Secure Exchange Gateway
November 2023
Version 5.7.0
November 8, 2023
Fixes
- A number of security fixes have been applied to this version of Secure Exchange Gateway.
May 2023
Version 5.6.0
May 26, 2023
New Features
- A new What Else To Do? action, Copy to Message Area, has been added to the Detect Lexical Expression content rule.
- The OCR feature has been extended with QR code and barcode scanning. You can adjust your preferences under System > Gateway Settings > Policy Engine Settings.
Enhancements
- In accordance with the recent rebranding from HelpSystems to Fortra, changes have been applied to the user interface, including new product and company logos.
- The User Interface Service Access Log has been enhanced to include additional audit events, such as system reboots, configuration changes and admin user modifications.
- Properties of IRM protected documents can now be detected using the Analyze Properties content rule.
- Security improvements have been made in handling login attempts by users. The login screen now displays the same message whether the user is valid or not.
- Customizations to the Gateway Infrastructure service Memory allocation can now be maintained on upgrade.
Fixes
- The processing of steganography has been enhanced to improve the sanitization of TIFF files.
- Improvements in the OCR functionality allow images with a color depth of 64 bits to be analyzed with better accuracy.
- Improvements have been made in the handling of compound document files, such as DOC and MSG files, that result in fewer misclassifications as malformed data.
- Amendments have been made to the Manager Relationships updating process. The Manager Relationship Updater log is now written as intended.
- Analysis of PNG files has been improved to reduce instances of false-positive identification of malformed data.
- Adding an email address in the Add Address dialog no longer allows incorrect double quote strings as a valid local part.
- Improvements have been made in handling malformed TNEF messages, which results in fewer messages being held in the Problem Messages message area.
- RTF encoded HTML which contains active content can now be correctly sanitized using the Sanitize Active Content content rule.
- Text and word wrapping in the Gateway Branding page now works as intended on the login page.
- Amendments have been made to an issue where the Avira anti-virus scanner was left enabled on the peers, despite disabling it and applying that configuration to the peers.
- Under the Policy Summary tab, the rule description for Sophos message processing failures has been updated to include the name and UUID of the content rule.
- When running the Connectivity Test for SMTP servers, the results now correctly indicate when servers are "not in use".
- Improvements have been made in the Search Criteria panel when configuring an LDAP Synchronized List to enforce a DN setting for the list.
- PostgreSQL logging now uses the system time zone for new installations, instead of GMT.
- Amendments have been made to an issue where the Installation Wizard was not correctly displayed when hosted on a NIC Team or Bond.
- Amendments have been made to an issue where importing an Address List failed, consuming a large amount of CPU. Now the process, including domain validation, is carried out as intended with no CPU spikes.
- When PMM is operating in the Lite mode, the management task, Send user a manage trusted senders link, now works as intended.
- The Connectivity Test for SMTP Servers now checks the correct list of servers.
- Attachments with the "#" character in the file name are no longer renamed when downloaded from Held Messages.
- Amendments have been made to an issue where message processing failed with the error: Sophos AV Error 0xc21d0307, 127.0.0.1:4010, 30.
- The Ignore duplicate occurrences option in lexical expressions now works as intended, and counts a specific lexical expression only once when detected multiple times.
December 2022
Version 5.5.0
December 5, 2022
Enhancements
- MS Office formats have been split into CDA/XML format types so that you can specifically select one or the other in rules which have media type selection.
Fixes
- Python3 code has been updated to run with version 3.8. This resolves CVE-2021-3177. Note that the "python3" package may still be installed after upgrade and require manual removal.
- Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text has been upgraded to 1.10.0 where applicable to nullify this threat.
- A fix has been applied so that PDF files no longer cause memory exhaustion.
- A fix has been applied so that a Redact Text rule correctly redacts the selected text from a PDF.
- A fix has been applied so that TNEF messages display as expected after Active Content Sanitization.
- Fixed an issue in the 5.4.3 release where messages could fail to process when the "Log A Message" action was triggered.
- The possibility of creating a cross-site scripting (XSS) attack in the admin user interface using a maliciously crafted message tracking URL has been removed.
- Fixed an Export Reports issue where "Send to Me" would send the report to the administrator rather than the logged in user.
- It is now possible to use the "Detect Lexical Expression" rule to detect expressions in a From: header that is syntactically incorrect.
- Clearswift is committed to providing software that can perform in a secured Red Hat environment with a high overall STIG security score against the DISA STIG profile. Red Hat has released a new version of the scap-security-guide package v0.1.63 (https://access.redhat.com/errata/RHBA-2022:6576) on RHEL7, which contains an update to the DISA STIG profile to version V3R8. This new profile version introduces several additional requirements but was released too late for these to be factored into the Gateway v5.5 release. As a result, these will be observed as additional findings in any STIG evaluation report using this new profile. These extra findings do not represent a reduction in the security of the Gateway software but are additional configurations that could be implemented to improve the overall system security. However, remediating these rules without proper evaluation carries the risk that the enhanced protection they introduce may conflict with correct system operation. Clearswift will be working to evaluate these new rules to determine their impact on the system and will make modifications to the product to allow for automatic remediation in a future release.
July 2022
Version 5.4.3
July 15, 2022
Enhancements
- In the Detectable Types selection list within the Detect Lexical Expression, Detect Media Types and Redact Text content rules, support has been added for iCalendar. This means the Gateway can provide better deep content inspection of some types of meeting requests and calendars.
- The update URLs for Sophos Anti-Virus are now "https" rather than "http". For example, https://sav-update-1.clearswift.net/SOP64/sopupdates.txt
- Proactive Alerts have been modified to restrict any potentially sensitive information being sent to Clearswift via unsecured email. An ability to modify the message body of the Proactive Alerts emails has been introduced, so when working with customer support, and with communication over TLS, more diagnostic information can be sent. Please note that using the Proactive Alerts feature requires a license.
- Detailed logging is available from the Policy Enforcement service. Logging levels are configurable from System > Gateway Settings > Policy Engine Settings, and provide more assistance with problem investigations when required.
- When a message triggers multiple content rules in a policy route, the Policy Summary tab under Messages > Held Messages only displayed a filtered list of these rules, whereas all the triggered rules were listed under the Structure tab > PrimaryRules and SecondaryRules properties. Now, all the triggered content rules are listed under the Policy Summary tab, and the rule(s) which caused the message to be held are displayed in bold.
Fixes
- A fix has been applied to an issue where informs were not sent correctly if the Analyze Properties content rule was configured to detect multiple document properties, and to generate an inform.
- In PMM the Italian translation for "The message will be delivered shortly" has been corrected.
- A fix has been applied to an issue with Cockpit where Software Updates > Check for Updates could contain out-of-date information. Now, the caches are correctly cleared by clicking the Check for Updates button.
- A fix has been applied to an issue where SCOM server configuration in Cockpit could be lost after a product upgrade.
- A fix has been applied to an issue where the Gateway’s UI rejected an input of special characters which were eligible to be used for the local part of the email address.
December 2021
Version 5.4.2
December 21, 2021
- In response to the recent global security alert (CVE-2021-45105) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.
Version 5.4.1
December 17, 2021
Enhancements
- Management links in Informs now follow PMM configuration (HTTP/HTTPS).
- The product icon for Secure Exchange Gateway has been updated.
Fixes
- Some macro-enabled Visual Basic .xlsm files were failing to process and causing the message to be held as Malformed Data. This has now been resolved.
- Computer Graphics Metafile (CGM) files were not available in the Detectable Types selection list within the Detect media types content rule. This has now been resolved.
- If an FTP backup configuration is enabled, the password was previously held in plain text in the file /var/cs-gateway/diag/diag-config.xml. This is now encrypted.
- When configuring a Redact Text rule, for UK postcodes (which consist of multiple parts, e.g. AB1 0CD), only the first portion of the UK postcode was being redacted. This has now been fixed.
- It was previously not possible to sanitize active content for xlsm created in the recent version of M365. This has now been fixed.
- A fix has been applied so that when running a Connectivity Test for Avira, it no longer erroneously fails and shows servers as unavailable.
- Microsoft Project (.mpp) files were failing to process with errors. This has now been resolved.
- A fix has been applied to the Sanitize Active Content rule, whereby active content was being incorrectly detected.
- In response to the recent global security alerts (CVE-2021-44228 and CVE-2021-45046) on Apache Log4j, we have fixed the vulnerability on the affected versions of the Secure Gateway products.
September 2021
Version 5.4.0
September 27, 2021
New Features
- Enhanced protection is now included by checking the reputation of entered URLs against the Sophos Real-time Malicious URL List. This list contains up-to-date information of all known and emerging malware and is regularly updated to offer maximum security.
Enhancements
- For increased security, the PostgreSQL database has been upgraded from V9.6 to V13.3.
Fixes
- Listening on port 81 has been turned off and the port disabled.
- Unlicensed rules can now be deleted from a policy route.
- A fix has been applied so that when the gateway receives a connection from an unidentified host, it no longer causes a crash error.
- PDF files are now created correctly following steganography or text redaction changes.
- The search facility in the PMM portal now works as expected.
- It is no longer possible to add invalid IP addresses to a connection tab.
- The install process on systems with large RAM and hard disk capacities has been streamlined.
- The Clearswift product name is now clearly identified within Cockpit.
July 2021
Version 5.3.0
July 29, 2021
Enhancements
- An extra two rows have been added to the Product Information table on Cockpit Clearswift page to show whether Red Hat or Clearswift online updates are enabled.
Fixes
- Fixed an issue where the "Upgrade is available" alarm would never be raised if using a non-English system locale.
- If you change the gateway branding text and add multiple lines, they all display on a single line. This has now been fixed.
- Fixed an issue where new SCOM servers could not always be added in the "Monitoring Services" page in Cockpit.
- The 5.2 upgrade overwrote the keystore, reverting the custom UI certificate back to the Clearswift self-signed cert. This has now been fixed.
June 2021
Version 5.2.0
June 3, 2021
- PDF rendering has been improved, following steganography or redaction changes applied by the Gateway.
- XLSX files were being detected as active content when no active content was present. This has now been fixed.
- An Avira AV Error stating that not all file contents could be scanned has been resolved.
- Processing documents such as PDFs and RTFs has been improved, resulting in more efficient detection of active content.
- PDF detection and processing has been enhanced in this release to correct a number of issues, including the Gateway becoming unresponsive.
- You can now disable XLM macros from being detected by adding a configuration to the CDA and ZIP format managers. For more information, refer to the online help topic on Sanitization.
- The gdb and valgrind RPMs can now be removed after product installation. This should be performed using the yum utility in Cockpit Terminal. Please note that these will be automatically reinstalled upon every product upgrade, so the removal process will need to be repeated each time.
March 2021
Version 5.1.0
March 1, 2021
New Features
- PMM Portal users can add a domain to Trusted Senders so that messages from any email address in that domain are trusted. This is particularly useful for allowing recurring mail to be delivered, such as newsletters.
Enhancements
- Kaspersky anti-virus has been upgraded to version 8.9.
- Branding changes have been applied to the user interface including new product logos. SECURE Exchange Gateway is now Secure Exchange Gateway.
- Secure Exchange Gateway now has its own unique installation ISO and download location.
Fixes
- Static Hostnames can contain alias names of over 40 characters.
- An update to the Avira anti-virus engine has resolved a number of issues, including the detection of Eicar, and consistent use of downloaded definitions.
- Excel macro detection has been significantly improved in this release.
- A custom setting has been added to help FTP backups work more effectively.
September 2020
Version 5.0.0
September 08, 2020
New Features
- Red Hat Cockpit replaces server console for administrators. Cockpit is an integrated web interface used for managing your network configuration, software updates, and system management.
Enhancements
- This version of the Gateway runs on RHEL 7.8, enabling more accessible software updates, a number of technical improvements from RHEL 6, timely security fixes, and a more robust operating system.
- You can now use the Search text box at the top of a reference list to search for a particular entry within a list. This includes Lexical Expressions, Content Rules, Hosted Domains, Email Routing, and MTA Groups.
- Support for the SMBv1 protocol is no longer mandatory, due to security vulnerabilities. This version of the Clearswift SECURE Exchange Gateway still supports SMBv1, but SMBv2 will take precedence if available. The Gateway no longer requires a server to support SMBv1 in order to establish a connection.
- You can now configure a lexical expression to ignore any duplicates of a unique string that matches that expression. This reduces false positives, where a string might be repeated in a file or attachment.
- Detection of lexical expressions has been enhanced, so that the count of multiple matches is recorded per attachment or document.
- The user interface has been resized to be more responsive to screen-size. Additionally, sensitive terminology has been updated where possible, replacing slave/master with worker/controller in log files. Blacklists and whitelists are now referred to as block lists and allow lists respectively.
Fixes
- A weighted term now only counts once if it is repeated across multiple worksheets, if ‘Each expression may trigger only once for each part of the message’ is selected.
- UI access controls have been significantly updated and tightened, restricting permissions to the correctly privileged users.
- An admin account opening multiple tabs while logged in to the Gateway presented the risk of cross-site request forgery (CSRF) if a malicious page was open in a browser. This vulnerability has been resolved in this release.
- Only the Installation Wizard page is accessible if the Gateway has not been fully configured.
- The branding text appears on the login page, and was editable without authentication. This has been resolved in this release.
- The Kaspersky anti-virus engine now installs correctly.
- A failure to detect 'undisclosed-recipients:;' in the To: field when configured as a lexical expression has been resolved.
September 2020
Version 4.11.2
- The %localdate% token in a Message Area Release Notification could show the incorrect timestamp for messages sent from the local time zone.
- Occasionally, applying configuration could result in the loss of Message Tracking events relating to the delivery of the message.
- The Sanitize Message rule could fail to detect some formats of URL in HTML href links.
- The handling of attachments with incorrectly encoded filenames has been improved. It is now possible to inspect the held message.
- Where a message was processed on multiple policy routes, it was possible for the attachments of the message to be duplicated in the Message Transaction log.
- Various problems with message formats have been fixed in this release.
October 2019
Version 4.11.1
Enhancements
- Sanitization of URLs in documents.
- Improved security of PMM digest links.
- Improved searchability of Lexical Expressions, Email Addresses, and URL Lists.
Fixes
- Line breaks in Annotation Content written in plain text did not appear in emails received in Outlook.
- When configuring the Gateway using the installation wizard, licenses were marked as invalid if you selected the Turkish locale (tr_TR.UTF-8) with US keyboard settings and the time zone GMT+2, using the Server Console.
- When configuring an Active Directory forest, the credentials panel accepted an invalid user name if no password was entered. This caused Test Authentication to succeed without a specified password.
- In the Gateway, the ability to search for messages with an empty sender by specifying <> in the Sender field was not working.
- OCR extraction did not work on all images due to a problem with processing.
- If a Gateway was configured to Bounce Address Tag Validation (BATV) sign outbound messages, and the original sender requested a DSN (Delivery Status Notification), the DSN was incorrectly sent to the BATV address.
August 2019
Version 4.11.0
Enhancements
- Configure HTTPS in PMM Digest Only Mode.
- Sanitization and redaction of metadata in GIFs and PNGs.
- Detect and inspect content in RAR5 archive files.
- Content sanitization occurs regardless of the read-only flag in XMP data.
Fixes
- Reports did not filter on parameters containing an underscore character "_". This issue was resolved and reports are displayed as expected.
- The Gateway offered a limited set of ciphers and there was no customer-override available. If none of the Email Gateway ciphers were supported by the SFTP server, the SFTP option could not be used. This has been resolved in this release by replacing the low-security cipher.
- When reprocessing the original or modified message, the reprocessing sometimes failed with a different error message than was given during processing the first time. Reprocessing will now give the same result given for initial processing.
April 2019
Version 4.10.0
New Features
- Mail Domains and Routing enables you to add load balancing and failover hosts for message delivery.
- The Gateway can now use Optical Character Recognition (OCR) to redact text in images.
Enhancements
- Additional TLS information (version and cipher name) is now provided on inbound and outbound connections in Message Tracking and SMTP logs.
- You can now detect and process High Efficiency Image File formats (HEIF and HEIC).
- Sophos anti-virus has been upgraded to version 2.6.
- Kaspersky anti-virus has been upgraded to version 8.8.
Fixes
- A problem has been fixed where email addresses of the form 'abc@local' could not be used in the Identify function on the Mail Policy Routes page.
- A problem has been fixed where Sanitize Active Content sometimes failed on PDF files held in 7z compressed files.
- In PMM portal, when users with full access to test another user mailbox created an additional mailbox, the mailbox was displaying incorrectly in PMM Portal, even though it was displayed correctly in the Gateway UI. Attempts to delete the mailbox were unsuccessful. This issue has now been fixed, and the shared mailbox is displayed correctly in PMM portal and can be correctly deleted, as necessary.
- A problem has been fixed where the Memory Low and Memory Critical alarms failed to trigger correctly when configured in specific instances.
- The performance of tracking data processing has been improved by the addition of a new database index. Previous issues with delays in processing audit data have now been fixed.
- Occasionally, random lines in the transaction logs were truncated in the message subject. This caused issues for messages exported to management systems.
- Postgres configuration settings have been increased to improve the performance of large queries, for example, when retrieving a list of a user's PMM messages.