Secure Email Gateway

NOTE: Prior to release 5.1.0 Secure Email Gateway was called SECURE Email Gateway.

January 2023

Version 5.5.1

January 12, 2023

Fixes
  • This release corrects a problem introduced in V5.5.0 where TLS would fail if the TLS configuration depended on CA/Intermediate certificates which were in the Gateway configuration but not in the Red Hat certificate store. The fix is applied automatically when the system is upgraded to V5.5.1.

December 2022

Version 5.5.0

December 5, 2022

New Features
  • MTA-STS functionality allows email service providers to specify Transport Layer Security (TLS) for secure SMTP connections. This functionality is currently being released as a Preview feature. For additional information, contact Fortra Clearswift Support.

  • The advanced spam filtering system, Rspamd, can now run behind a proxy server.

Enhancements
  • MS Office formats have been split into CDA/XML format types so that you can specifically select one or the other in rules which have media type selection.

Fixes
  • Python3 code has been updated to run with version 3.8. This resolves CVE-2021-3177. Note that the "python3" package may still be installed after upgrade and require manual removal.

  • Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text has been upgraded to 1.10.0 where applicable to nullify this threat.

  • A fix has been applied to an issue where certain spam parameter configuration changes were not reflected on a peered Secure Email Gateway. This fix supersedes the original fix that was supplied in release 5.4.3.

  • A fix has been applied so that PDF files no longer cause memory exhaustion.

  • A fix has been applied so that a Redact Text rule correctly redacts the selected text from a PDF.

  • A fix has been applied so that TNEF messages display as expected after Active Content Sanitization.

  • Fixed an issue in the 5.4.3 release where messages could fail to process when the "Log A Message" action was triggered.

  • The possibility of creating a cross-site scripting (XSS) attack in the admin user interface using a maliciously crafted message tracking URL has been removed.

  • Fixed an Export Reports issue where "Send to Me" would send the report to the administrator rather than the logged-in user.

  • It is now possible to use the "Detect Lexical Expression" rule to detect expressions in a From: header that is syntactically incorrect.

  • Excessive logging within the Sandbox manager log has been corrected in this release.

  • Clearswift is committed to providing software that can perform in a secured Red Hat environment with a high overall STIG security score against the DISA STIG profile. Red Hat has released a new version of the scap-security-guide package v0.1.63 (https://access.redhat.com/errata/RHBA-2022:6576) on RHEL7, which contains an update to the DISA STIG profile to version V3R8. This new profile version introduces several additional requirements but was released too late for these to be factored into the Gateway v5.5 release. As a result, these will be observed as additional findings in any STIG evaluation report using this new profile. These extra findings do not represent a reduction in the security of the Gateway software but are additional configurations that could be implemented to improve the overall system security. However, remediating these rules without proper evaluation carries the risk that the enhanced protection they introduce may conflict with correct system operation. Clearswift will be working to evaluate these new rules to determine their impact on the system and will make modifications to the product to allow for automatic remediation in a future release.

July 2022

Version 5.4.3

July 15, 2022

Enhancements
  • In the Detectable Types selection list within the Detect Lexical Expression, Detect Media Types and Redact Text content rules, support has been added for iCalendar. This means the Gateway can provide better deep content inspection of some types of meeting requests and calendars.

  • The update URLs for Sophos Anti-Virus are now "https" rather than "http". For example, https://sav-update-1.clearswift.net/SOP64/sopupdates.txt

  • Rspamd has been updated to version 3.2.

  • A new cloud location, https://au.analysis.sophos.com, is available for sandboxing. Also, URLs of the existing cloud locations have been updated from https://XXXX.sandbox.sophos.com (XXXX is a location of user's choice) to https://XXXX.analysis.sophos.com. Please note that using the sandboxing feature requires a license.

  • Proactive Alerts have been modified to restrict any potentially sensitive information from being sent to Clearswift via unsecured email. An ability to modify the message body of the Proactive Alerts emails has been introduced, so when working with customer support, and with communication over TLS, more diagnostic information can be sent. Please note that using the Proactive Alerts feature requires a license.

  • Detailed logging is available from the Policy Enforcement service. The logging level is configurable from System > Gateway Settings > Policy Engine Settings, and provides more assistance with problem investigations when required.

  • When a message triggers multiple content rules in a policy route, the Policy Summary tab under the Messages > Held Messages only displayed a filtered list of these rules, whereas all the triggered rules were listed under the Structure tab > PrimaryRules and SecondaryRules properties. Now, all the triggered content rules are listed under the Policy Summary tab, and the rule(s) which caused the message to be held are displayed in bold.

Fixes
  • A fix has been applied to an issue where informs were not sent correctly if the Analyze Properties content rule was configured to detect multiple document properties, and to generate an inform.

  • In PMM the Italian translation for "The message will be delivered shortly" has been corrected.

  • A fix has been applied to an issue where purging the database could run out of memory if Secure Email Gateway had a large audit database. PostgreSQL has now been configured to use less memory when purging.

  • A fix has been applied to an issue where using a proxy in Secure Email Gateway intermittently caused sandboxing to queue messages.

  • A memory leak in the DKIM function has been resolved by upgrading the Mailshell SDK to version 8.2.1.

  • A fix has been applied to an issue with Cockpit where Software Updates > Check for Updates could contain out-of-date information. Now, the caches are correctly cleared by clicking the Check for Updates button.

  • A fault in checking CRLs (Certificate Revocation Lists) from bafin.de has been corrected.

  • A fix has been applied to an issue where SCOM server configuration in Cockpit could be lost after a product upgrade.

  • A fix has been applied to an issue where certain spam parameter configuration changes were not reflected on a peered Secure Email Gateway.

  • A fix has been applied to an issue where non-delivery messages were blocked by Secure Email Gateway for DMARC failures.

  • A fix has been applied to an issue where the Gateway’s UI rejected an input of special characters which were eligible to be used for the local part of the email address.

  • Sanitization of meeting requests, especially URLs within meeting requests, has been improved through the additional support of the iCalendar document format.

December 2021

Version 5.4.2

December 21, 2021

  • In response to the recent global security alert (CVE-2021-45105) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.

Version 5.4.1

December 17, 2021

New Features
  • SpamAssassin Rules have been enabled under Rspamd. These are an extra set of rules that work to improve the detection of Rspamd, enhancing spam detection rates.

Enhancements
  • Microsoft 365 deployments have been enhanced to make the process of deploying a Secure Email Gateway in conjunction with M365 more seamless and secure. This also reduces the possibility of spoofed messages from other M365 tenants by requiring outbound messages to contain a specific X-header that needs to match with specific values set in the Secure Email Gateway product.

  • Rspamd has been upgraded to 2.7.

  • Management links in Informs now follow PMM configuration (HTTP/HTTPS).

  • The product icon for Secure Email Gateway has been updated.

Fixes
  • Microsoft hosted SMTP servers are correctly configured for Greylisting.

  • If an FTP backup configuration is enabled, the password was previously held in plain text in the file /var/cs-gateway/diag/diag-config.xml. This is now encrypted.

  • The SMTP Inbound Transport service can now be restarted from the Admin UI control button.

  • Computer Graphics Metafile (CGM) files were not available in the Detectable Types selection list within the Detect media types content rule. This has now been resolved.

  • It is now possible to set custom "confirmed"/"suspected" spam detection thresholds for Mailshell. Support has also been added for Rspamd custom thresholds.

  • A fix has been applied so that when running a Connectivity Test for Avira, it no longer erroneously fails and shows servers as unavailable.

  • A fix has been applied so that forwarded message text is no longer truncated at the first special character.

  • When configuring a Redact Text rule for UK postcodes (which consist of multiple parts, e.g. AB1 0CD), only the first portion of the UK postcode was being redacted. This has been fixed.

  • Microsoft Project (.mpp) files were failing to process with errors. This has now been resolved.

  • A fix has been applied to the Sanitize Active Content rule, whereby active content was being incorrectly detected.

  • The 'remove potential embedded data' (anti-steganography) option in the Sanitize Document Content rule is now working on files generated using Xiao Steganography.

  • RBL error responses have now been updated so they no longer block mail that receives a Spamhaus error code.

  • Some macro-enabled Visual Basic .xlsm files were failing to process and causing the message to be held as Malformed Data. This has now been resolved.

  • A fix has been applied to an instance where messages were causing the encryption and policy engine components to crash while the messages were being processed.

  • When using both a Sanitize Message content rule to sanitize URLs, and adding a disclaimer, messages were not being sanitized correctly. This has now been fixed.

  • It was previously not possible to sanitize active content for .xlsm files created in the recent version of M365. This has now been fixed.

  • In response to the recent global security alerts (CVE-2021-44228 and CVE-2021-45046) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.

September 2021

Version 5.4.0

September 27, 2021

New Features
  • Enhanced protection is now included by checking the reputation of entered URLs against the Sophos Real-time Malicious URL List. This list contains up-to-date information on all known and emerging malware and is regularly updated to offer maximum security.

  • An additional X-header has been added to a message that shows more detail as to why a message was blocked as Spam.

Enhancements
  • For increased security, the PostgreSQL database has been upgraded from V9.6 to V13.3.

Fixes
  • Listening on port 81 has been turned off and the port disabled.

  • Unlicensed rules can now be deleted from a policy route.

  • The Sandbox report now correctly shows messages that have been detected by Sandboxing.

  • A fix has been applied so that when the gateway receives a connection from an unidentified host, it no longer causes a crash error.

  • PDF files are now created correctly following steganography or text redaction changes.

  • The search facility in the PMM portal now works as expected.

  • It is no longer possible to add invalid IP addresses to a connection tab.

  • The install process on systems with large RAM and hard disk capacities has been streamlined.

  • The Clearswift product name is now clearly identified within Cockpit.

July 2021

Version 5.3.0

July 29, 2021

New Features
  • Sandboxing allows the execution of email attachments in a controlled environment to check for any suspicious activity such as attempting to modify the registry or a file on the system. Sandboxing uses the Sophos sandboxing service and works in tandem with Sophos Anti-Virus. All sandboxing activity is conducted in the cloud and not on-premise.

Enhancements
  • An extra two rows have been added to the Product Information table on the Cockpit Clearswift page to show whether Red Hat or Clearswift online updates are enabled.

Fixes
  • Fixed an issue where the "Upgrade is available" alarm would never be raised if using a non-English system locale.

  • If you changed the gateway branding text and added multiple lines, they were all displayed on a single line. This has now been fixed.

  • Fixed an issue where new SCOM servers could not always be added in the "Monitoring Services" page in Cockpit.

  • The 5.2 upgrade overwrote the keystore, reverting the custom UI certificate back to the Clearswift self-signed cert. This has now been fixed.

June 2021

Version 5.2.0

June 3, 2021

New Features
  • PhishTank has been enabled under Advanced Phishing Detection as part of spam policy. Advanced Phishing Detection uses the feed of confirmed phishing URLs supplied by PhishTank, which provides a second source of phishing detection and complements the existing Mailshell functionality.

Enhancements
  • IP addresses have been updated to support the use of IPv6, enabling users to accept emails from email servers with IPv6 addresses. The Classless Inter-Domain Routing (CIDR) format will be used to add and display addresses within the Gateway.

Fixes
  • PDF rendering has been improved, following steganography or redaction changes applied by the Gateway.

  • XLSX files were being detected as active content when no active content was present. This has now been fixed.

  • An Avira antivirus error stating that ‘not all file contents could be scanned’ has been resolved.

  • Processing documents such as PDFs and RTFs has been improved, resulting in more efficient detection of active content.

  • PDF detection and processing has been enhanced in this release to correct a number of issues, including the Gateway becoming unresponsive.

  • You can now disable XLM macros from being detected, by adding a configuration to the CDA and ZIP format managers. For more information, refer to the online help topic on Sanitization.

  • The process of generating SwissSign certificates with Silver license has been improved and now issues certificates successfully.

  • The gdb and valgrind RPMs can now be removed after product installation. This should be performed using the yum utility in Cockpit Terminal. Please note that these will be automatically reinstalled upon every product upgrade, so the removal process will need to be repeated each time.

  • DMARC logging detail now gives sufficient information as to why a message may have failed DMARC.

  • x-msw-jemd-scanning-scores headers were not being added to messages. This was due to the Rspamd engine returning a negative score for an email message. This has now been resolved.

March 2021

Version 5.1.0

March 1, 2021

New Features
  • PMM Portal users can add a domain to Trusted Senders so that messages from any email address in that domain are trusted. This is particularly useful for allowing recurring mail to be delivered, such as newsletters.

Enhancements
  • Kaspersky anti-virus has been upgraded to version 8.9.

  • Branding changes have been applied to the user interface including new product logos. SECURE Email Gateway is now Secure Email Gateway.

  • Secure Email Gateway now has its own unique installation ISO and download location.

Fixes
  • A number of message processing failures have been fixed in this release.

  • Static Hostnames can contain alias names of over 40 characters.

  • SPF checks were failing due to a deprecated SPF RR Type. This has been fixed in this release.

  • An update to the Avira anti-virus engine has resolved a number of issues, including the detection of Eicar, and consistent use of downloaded definitions.

  • Excel macro detection has been significantly improved in this release.

  • A custom setting has been added to help FTP backups work more effectively.

  • The certificate store is no longer restarted when applying configuration, unless its configuration has changed. This has made the Apply Configuration process faster.

  • The option to search for ‘Imported or generated’ certificate store has been removed and replaced with ‘unknown’.

September 2020

Version 5.0.0

September 08, 2020

New Features
  • As well as an update to Mailshell SDK 8.2.1, this release includes a number of new services designed to significantly improve spam detection rates. Additionally, a new Rspamd anti-spam engine is now configurable alongside Mailshell as part of the Gateway spam detection and filtering system. Rspamd is not enabled by default on upgrades.
  • Red Hat Cockpit replaces server console for administrators. Cockpit is an integrated web interface used for managing your network configuration, software updates, and system management.
Enhancements
  • This version of the Gateway runs on RHEL 7.8, enabling more accessible software updates, a number of technical improvements from RHEL 6, timely security fixes, and a more robust operating system.
  • You can now use the Search text box at the top of a reference list to search for a particular entry within a list. This includes Lexical Expressions, Content Rules, Hosted Domains, Email Routing, and MTA Groups.
  • Support for the SMBv1 protocol is no longer mandatory, due to security vulnerabilities. This version of the Clearswift SECURE Email Gateway still supports SMBv1, but SMBv2 will take precedence if available. The Gateway no longer requires a server to support SMBv1 in order to establish a connection.
  • You can now configure a lexical expression to ignore any duplicates of a unique string that matches that expression. This reduces false positives, where a string might be repeated in a file or attachment.
  • Detection of lexical expressions has been enhanced, so that the count of multiple matches is recorded per attachment or document.
  • The user interface has been resized to be more responsive to screen-size. Additionally, sensitive terminology has been updated where possible, replacing slave/master with worker/controller in log files. Blacklists and whitelists are now referred to as block lists and allow lists respectively.
Fixes
  • A weighted term now only counts once if it is repeated across multiple worksheets, if ‘Each expression may trigger only once for each part of the message’ is selected.
  • UI access controls have been significantly updated and tightened, restricting permissions to the correctly privileged users.
  • An admin account opening multiple tabs while logged in to the Gateway presented the risk of cross-site request forgery (CSRF) if a malicious page was open in a browser. This vulnerability has been resolved in this release.
  • Only the Installation Wizard page is accessible if the Gateway has not been fully configured.
  • The branding text appears on the login page, and was editable without authentication. This has been resolved in this release.
  • The certificate store is now automatically restarted if it crashes.
  • TrustCenter Connection check is now working as expected.
  • The Kaspersky anti-virus engine now installs correctly.
  • 'undisclosed-recipients:;' in the To: field was not detected when configured as a lexical expression. This issue has been resolved.

September 2020

Version 4.11.2
  • The %localdate% token in a Message Area Release Notification could show the incorrect timestamp for messages sent from the local time zone. This has been fixed.

  • Occasionally, applying configuration could result in the loss of Message Tracking events relating to the delivery of the message. This has been fixed.

  • The Sanitize Message rule could fail to detect some formats of URL in HTML href links. This has been fixed.

  • The ENVID parameter of a DSN request was dropped for messages delivered by the Gateway. This has been fixed.

  • The handling of attachments with incorrectly encoded filenames has been improved. It is now possible to inspect the held message.

  • Where a message was processed on multiple policy routes, it was possible for the attachments of the message to be duplicated in the Message Transaction log. This has been fixed.

  • Various problems with message formats have been fixed in this release.

October 2019

Version 4.11.1
Enhancements
  • Sanitization of URLs in documents.

  • Improved security of PMM digest links.

  • Improved searchability of Lexical Expressions, Email Addresses, and URL Lists.

  • Missing Manager updates for when a sender is not in the Manager Relationships list.

Fixes
  • Line breaks in Annotation Content written in plain text did not appear in emails received in Outlook.

  • When configuring the Gateway using the installation wizard, licenses were marked as invalid if you selected the Turkish locale (tr_TR.UTF-8) with US keyboard settings and the time zone GMT+2, using the Server Console.

  • When configuring an Active Directory forest, the credentials panel accepted an invalid user name if no password was entered. This caused Test Authentication to succeed without a specified password.

  • If a message containing a Delivery Service Notification (DSN) request was held, the Gateway removed the DSN request when the message was released.

  • In the Gateway, the ability to search for messages with an empty sender by specifying <> in the Sender field was not working.

  • In the Gateway, emails flagged as newsletters were detected as spam when the "Reclassify suspected newsletters as spam" option was disabled.

  • OCR extraction did not work on all images due to a problem with processing.

  • In the Gateway, DNS lookups for spam detection sent domain names and telephone numbers in clear text. Sensitive information is now obfuscated.

  • If a Gateway was configured to Bounce Address Tag Validation (BATV) sign outbound messages, and the original sender requested a DSN (Delivery Status Notification), the DSN was incorrectly sent to the BATV address.

August 2019

Version 4.11.0
New Features
  • Automatic Certificate Generation using SwissSign's Trust Center from within the Email Gateway.

  • URLs detected in messages can be rewritten, enabling integration with your web protection software, URL filtering, sandbox, or browser isolation platforms.

  • Geoblocking enables you to classify emails as Suspicious or Blocked based on the country of origin.

Enhancements
  • Not Junk Reporting can be configured to restrict the email data sent in reports.

  • Configure HTTPS in PMM Digest Only Mode.

  • Display the spam engine definitions timestamp on the System Health and Installed Version & Upgrades pages.

  • Spam headers are recorded in logs.

  • Sanitization and redaction of metadata in GIFs and PNGs.

  • Detect and inspect content in RAR5 archive files.

  • Content sanitization occurs regardless of the read-only flag in XMP data.

Fixes
  • Reports did not filter on parameters containing an underscore character "_". This issue was resolved and reports are displayed as expected.

  • The TRUSTmanager statistics on the System Health page have been updated to reflect the correct percentage for Good or Neutral reputations.

  • Messages sent to a recipient without a domain name were affected by this issue. This has now been resolved.

  • The Reset Statistics button on the System Health page now correctly resets TRUSTmanager statistics.

  • The "Only accept messages for these addresses" and "Reject messages from the following" options failed for invalid email addresses. This issue has been resolved.

  • Domain Keys Identified Mail (DKIM) signing intermittently caused the SMTP Outbound Transport service to fail. This has been resolved in this release.

  • The Gateway offered a limited set of ciphers and there was no customer-override available. If none of the Email Gateway ciphers were supported by the SFTP server, the SFTP option could not be used. This has been resolved in this release by replacing the low-security cipher.

  • When reprocessing the original or modified message, the reprocessing sometimes failed with a different error message than was given during processing the first time. Reprocessing will now give the same result given for initial processing.

  • If the connection was interrupted after issuing a DATA command but before a message is accepted or rejected, it was possible the message event wasn't recorded.

  • If a Detect Lexical Expression content rule was created to run against a Received: header, it did not detect the phrases specified in the lexical expression list. This was due to an error with the content rule and has now been fixed in this release.

April 2019

Version 4.10.0
New Features
  • Mail Domains and Routing enables you to add load balancing and failover hosts for message delivery.

  • The Gateway can now use Optical Character Recognition (OCR) to redact text in images.

Enhancements
  • Additional TLS information (version and cipher name) is now provided on inbound and outbound connections in Message Tracking and SMTP logs.

  • You can now add comments to SpamLogic whitelist entries, enabling you to identify them more easily.

  • You can now detect and sanitize URLs found in message subjects.

  • You can now detect and process High Efficiency Image File formats (HEIF and HEIC).

  • Sophos anti-virus has been upgraded to version 2.6.

  • Kaspersky anti-virus has been upgraded to version 8.8.

Fixes
  • If Manager Relationships were set to update through LDAP SSL, and the policy was applied to a peered Gateway, the SSL setting on the peer was incorrectly changed to false. Applying a policy to a peered Gateway no longer changes this setting.

  • A problem has been fixed where email addresses of the form 'abc@local' could not be used in the Identify function on the Mail Policy Routes page.

  • A problem has been fixed where Sanitize Active Content sometimes failed on PDF files held in 7z compressed files.

  • A number of defects involving PDFs have been fixed to improve usability.

  • In PMM portal, when users with full access to test another user mailbox created an additional mailbox, the mailbox was displaying incorrectly in PMM Portal, even though it was displayed correctly in the Gateway UI. Attempts to delete the mailbox were unsuccessful. This issue has now been fixed, and the shared mailbox is displayed correctly in PMM portal and can be correctly deleted, as necessary.

  • A problem has been fixed where the Memory Low and Memory Critical alarms failed to trigger correctly when configured in specific instances.

  • If you configured SMTP authentication without enabling mandatory TLS, a warning icon only displayed on the connection profile list. A warning message now also displays on the SMTP Authentication panel.

  • A problem has been fixed where DKIM signatures were not added to outgoing email, when configured to do so, for capitalized hosted domain names, for example CLEARSWIFT.com.

  • If a message subject line contained ASCII control characters (in the ASCII range 0 - 31), it sometimes caused viewing message tracking details on a remote peered gateway to fail. These control characters are now replaced with a space before the subject is added to the audit database.

  • A problem has been fixed where when a message was signed using a specific certificate, the micalg element of the ContentType header was incorrectly set.

  • A problem has been fixed where messages were incorrectly rejected if a sending address was whitelisted in SpamLogic but the server IP was listed in the Realtime Block List.

  • The performance of tracking data processing has been improved by the addition of a new database index. Previous issues with delays in processing audit data have now been fixed.

  • Occasionally, random lines in the transaction logs were truncated in the message subject. This caused issues for messages exported to management systems.

  • Postgres configuration settings have been increased to improve the performance of large queries, for example, when retrieving a list of a user's PMM messages.

  • The Gateway no longer offers the deprecated diffie-hellman-group1-sha1 cipher when connecting to an SFTP server for System Backup and Restore.

  • A problem has been fixed where configuring the Gateway using the installation wizard caused licenses to be marked invalid if you already selected the Turkish locale using the Server Console in specific circumstances. This is no longer the case, and you can now complete the configuration process.
