4.7 includes a replacement of the Message Transfer Agent (MTA) which has fixed this issue. Messages encountering the relay option are now processed correctly and, where blocked, "No messages will be accepted from this Connection profile" as expected.

• FIPS mode not initiated correctly by Gateway Installation Wizard in IE10

  When completing the Gateway Installation using IE10 as the web browser, FIPS mode did not initiate as expected. The FIPS Mode check box was cleared when the Next button was clicked.

  This has been resolved and all FIPS features now appear as expected after FIPS Mode is enabled during installation.

• Enabling User Access Control disabled peer communications

  If an IP address was added to the User Interface Access Control, it prevented policy being applied from another peer unless the IP address of that peer was also added. This release contains significant updates which effectively resolve this issue and you can now share policy between peers effectively.

• TLS criteria on Message Tracking only displays outbound information

  The Transport Security, TLS Requested and Hostname information on message tracking displayed correctly for SMTP OUT messages, but was not displayed for similar messages that were received. This release contains significant updates, which resolve this issue. Messages now correctly display TLS information in message tracking.

• Connectivity test not checking Relay To actions

  When running a connectivity test, the Gateway displayed the Relay To option as disabled even if relay servers were configured and performing correctly. This issue has been resolved in this release and the connectivity test checks valid relay servers where applicable.

• PMM Alarm not cleared after error is resolved

  The PMM Alarm: 'Failed to fetch PMM data from peer' is raised correctly when the PMM service is interrupted. For example, during a Red Hat upgrade.

  However, this alarm was still being displayed when the peer became available and PMM service had resumed. This was accompanied by a 'Connection refused' entry in the PMM Infrastructure log. The alarm could not be manually canceled.

  This has been resolved in this release. You can now cancel this alarm.

• Spoof detection not available if Connection Management is configured to receive messages indirectly

  If Connection Management was configured as: "The Email Gateway does not receive messages directly from the Internet but still performs connection management' then spoof detection was ineffective. Spoof detection should be performed on the basis of the sender's hosted domain settings, and connection management must operate independently.

  This issue has been resolved in this release. Spoof Detection can be performed regardless of Connection Management configuration.

• Support for NTP Servers

  Previously, the Gateway only supported one NTP server. This should be a variable number of servers to allow for NTP pooling if the server is unavailable.

  Support for multiple NTP servers has been added in this release. You can now add up to 20 NTP servers using Server Console. See System Time Settings for more information.

• NTP uses default servers from Red Hat

  Default Red Hat servers were used by NTP, which caused block messages in the firewall due to the unrecognized server names.

  You can now view and disable these Red Hat servers (0.rhel.pool.ntp.org, 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org) and replace them with custom NTP servers as appropriate. See System Time Settings for more information.

• Message attachment link colors unchanged after opening

  When downloading attachments from held messages, an opened attachment link was indistinguishable from an unopened link.

  This made it difficult to track which attachments had already been opened. This issue has been resolved.

• Messages not rejected if in the form <"test>>me"@domain.com>

  If an inbound message was received in the form <"test>>me"@domain.com the Gateway ignored any rejection settings. This issue has been resolved.

Known issues

Product version end of life

Note the following end of life information:

• Clearswift SECURE Email Gateway 4.5 started end of life process on 7 November 2017 and will not receive technical support after 7 November 2018.

For more details, see the End of Life statement.

Contact information

For contact details, information on product updates and other products, see the Clearswift Website.

Revision 1.0 November 2017

Published by Clearswift Ltd.

© 1995-2017 Clearswift Ltd

All rights reserved

The materials contained herein are the sole property of Clearswift Ltd. No part of this publication may be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd.

All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.

Clearswift reserves the right to change any part of this document at any time.

Copyright © 1997-2017 Kaspersky Labs, 10 Geroyev Panfilovtsev St., 125365 - Moscow, Russian Federation. The Kaspersky Logo and Kaspersky product names are trademarks of Kaspersky Labs.

Copyright © 2000-2017 Sophos Limited. All rights reserved. Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

Licensed under US Patent No:5,623,600

Protected by UK Patent 2,366,706

The software allows Clearswift to collect certain data from you regarding spam and other unwanted emails. Clearswift will use this information to improve its service to you (defined as the "Support Service") in the license agreement. Clearswift will use all information provided in accordance with the license agreement and Clearswift's stated privacy policy which can be found at http://www.clearswift.com/about-us/legal-information .

Click here to read Copyright and Acknowledgments in full.