MDaemon Server v20.0 Release Notes

MDaemon 20.0.2 - September 22, 2020

SPECIAL CONSIDERATIONS

[16456] Hosted email options with MDaemon Private Cloud are now available. To learn more, please visit: http://www.altn.com/Products/MDaemon-Private-Cloud/.

FIXES

• [10307] fix to Webmail - compose text may have the wrong font size in Firefox
• [23858] fix to ActiveSync - high CPU and memory usage when syncing particular HTML messages
• [23928] fix to ActiveSync - error when accessing shared mail folders
• [23932] fix to MDRA - possible crash
• [23908] fix to Gateway Manager does not save changes after the first time Apply is clicked
• [23816] fix to Content Filter - HDR files not being deleted from CFilter\Temp automatically
• [23886] fix to Content Filter/AV/Spam Filter activities possibly not being logged on 64-bit installs
• [23889] fix to Outbreak Protection - MDOP header not being added to message before being moved to quarantine folder
• [23959] fix to distribution list/contact group downloaded via CardDAV is not displayed correctly in eM Client

MDaemon 20.0.1 - August 18, 2020

SPECIAL CONSIDERATIONS

[16827] The network resource access settings at Setup | Preferences | Windows Service now configure the MDaemon service (and the Remote Administration and XMPP Server services) to run as the specified account, instead of MDaemon running as SYSTEM and then it running specific processes and threads as that account. The installer will update the services to run as the specified account when updating to this version.

[23399] Because of changes to and deprecation of many settings in clamd.conf, the installer will now overwrite existing clamd.conf.  If you have customized your clamd.conf you may need to review and make changes to clamd.conf after installation.

CHANGES AND NEW FEATURES

• [23267] MDRA - Added the X-MDaemon-Deliver-To default header condition to Content Filter rule editor.
• [23369] Mobile theme - Added mini calendar in the left menu for jumping to dates.
• [23371] Mobile theme - Added side by side calendars for desktop sizes.
• [23387] Mobile theme - Added the ability to play audio file attachments in the message view.
• [23388] Mobile theme - Added ability to import an S/MIME certificate to a contact from a signed message.
• [23377] WorldClient and Mobile themes - Changed the "change password" page that shows up after login to highlight the Current Password.
• [23239] WorldClient and Mobile themes - Added the ability for users to view the password that they are typing as a means to confirm for themselves that they are typing it correctly.
• [23490] MDRA - Darkened the background color of the primary navigation menu to increase the contrast between it and the secondary menu.
• [23559] MDRA - Added an option to enable/disable the ability for users to view the password that they are typing under Main | Webmail Settings | Settings and Domain Manager | Edit | Webmail Settings.
• [23574] Clustering - When clustering is enabled MDaemon writes the machine's FQDN to the Received header instead of the domain's FQDN. The machine name is also included in the Subject of Queue Summary emails.
• [22627] DNS lookups using EDNS0 that fail with an "incorrect packet format" error are now retried without EDNS0. After enough of these failures, EDNS0 will be disabled.
• [23492] The VBR certification host "vbr.emailcertifcation.org" has been deprecated and removed from VBR settings.
• [22765] Antivirus - In Quarantine Queue, attachments that cannot be scanned or detected as containing macro will show "WARNING! attachment cannot be scanned ($ATTACHMENTFILENAME$)" and "WARNING! macro detected ($ATTACHMENTFILENAME$)".
• [23101] The default permissions for a domain's public contacts folders is now read-only instead of read/write. Existing permissions are not changed though so check the permissions on your folders and adjust them to your liking.
• [23663] When creating a new mailing list "Allow subscription requests" is disabled by default.
• [23789] ClamAV - Updated to version 0.102.4.

FIXES

• [23113] fix to Mobile theme - translations are not working in the calendar view
• [23186] fix to Mobile theme - "Back" navigation always takes users to the first page
• [22959] fix to Mobile theme - When using IIS, inline images do not show up in messages or drafts
• [23270] fix to LookOut theme - Settings pages are missing their titles
• [23397] fix to Webmail - If a user enters an optional password that is too long for a published calendar the request will not complete in a timely fashion
• [23399] fix to Antivirus - will now report ClamAV "Heuristics.Limits.Exceeded" as non-scan instead of a virus
• [23403] fix to SMTP screening logging saying "Dynamic screening"
• [23407] fix to Mobile theme - Unable to save start/end time values after editing autresponder
• [23167] fix to MDMigrator - Unable to import more than a single alias
• [23488] fix to Task Due Date set to a day in the future when using CalDAV Synchronizer
• [23491] fix to MDRA - Recipient Blacklist editor does not add items correctly if there's an entry with unmatched double quotes
• [23509] fix to Mobile theme - Contacts list stuck loading when all contacts selected
• [23554] fix to Mobile theme - date picker calendar not translated
• [23561] fix to Webmail - MDPGP results string has HTML tags enclosing the key id
• [23549] fix to Webmail - MDPGP options - subject may be overridden incorrectly
• [23545] fix to Outlook task assignment messages are corrupted by winmail.dat attachment extraction
• [23567] fix to MDRA - missing radio button at Security | AntiVirus | AntiVirus
• [23560] fix to MDRA - Dropbox Integration settings not saving
• [23432] fix to SSL/TLS session resumption does not work
• [23579] fix to meeting organizer's calendar item loses formatting and hyperlinks when an attendee accepts the meeting request
• [23596] fix to Mobile theme - Password Recovery screen will not allow password to be changed
• [21016] fix to Webmail - attachment filenames encoded according to RFC 2231 are not decoded
• [23601] fix to Mobile theme - From select field is missing in the Compose view
• [23600] fix to Mobile theme - Dates typed into date entry field revert to the previous value
• [23609] fix to Webmail - possible crash when importing iCalendar file into calendar
• [23633] fix to Dynamic Screening notifications about IPs blocked by SMTP Screen that are already on the blacklist
• [23626] fix to possible MDaemon.exe crash when generating DMARC aggregate reports
• [23635] fix to possible crash in WorldClient.dll
• [22290] fix to Webmail - When forwarding certain messages, cke_protected is added to the body
• [23648] fix to Webmail - Share Folder option missing when user has admin permissions but not edit permissions
• [23657] fix to deleted account may reappear in GroupWareUsers.dat when enabling MDaemon Connector for another account
• [23634] fix to MDRA - Location Screening - Unable to save Whitelist entries since Save button is unavailable
• [23573] fix to Mobile theme - Email templates show up with \\ at the end of each line
• [18461] fix to tray icon problems with config session - also added a 'Reset Tray Icon' to tray and Help menus which will stop the flashing and return status message to normal
• [23678] fix to the default domain's IP is used for all other domains
• [23676] fix to Mobile theme - User experience - Nothing to indicate that you have to enter your current password when changing the recovery email address
• [23677] fix to Mobile theme - Sign In button is not enabled until the password meets minimum length requirements
• [23686] fix to Mobile theme - Calendar list view is not translated
• [23685] fix to MDRA - The forwarding address field's max length is only 72 characters
• [23673] fix to Mobile theme - Forgot password page has "null" in the email address field
• [23451] fix to content filter possibly causing a message to go missing
• [23670] fix to messages in the Deferred queue with no To header are moved to the Bad queue
• [23654] fix to SPF "Maximum number of 'void' lookups" setting may not work properly
• [22815] fix to AV Updater proxy settings not written to freshclam.conf
• [23715] fix to AD Monitoring - A change in an AD account causes MultiPOP or Forwarding to be disabled
• [23730] fix to AD Monitoring issues when accounts are removed from a group
• [23717] fix to folder permissions may be changed when exporting to public address book
• [23688] fix to clustering replication may fail due to an unexpected error
• [23656] fix to Webmail - XSS vulnerabilities
• [23776] fix to MDRA - Domain missing in Domain Manager for domain admins
• [23777] fix to Webmail - Edge reveal icon displayed next to Webmail reveal icon in password fields
• [23780] fix to Mobile theme - Columns settings page may not load
• [23502] fix to XMPP server - server not sending user's presence back to them
• [23660] fix to non-ASCII characters in account administrator notes may be corrupted
• [23805] fix to possible crash in WorldClient.dll
• [23800] fix to ASMC - Mail item Add operations overwrite previously added message files
• [23786] fix to default autoresponder text (OutOfOffice.rsp) is not translated
• [23844] fix to contact and calendar items may fail to sync to the Outlook mobile app

MDaemon 20.0.0 - June 16, 2020

SPECIAL CONSIDERATIONS

[8930] Please carefully read the section in the full release notes labeled as task [8930] as it involves changes to the Active Directory integration system and you may find things that were broken in the past now starting to work. Please be aware of all changes made in that area and carefully read that section of these release notes.

[22733] MDaemon 20.0 requires Windows 7, Server 2008 R2, or newer.

[12190] Setup|Preferences|Miscellaneous has two new checkboxes that control whether system generated notification emails periodically sent to the Postmaster alias should also be sent to Global and Domain level administrators. By default, these options are both enabled. Domain administrators are restricted to receiving only those emails which are for their domain and the Release Notes. Global administrators receive everything including the Queue Summary report, Statistics report, Release Notes, 'No Such User' found (for all domains), Disk Error notifications, Account Freeze and Disable notifications for all domains (which, like Domain admins, they can unfreeze and re-enable), warnings about licenses and beta test versions about to expire, Spam Summary reports, and perhaps others as well. If you do not feel it appropriate for your administrators to receive these notifications you must disable these settings.

[22604] How autoresponders are stored has changed. The text for an accounts autoresponder is now stored as OOF.MRK within the account's DATA folder which is a new sub-folder inside the account's root mail folder. Autoresponder script files are no longer kept in the APP folder and they are not shared between accounts. When MDaemon starts for the first time it will migrate all existing autoresponder files and settings to the correct places for every account. The AUTORESP.DAT file is obsolete and will be deleted along with every account specific .RSP file (OutOfOffice.RSP and non-account specific files will remain for reference and sample purposes). If you wish to quickly assign a single autoresponder configuration to multiple accounts you can use the new Publish button found at Account Editor|Account Settings|Autoresponder. This button will copy the existing autoresponder script text and all settings for the current account to other accounts that you select. There is also a button at Accounts|Account Settings|Autoresponders|Settings that lets you edit the default autoresponder script (OutOfOffice.rsp). This default is copied into an accounts OOF.MRK if the OOF.MRK is missing or empty.

[22738] How account signature files are stored has changed. Signature files are now stored as SIGNATURE.MRK within the account's DATA folder which is a new sub-folder inside the account's root mail folder. When MDaemon starts for the first time it will migrate all existing signature files to the correct places for every account. The root MDaemon Signatures folder will no longer contain account specific signature files however it remains in place as it may still contain items needed by WebAdmin and the Content Filter. The original Signatures folder was backed up to \Backup\20.0.0a\Signatures\ prior to migration. Finally, every account's ADMINNOTES.MRK has been moved from the account's root mail folder to the new DATA sub-folder.

[8014] Security|Spam Filter|White List (automatic) has had the default value changed to disabled for the option '...only whitelist addresses that authenticate using DKIM'. Having this enabled turns out to be a little restrictive for many and prevents address book whitelisting from working for MultiPOP and DomainPOP mail. Re-enable the setting if this is not to your liking.

[22512] Setup|Preferences|UI 'Center all UI dialogs' has been reset to a default of 'enabled' for everybody. If you prefer otherwise you can disable it. This prevents screens from being created partially out of frame (which is better IMO) but it also makes multiple overlapping screens harder to select at times.

[22515] Security|Security Manager|Screening|Location Screening - The default for this feature has been changed from disabled to enabled. When Location Screening is enabled the connecting country/region will always be logged (if known) even when the particular country/region is not being actively blocked. So, even if you do not wish to block any country you can still enable Location Screening (without selecting any countries to block) so that country/region can be shown and logged. Since the default setting for this has changed upgraders should take a look at their Location Screening configuration for correctness. MDaemon will insert the header 'X-MDOrigin-Country' that lists the country and region for content filtering or other purposes.

[19910] The hard-coded fixed size limit of 2 MB for spam filter scans has been removed. There is now no theoretical limit to the size of a message that can be spam scanned. It is still possible to configure your own limit in case this is a problem but configuring 0 (zero) now means no limit. Additionally, the size limit has been converted from KB to MB and your existing value has been automatically converted or set to zero. You should check it at Security|Spam Filter|Settings and make sure this value is set how you want.

[21527] Added 'Sender Domain' and 'Recipient Domain' columns to the Queues screens in the main UI. As a result of this a one-time reset of saved column widths had to be done. Once you set the column widths to your liking they will be remembered.

[18617] By default now the Host Screen is applied to MSA connections. You can disable this at Security|Security Manager|Screening|Host Screen if you like.

[2356] By default MDaemon IMAP, WebMail, and ActiveSync servers no longer provide access to the shared folders of disabled accounts. You can change this with a new settings at Setup|Server Settings|Public & Shared Folders.

MAJOR NEW FEATURES

[14587] Clustering

MDaemon's new Cluster Service is designed to share your configuration between two or more MDaemon servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple MDaemon servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. More information on setting up MDaemon in a cluster can be found in the MDaemon Help file.

[17087] REQUIRETLS (RFC 8689)

The RequireTLS effort in IETF is finally finished. Support for this has been implemented. RequireTLS allows you to flag messages which MUST be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. For a complete description of RequireTLS see the RFC specification and especially the Abstract, Introduction, and Security Considerations sections.

RequireTLS is enabled by default. You can disable it with a new switch at Security|Security Manager|SSL & TLS|SMTP Extensions. It's fine to leave the service enabled. Only messages specifically flagged by a rule you must create using a new Content Filter action or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com) are subject to the RequireTLS process. All other messages are treated as if the service was disabled. Several requirements must occur before a message will be sent using RequireTLS. If certain of them fail the message will not be sent and will bounce back rather than be sent in the clear. The requirements are:

• RequireTLS must be enabled via the switch mentioned above
• The message must be flagged as needing the RequireTLS treatment
• DNS lookups for recipient MX hosts must use DNSSEC (see below), or the MX must be validated by MTA-STS (see [16696])
• The connection to the receiving host must use SSL (STARTTLS)
• The SSL certificate of the receiving host must match the MX host name and chain to a trusted CA
• The receiving mail server must support REQUIRETLS and say so in the EHLO response
• If any of these steps fail the message is not delivered and is bounced back to sender.

RequireTLS requires DNSSEC lookups of MX record hosts, or the MX must be validated by MTA-STS. You can configure DNSSEC at Security|Security Manager|SSL & TLS|DNSSEC by specifying criteria whereby lookups will request DNSSEC service. DNSSEC requires appropriately configured DNS servers which is your responsibility. MDaemon's IP Cache and MX Hosts files have been updated to accept DNSSEC assertions. There's a new checkbox at Setup|Server Settings|DNS & IPs|IP Cache and you'll find fresh instructions at the top of the MX Hosts file for how to take advantage of this.

RequireTLS is an important advance against several possible attacks on email security and we are proud to have been a participant in this effort. Hopefully in the coming year all mail systems will deploy this.

[18705] DOMAIN/COMPANY-WIDE MDPGP ENCRYPTION WITH A SINGLE KEY

MDPGP now supports encrypting messages between domains using a single encryption key for all users. For example, suppose 'Domain-a' and 'Domain-b' wish to encrypt all emails sent between them but do not wish to setup and police individual encryption keys for every user account within the domain. This can now be done as follows:

'Domain-a' and 'Domain-b' each provide the other with a public encryption key via any method they like. For example, they can email the keys to one another by right-clicking on an existing public key in the MDPGP UI and selecting 'Export & Email Key.' If they wish to create new keys dedicated for this purpose they can click the 'Create keys for a specific user' button and choose the '_Domain Key (domain.tld)_ <anybody@domain.tld>' item which has been put there for this purpose (although any key will work). Once each side has received the other's key they click the 'Import Domain's Key' button on the MDPGP UI and enter the domain name to which all emails will be encrypted using the provided key. The system does not create a key in the dropdown list for every one of your domains. You can use the key that is provided for all your domains or you can create domain specific keys yourself if you wish.

If either side already has a public key they wish to use and it is already on the key-ring they can right-click on the key in the MDPGP UI and select 'Set as a Domain's Key'.

Do not use a key for which you also have the corresponding private key. If you do, MDPGP will encrypt a message and then immediately see that the decryption key is known and promptly decrypt that very same message.

At this point MDPGP creates a Content Filter rule called 'Encrypt all mail to <domain>' which will invoke the encryption operation on every email sent to that domain. Using the Content Filter means that you can control this process by enabling or disabling the Content Filter rule. You can also tweak the rule to fine-tune the criteria you wish to employ before messages are encrypted (for example, maybe you want to do this same thing but for two domains or for only certain recipients within the domain). The Content Filter provides the flexibility to achieve this.

[18705 PART 2] ENCRYPTING OUTBOUND MAIL BASED ON RECEIVING IP

MDPGP has a new checkbox and setup button where you can map IP addresses to specific encryption keys. Any outbound SMTP session delivering a message to one of these IPs will first encrypt the message using the associated key just prior to transmission. If the message is already encrypted by some other key no work is done. This is useful (for example) in situations where you want to make sure all messages sent to certain key partners, suppliers, affiliates, etc are always encrypted.

[9745] MACROS FOR MAILING LIST MESSAGES

The Mailing List Editor|Routing screen has some new options which will allow for macros to be used within the message body of list posts. This will allow you (for example) to personalize each list message. Macros have been supported for a long time in list mail header and footer files but never the message body until now. Since the macros are related to individual list members this option is only compatible with lists that are configured to "Deliver list mail to each member individually." That's why these options are on the Routing screen. For security purposes (probably you don't want all list members to be able to use this) you can select a checkbox which requires that the list's password be provided or no macros will be expanded. The list password is an old setting and can be found on the Moderation screen. If you don't provide a password that means any list member with "Write" privileges will be able to submit a post with macros so I recommend using a password /or/ enabling this feature for lists that have all "Read-only" members but who knows, it's up to you really. Here are the current macros available for use:

• $LISTNAME$ - the name of the mailing list (ie.. md-beta)
• $LISTDOMAIN$ - the domain of the mailing list (ie.. mdaemon.com)
• $SENDER$ (or $POSTER$) - the email address of the person sending the message
• $EMAIL$ - the email address of the list member
• $FULLNAME$ - the full name of the list member (if available)
• $FIRSTNAME$ - the first name of the list member (if available)
• $LASTNAME$ - the last name of the list member (if available)

The list member name parsing code can handle "First Last" and "Last, First" formats OK.

[19572] IMPROVED HIJACK DETECTION SYSTEM

Security|Security Manager|Screening|Hijack Detection has been improved. There are some new controls which will cause MDaemon to count the number of times that an authenticated user tries to send an email to an invalid recipient. An invalid recipient is defined as a 5xx error code in response to a RCPT command when trying to send the user's mail. If too many of these errors occur within too short a time frame you can have MDaemon freeze the account (the postmaster will get an email about this and they can respond to re-enable the account). This is a powerful measure to protect against accounts who have had their passwords stolen and are blasting out spams. I'm assuming that most of the attempted spams will result in a "5xx User Unknown" error fairly often. This should help prevent hijacked accounts from doing too much damage.

As part of this work the From Header Modification controls had to be moved to their own screen to make room for the new hijack detection controls. The From Header Screening settings can now be found at Security|Security Manager|Screening|From Header Modification.

[22391] DEFERRED MESSAGE QUEUE AND IMPROVED MESSAGE RECALL

MDaemon now has a dedicated queue for deferred messages. Messages are deferred as part of the Message Recall and Deferred-Delivery header support. Previously, the INBOUND queue was clogged up with deferred messages slowing down the system from delivering non-deferred mail. You can see there is a Deferred queue listed with the other queues in the tool window now and there's a Deferred sub-tab of the Queues root-tab so you can inspect the content of the DEFERRED queue. Messages in the DEFERRED queue are placed there by the system and have the date they are set to leave the queue encoded into the file name. MDaemon checks the DEFERRED queue once per minute and when it's time for messages to leave the queue they are moved to the INBOUND queue and subject to normal message processing/delivery. Activity is logged to the Routing tab/log file.

The Message Recall system no longer requires any delay or time spent in the DEFERRED queue. So, you can set the delay time to 0 if you want. However, this risks the strong possibility of the message you want to recall being delivered so a delay of at least 1 or 2 minutes is recommended. Otherwise you give your users very little time to realize they want to recall, send the recall request, and have time left over for MDaemon to process the request. But, also consider that since the recall system is now able to remove recalled messages from the remote queue(s) where there might already be a delay it didn't seem necessary to force a second delivery delay by making you use the DEFERRED queue needlessly. However, if you have your MDaemon setup to immediately deliver everything that gets into the remote queue(s) the instant it arrives there then you should consider using a delay value (something besides 0); otherwise recall won't have time to remove mail from the remote queue(s).

MDaemon now tracks the Message-IDs of the most recent email sent by each authenticated local user. This means users can recall the last message they sent (but only the last message they sent) simply by putting RECALL (alone by itself) as the Subject in a message sent to the mdaemon@ system account. There is no need to find and paste the Message-ID of the message you want to recall when it is the last message sent that needs to be recalled. Recalling any other message still requires the Message-ID be included in the Subject text or the original message from the users SENT folder attached to the recall request.

In addition to remembering the most recent email sent by each authenticated user MDaemon also remembers the locations and Message-IDs of the last 1000 emails sent by all authenticated users. This completely eliminates any need to ever iterate across mail folder content which would be a prohibitive performance drain. There's a new control at Setup|Server Settings|Message Recall that will allow you to increase this 1000 value if you want (if you have a busy server). Recall attempts will fail if the message being recalled isn't within the last 1000 emails sent (or whatever value you set). This has made it possible to recall messages right out of user mailboxes even after they've been delivered. So, messages will disappear from user mail clients and phones if they are recalled.

Messages sent to multiple recipients will ALL be recalled by a single request. The Message Recall system does not work without the X-Authenticated-Sender header to provide security and keep others from recalling messages they did not originate. Therefore, the option to disable this header (found at Setup|Preferences|Headers) will be overridden if Message Recall is enabled.

[13710] AUTHENTICATION FAILURE LOG

The Security root-tab has a new sub-tab called 'Auth Failures' and there is a corresponding new log file. This tab/log will contain a single line with details on every SMTP, IMAP, and POP logon attempt that fails. The information includes the Protocol used, the SessionID so you can search other logs, the IP of the offender, the raw Logon value they tried to use (sometimes this is an alias), and the Account that matches the logon (or 'none' if no account matches).

You can right-click on a line in this tab and have the IP address of the offender added to the blacklist(s).

[4915] AUTHENTICATION WHEN FORWARDING / ROUTING MAIL

Several places in the code that forward messages have had authentication capability added. This means that several files in the \APP\ folder including forward.dat, gateways.dat, MDaemon.ini, all Mailing List .grp files, and possibly others now have the potential to contain obfuscated logon and password data in a very weakly encrypted state. The encryption is strong enough to defeat an over-the-shoulder glance but it is not strong enough to defeat hackers. As we always warn you, use the operating system tools at your command and any other measures to secure the MDaemon machine and directory structure from unauthorized access.

[4915] The Setup|Server Settings|Servers & Delivery|Unknown Mail screen has had new options added which let you specify an AUTH logon and password for use with the host value specified on that screen. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[9333] The Mailing List Editor|Routing screen has had new controls added which let you specify an AUTH logon and password for use with the host value specified on that screen.

[22385] The Gateway Manager|Forwarding screen has had new options added which let you specify an AUTH logon and password for use when forwarding a message to another domain/host. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[22413] The Gateway Manager|Dequeueing screen has had new options added which let you specify an AUTH logon and password for use when dequeueing mail to a remote domain/host/IP. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[22427] The Account Editor|Account Settings|Forwarding screen has had new options added which let you specify an AUTH logon and password for use when forwarding mail to a remote domain/host/IP. Also, the screen has been laid out differently and some text labels updated to better explain what some of these options do.

[17402] HOST AUTHENTICATION

Setup|Server Settings|Host Authentication is a new screen where you can configure port, logon, and password values for any host. When MDaemon sends SMTP mail to that host the associated credentials found here will be used. Please note that these credentials are a fallback and are only used when other more task specific credentials are unavailable. For example, if you configure a logon and password using the new Account Editor forwarding controls (see task 22427 above) or the new Gateway Manager|Dequeueing controls (see task 22413 above) or any of the many other task specific settings then those credentials are used and they supersede what is configured here. This feature works with host names only (not IPs). I was able to easily code for one or the other (for now) so host names are more user friendly. Also please note that the UI for this is simple and doesn't (please Lord) need complication.

Many years ago I added logon and password capability to the MXCACHE.DAT file as a quick-fix for customers with immediate needs. This remains in place however the logon and passwords in that file are unencrypted. You now have the same functionality with this new Host Authentication feature so you no longer need to hack the MXCACHE.DAT file. Host Authentication uses HostAuth.dat where logon and password data is encrypted (however weakly) and it has a UI so it's better than MXCACHE.DAT hacks. If you want you can manually edit HostAuth.dat with notepad and enter plain-text logon and password values (which MDaemon will encrypt for you). See the instructions at the top of HostAuth.dat for how to do it.

[4085] IMPROVED CUSTOM QUEUES AND MESSAGE ROUTING

Queues|Mail Queues|Custom Queues has been improved. You can now specify a host, logon, password, SMTP return-path, and port for any remote queue. If provided, all messages in the queue are delivered using these new settings. However, it still remains possible in some circumstances that individual messages within the queue might have their own unique delivery data and if so then that data takes priority over these new settings. This is by design and is not a mistake.

Now, the UI for this leaves something to be desired but it can't be improved right now. The UI does not (and will not) show logon and password data in the list-view. The UI cannot edit an existing entry (you must delete and recreate an entry to change it). The UI Add and Remove buttons do their work instantly - there is no pressing CANCEL to undo changes. If you make changes they are done. Please don't ask for a better UI because I can't do it. But these limitations are minor compared to the functionality gained. You can now setup as many remote queues as you want, filter mail into them using the Content Filter based on whatever criteria you choose, give to each queue its own delivery schedule, and have completely different routing take place based on your wishes.

[8504] IMPROVED DOMAIN SHARING

[16798] For some time Domain Sharing has performed lookups on SMTP MAIL sender values as needed. However, messages were often refused with 'Authentication Required' and yet there is no way authentication can be performed when the sender account resides on a different server. This has been addressed and MDaemon can accept mail from accounts that are found to exist on other servers without requiring authentication. This can be disabled with a new checkbox at Security|Security Manager|Sender Authentication|SMTP Authentication. If you would rather not perform Domain Sharing lookups on the SMTP MAIL sender at all you can completely disable that with a new checkbox at Setup|Server Settings|Domain Sharing. These checkboxes are enabled by default.

[8504] Setup|Server Settings|Domain Sharing has a new checkbox that enables sharing of mailing lists. When a message arrives for a mailing list a copy is created for each Domain Sharing host that also keeps a version of that list (a query is made to check). When these hosts receive their copies they will make delivery to all the members of that list which they serve. In this way mailing lists can be split across multiple servers with no loss in functionality. For this to work each Domain Sharing host must include the other hosts IPs in their Trusted IP configuration (Security|Security Manager|Security Settings|Trusted IPs). Otherwise list messages might be refused with a 'Sender is not a member of the list' type error.

[8723] Setup|Server Settings|Domain Sharing has a new Advanced button which opens a file where you can configure domain names that are allowed to use Domain Sharing. When nothing is in this file (the default condition) then all your domains can use Domain Sharing. See the instructions at the top of the file for more information.

[12628] IMPROVED CONTROL OVER MESSAGE FORWARDING

[12628] Setup|Preferences|Miscellaneous has a new checkbox that allows administrators to prevent account mail forwarding from sending emails outside the domain. If a user configures mail forwarding for their account to send to a foreign domain the message will be moved to the Bad Message queue. This setting only applies to messages that are forwarded using the mail forwarding options for the account.

[12791] The Account Editor|Forwarding tab has a new 'Schedule' button that will let accounts configure a schedule for when forwarding starts and stops. Also, this is included in the Account Templates as well. These settings configure the date and time forwarding starts and the date and time that it stops but forwarding will only happen on the days of the week you select.

[12927] The Forwarding Address field in the New Account Template now works with account macros. The only macros with data at the point of new account creation however are those related to the account user's full name, domain, mailbox, and password values. So (for example) if you want every new account to forward to the same email address but at a different domain you can put this in the Forwarding Address field: $MAILBOX$@otherdomain.com. Macros also work in the Send As, AUTH Logon, and AUTH Password fields (these are new) in case that is useful for you.

[12455] Forwarding a message now updates the forwarding account's last access time (ie the LastAccess=date gets updated in the account's hiwater.mrk file). This means that accounts which do nothing else but forward mail are no longer potentially deleted for inactivity. Note that forwarding must actually occur and not be defeated by other configuration options such as restrictions on where the forwarder can send mail or being 'off-schedule' (see 12791 in this document), etc. Just having a forwarding address configured will not automatically flag the account as active - the forwarding needs to actually happen.

[15076] IMPROVED SMTP AUTHENTICATION

[15076] & [15265] Security|Security Manager|Sender Authentication|SMTP Authentication has had two new options added. 'Do not allow authentication on the SMTP port' will completely disable AUTH support over the SMTP port. AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. Also, '...add their IP to the Dynamic Screen if they attempt it anyway' will add the IP address of any client that attempts to AUTH when AUTH is disabled to the Dynamic Screen. The connection will also be immediately terminated. These settings are useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.

[10458] IMPROVED ACCOUNT MANAGEMENT

[10458] The Account Manager has been improved. You can now select accounts that are enabled, or are using MultiPOP, or are near quota (70%), or are near quota (90%), or are not forwarding. You can also search the account description field for any text you want and select accounts based on that.

[14105] The Account Manager right-click menu has had new options added which let you add or remove all the selected accounts from or to mailing lists and groups.

[23083] The Account Manager right-click menu has a new option which lets you copy an existing account when creating a new account. All settings of the existing account are copied to the new account except Full Name, Mailbox, Password, and Mail Folder.

[11427] The Account Editor|Account Settings|IMAP Filters has a new button called Publish that adds the new rule to the account being edited and to every other account in that account's domain. This should save some time when a rule is needed for everybody. Also fixed a problem with the rule editor which was allowing duplicate rules to be added.

[9921] ENABLE 'DO NOT DISTURB' FOR ENTIRE DOMAIN

[9921] The Domain Manager|Host Name & IP screen has a new settings that lets you enable "Do Not Disturb" for a domain. When active the domain will refuse all connections from all users for all services but still accept messages from the outside world. You can schedule when 'Do Not Disturb' starts and stops. For example, if you configure April 1, 2020 to May 31, 2020 from 5:00pm to 7:00am, Monday thru Friday then this means that no mail services will be available for that domain's users on those days of the week beginning at 5:00pm and resuming at 7:01am so long as the current date falls between April 1 and May 31, 2020. Erasing the scheduled start date deactivates the schedule (and has the effect of putting the domain on 'Do Not Disturb' forever).

[22678] IMPROVED ARCHIVING

MDaemon's simple message archiving system has been changed to be more efficient and consistent. Setup|Server Settings|Archiving now does its work as follows: When a message is delivered from the Local Queue(s) to a user's mail folder an archive copy will be created at that time (in the 'IN' folder of the recipient if so configured). When a message is picked up from the Remote Queue(s) for SMTP delivery (whether delivery succeeds or not) an archive copy will be created at that time (in the 'OUT' folder of the sender if so configured). You will see lines like "ARCHIVE message: pgp5001000000172.msg" in the Routing log or you might see lines like "* Archived: (archives)\company.test\in\frank@company.test\arc5001000000023.msg" in the Routing log when Local and Remote mail is processed.

Mailing list traffic is never archived. Spam is never archived (the option to do so has been deprecated and removed from Setup|Server Settings|Archiving). Messages with viruses are never archived. System level messages are never archived and finally autoresponders are never archived.

A 'ToArchive' queue now exists as a system queue (not exposed in the UI). This queue is checked at regular intervals for messages which have been dropped there (manually, or by a plugin, or otherwise). When messages are found here they are immediately archived and deleted. If messages are found which are not eligible for archiving then they are simply deleted. The name of the queue is \MDaemon\Queues\ToArchive\. The Routing screen/log will show details whenever a message is successfully archived.

[20579] Archiving of encrypted messages is now handled more consistently. By default unencrypted copies of encrypted messages are stored in the archive. If a message can't be decrypted then the encrypted form will be stored instead (because what other choice is there?) If you would rather have encrypted versions stored then you can check a new checkbox at Setup|Server Settings|Archiving.

[22693] Setup|Server Settings|Archiving has an option to archive messages sent to public folder submission addresses. This is especially needed now that submissions addresses are not required to be an actual account on the server (see 12311 below). This option is enabled by default.

[15960] MORE EFFICIENT LOGGING

[15960] Setup|Server Settings|Logging|Settings screen ran out of room so some of the items had to be moved to a new screen called (drum roll please) Setup|Server Settings|Logging|More Settings. This was necessary as part of the task to prevent the creation of log files for items which have logging disabled. For example, if you disable 'Log SMTP activity' then there is no reason to create an empty SMTP log file. MDaemon no longer creates empty log files. When items are disabled on this screen their associated log file will not be created at all on startup. Log files that may already exist when an item is disabled are left in place (not removed). If a log file is missing when an item is enabled then the required log file will be created instantly. For example, if you have not been logging POP activity there will be no POP log file. If you then enable POP logging the required log file appears. From now on we do not carry around empty log files for services we don't use (or services we do use but don't care about logging). This change applies to all log files that the core MDaemon engine manages (which is most of them). Log files for Dynamic Screening, Instant Messaging, XMPP, WDaemon, and WebMail run external to MDaemon and haven't been updated so they behave as before. But, we are getting closer to perfecting the logging system. As a result of this work if you change the logging 'mode' option at Setup|Server Settings|Logging|Log Mode MDaemon must be restarted.

[22480] Several logging related changes such as making ATRN session logs look correct; making all logs consistent in colors and how they log Session and Child IDs; the MultiPOP server no longer tears-up and tears-down sessions for accounts that are already over quota and therefore there is no longer wasteful logging in these cases.

Also, the Router log was only logging INBOUND and LOCAL queue message parsing. It now also logs REMOTE queue parsing when delivery attempts are made. This way you don't have to search the Router log and the SMTP(out) logs to see when a message was processed.

[22617] IMPROVED ACTIVE DIRECTORY INTEGRATION

[8930] Use of Active Directory groups with MDaemon has been debugged and now works as expected. When you add someone to an Active Directory group they will be added to MDaemon. When you remove someone from an AD group their MDaemon account will be disabled (but not outright deleted - I'm relunctant to do that in a automated way as it results in the complete loss of account folders and mail data which I feel is something best left to an admin to do directly).

Within Active Directory adding a user to a group or adding a group to a user (either way) is not considered a change to the user (which MDaemon is looking for and needs) but it is considered a change to the group only. This fact caused me a lot of headaches. To solve this issue (in addition to a lot of new code) MDaemon needs a search filter that looks for changes to the group AND changes to users who are members of the group. The query for the group change is needed because MDaemon now tracks the 'members' attributes that are returned. The query for users who are members of the group is needed because that's where the user's data comes from. The group query doesn't return that.

So, to setup a proper search filter for a group called 'MyGroup' this will work:

(|(&(ObjectClass=group)(cn=MyGroup)) (&(objectClass=user)(objectCategory=person)(memberof=cn=MyGroup,ou=me,dc=domain,dc=com)))

Replace the 'ou=' and 'dc=' bits with something appropriate to your network.

There is still some room for improvement here during the v20 series but this is finally working correctly now (let's hope).

[12696] When you configure 'Alias=%proxyAddresses%' in ActiveDS.dat MDaemon will create an alias for every value returned by that attribute so long as it's an SMTP type address (X500 and other types are ignored).

[16403] Accounts|Account Settings|Active Directory|Authentication has a new control that lets you specify a separate (different) search filter for contact searches. Previously, contact searching was done using the user search filter. There's also a separate test button for the contact search filter. AD searches have been optimized so that when the search filters are identical a single query updates all data. When they are different two separate queries are necessary. The layout and labels on some of the controls on this screen had to be modified to make things fit. Also, the Page Size control was removed. It can still be manually altered if more than 1000 is needed.

[20853] The following fields have been added to the ActiveDS.dat file templates so that they are included in contact records when Active Directory monitoring creates/updates address books: abTitle=%personalTitle%, abMiddleName=%middleName%, abSuffix=%generationQualifier%, abBusPager=%pager%, abBusIPPhone=%ipPhone%, abBusFax=%FacsimileTelephoneNumber%. If these create problems for you or you don't want them included when contacts are created you can comment out these templates in ActiveDS.dat using notepad.

[6444] The ActiveDS.dat file [CharacterConvert] processing has been improved to allow single characters to be replaced with two characters (for example, ß will be converted to SS). Open ActiveDS.dat with notepad to see the default conversions that will be made. Also, conversion will take place on the Alias values (if any) as well as the Mailbox value by default.

[11729] Public folder contacts will now be deleted when the associated account is deleted from Active Directory. The contact is only deleted if it was created by the Active Directory integration feature. A new setting at Accounts|Account Settings| Active Directory|Monitoring lets you disable this if you wish.

[22617] When Active Directory monitoring system creates or updates an account and finds a mailbox value that is too long to fit in MDaemon's limited space for the mailbox value it will truncate the mailbox value as before but now it will also create an alias using the full size mailbox value. Also when accounts and aliases are created the accounts Administrator Notes data will be updated for auditing purposes.

[22578] List Manager|Active Directory 'Test these settings' button result text was setup for localization. The results will also display the Base DN used for the test.

[22661] List Manager|Active Directory now allows you to enter an AD attribute for the full name field of list members. You can still specify only an email address AD attribute if you wish but to also fetch full name values for list members setup the AD attribute like this: 'displayName, Email' rather than just 'Email'. The first attribute specified should point to the AD attribute where the full name resides (usually that will be 'displayName'). The second is the email attribute.

[22589] Text which appears in the Active Directory screen/log is now setup for localization and colors added.

[22657] MDaemon no longer creates an account for an AD group object. Previously, when a search filter included an AD group MDaemon would create an account for that group. But what's really in mind here is to create accounts for members of an AD group and not for the AD group object itself - which lacks several properties necessary for a proper MDaemon account anyway.

[23019] Changes to account properties in Active Directory can trigger the recreation of that same account within MDaemon even when the account had previously been deleted using the MDaemon GUI (or web administration). To keep accounts from being recreated in this way a new checkbox has been added to Accounts|Account Settings|Active Directory|Monitoring. The checkbox is enabled by default (don't recreate accounts deleted using the GUI).

[22613] IMPROVED FROM HEADER SCREENING

[22613] 'From Header Modification' has been renamed 'From Header Screening' and some new features have been added. Security|Security Manager|Screening|From Header Screening has a new checkbox that will check 'From' header display-names for anything that looks like an email address. If one is found and it does not match the actual email address then it is replaced with the actual email address. For example, if the 'From:' header looks like this: From: "Frank Thomas <friend@friend.com>" <enemy@enemy.com> then it will get changed to this: From: "Frank Thomas <enemy@enemy.com>" <enemy@enemy.com>. This option is disabled by default. Also, there's a new checkbox to apply all the settings on this screen to non-authenticated mail only. As before, only messages to local users are eligible for these settings.

[21601] CHECK FOR COMPROMISED PASSWORDS

MDaemon can check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service. If a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the password before and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks. Unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.

At Accounts | Account Settings | Other | Passwords, MDaemon has an option to not allow an account's password to be set to one that is found in the list. It can also check a user's password every so many days when they log in, and if it is found, send a warning email to the user and postmaster. The warning emails can be customized by editing message template files in the \MDaemon\App folder. Since instructions for how a user should change their password may depend on whether the account is using a password stored in MDaemon or using Active Directory authentication, there are two template files, CompromisedPasswordMD.dat and CompromisedPasswordAD.dat. Macros can be used to personalize the message, change the subject, change the recipients, etc.

[16696] SMTP MTA-STS (RFC 8461) - STRICT TRANSPORT SECURITY

The MTA-STS effort in the IETF has finished. Support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS is enabled by default. It can be disabled at Security|Security Manager|SSL & TLS|SMTP Extensions.

To set up MTA-STS for your own domain, you will need a MTA-STS policy file that can be downloaded via HTTPS from the URL https://mta-sts.domain.tld/.well-known/mta-sts.txt, where "domain.tld" is your domain name. The policy text file should contain lines in the following format:

version: STSv1
mode: testing
mx: mail.domain.tld
max_age: 86400

Mode can be "none", "testing", or "enforce". There should be an "mx" line for each of your MX hostnames. A wildcard can be used for subdomains, such as "*.domain.tld". Max age is in seconds. Common values are 86400 (1 day) and 604800 (1 week).

Also needed is a DNS TXT record at _mta-sts.domain.tld, where "domain.tld" is your domain name. It must have a value in the format:

v=STSv1; id=20200206T010101;

The value for "id" must be changed every time the policy file is changed. It is common to use a timestamp for the id.

[21595] SMTP TLS Reporting (RFC 8460)

TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, MDaemon will send a report daily to each STS-enabled domain that it has sent (or attempted to send) mail to that day.

TLS Reporting is disabled by default. It can be enabled at Security|Security Manager|SSL & TLS|SMTP Extensions. Also make sure DKIM signing is enabled (at Security|Security Manager|Sender Authentication|DKIM signing) because TLS Reporting emails are supposed to be signed.

To set up TLS Reporting for your domain, you must create a DNS TXT record at _smtp._tls.domain.tld, where "domain.tld" is your domain name, with a value in the format:

v=TLSRPTv1; rua=mailto:mailbox@domain.tld

Where mailbox@domain.tld is the email address you want reports for your domain to be sent.

CHANGES AND NEW FEATURES

MDPGP

• [22710] MDPGP decrypt operation is no longer limited to using the recipient's key to decrypt blocks. If the encryption was performed by a different key and MDPGP knows that key then the block will be decrypted.
• [22713] MDPGP no longer logs decryption or verification failures due to not having the necessary key (unless debug logging is enabled).
• [22806] MDPGP right-click menu text updated to better explain what options are for and what they do.
• [22823] MDPGP no longer wastes cycles/logs/headers immediately verifying signatures that it itself just finished calculating and inserting unless there is a local recipient of the signed message found.
• [17877] The Content Filter has a new 'Sign with user's private key' action.
• [22929] MDPGP encrypt/decrypt/sign/verify operations will happen even when MDPGP (or individual services themselves) are disabled if the operations are invoked via a content filter rule, the command line utility, or the IP-to-Key mapping system (see 18705).
• [23289] MDPGP will not include version identifiers within encrypted and/or signed message bodies if the option to hide version information is enabled at Setup|Preferences|Headers.

USER INTERFACE

• [22634] The layout of the Setup|Server Settings|Server Settings screen has been changed to add some sub-node groupings. It was becoming a giant catch-all.
• [20211] When editing a mailing list the account picker object will pre-select existing local members and will remove de-selected local members.
• [22349] UI was updated to add a few toolbar buttons, group menu items, and fix several small annoying things.
• [22393] The Mail|MDaemon tab now uses the color system (yellow means valid command found, red otherwise).
• [22415] The 'ETRN requests require authenticated sessions' checkbox was moved from Gateway Manager|Settings to Gateway Manager|Dequeueing where the rest of the ETRN related options are located.
• [14448] Each queue tab in the UI will remember its own sort order and column widths.
• [19238] Tab key will navigate between the tool window and the tab windows in the main UI. Pressing space on a tool window node will toggle expand and collapse states. Use the left and right arrow keys to move through tabs.
• [22491] Setup|Server Settings|Servers & Delivery|Sessions 'Limit simultaneous connections by IP to' was renamed 'Maximum simultaneous connections from any single IP'.
• [19983] Added separator bar to Account Editor|MultiPOP screen to help indicate that the bottom two options on that screen apply to all MultiPOP entries.
• [15200] Copy buttons have been added to the Domain Manager, Gateway Manager, List Manager, Groups Manager, and Templates Manager which let you copy the settings of the currently selected item into a newly created item. The only setting not replicated is the mail folder of a new Gateway because that must be specific to the new Gateway.
• [22585] Re-worked code which was needlessly updating UI elements when running as a service.
• [22565] The Account Editor|Administrative Notes edit box where an admin can enter notes about an account has been moved to the Account Editor|Administrative Roles screen.
• [18729] Updated text of warning message that appears when deleting a DKIM selector.
• [22770] Added colors to DKIM log/screen. Orange for signing, green for verifying, red for errors.
• [22633] The Domain Manager no longer auto-expands all the domain nodes anymore. This was creating difficulty getting at a certain domain when many exist. Only the first domain root node is expanded.
• [8249] The Account Editor|Settings screen has a new button that shows you all the shared folders the account has access to.
• [23115] Some key MDaemon UI screens are now restricted to a single instance of it at a time.

SECURITY

• [10324] Security|Security Manager|Security Manager|Reverse Lookups - previously there was a single white list for all the functions on this screen. This single white list covered PTR, EHLO, and MAIL reverse lookups. Now there are three white lists - one for each function. The old single white list now serves only for PTR lookups. New white lists serve the EHLO and MAIL lookup functions. The old single white list was copied into the two new white lists so that existing behavior is preserved. However, the old white list which now serves only the PTR function may still contain domain and host names. These serve no purpose for PTR lookups. Keeping them in the file is OK but they are just wasting space. I don't have a good routine to remove them safely so I left them in there (no harm done). You can use the PTR White List button and remove them from the PTR white list when you have time.
• [14345] Account Editor|Mail Services has a new setting that allows you to restrict SMTP access to LAN IPs only (Security|Security Manager|Other|LAN IPs). This way you can prevent accounts from sending mail unless they are connected to your network. If the account tries to send mail from an outside IP the connection will be refused and dropped. This also works fine with account templates.
• [14772] Security|Security Manager|Screening|Sender Blacklist 'Delete messages sent from blacklisted senders (otherwise, put in bad queue)' now applies to MultiPOP and DomainPOP collected mail (and really any blacklisted mail that somehow finds its way into the local or remote queue(s)).
• [22422] Security|Security Manager|Screening|Sender Blacklist option to notify senders that their message was refused has been deprecated and removed. I found out that it was actually spamming postmasters and not senders. I don't want to do either of those things. This change made the files Refusal.rsp and LocOnly.rsp obsolete (no code uses them so they have been removed). As part of this work the SetupPreferences|Miscellaneous 'Delete messages sent from blacklisted senders (otherwise, put in bad queue)' was moved to Security|Security Manager|Screening|Sender Blacklist.
• [22358] Setup|Preferences|UI has a new checkbox that governs whether the Subject: line data is shown in MDaemon UI tabs and written into log files. To preserve existing behavior the setting is enabled by default (show/log the Subject: data). Note that the Subject: line can contain information the sender of a message would not wish to display and wouldn't want tracked into log files. Disabling this switch is strongly recommended. Also, mailing lists can have a password which users place in the Subject: line. I don't have a good way at present to strip this password out before it is shown and logged by the UI (it is stripped out before list messages are sent to members) so if you have mailing lists that use a password you should disable this switch.
• [20820] Account restrictions on inbound mail are no longer defeated by a 'From:' header address that is missing the @domain.com bit. Previously such addresses were treated as if sent from the default domain. Also, RFC message compliance checks on inbound SMTP will refuse as illegal any message that has a 'From:' header address missing its @domain.com bit.
• [20382] SMTP connections refused by the IP/Dynamic Screen mechanisms now reply with code 530 (was code 421).
• [22524] Setup|Server Settings|Servers & Delivery|Sessions has two new checkboxes which allow you to control whether or not Trusted IPs and/or Reserved IPs are included when the 'Limit simultaneous connections to any single IP' is calculated. The default is to not count them.
• [22619] The default key bit size when MDaemon creates RSA keys (DKIM, BATV, etc) was changed from 1024 to 2048. The dns_readme.txt file generated when creating DKIM keys has been updated with additional instructions related to use of longer keys.

MESSAGE PROCESSING/QUEUES

• [19681] Queues|Mail Queues|Retry Queue has a new setting where you can put a number of minutes to delay subsequent message delivery attempts following an SMTP temporary (4xx) error. This solves a problem where MDaemon was trying to deliver the same messages over and over again too quickly. With this new change the next delivery attempt on the message is delayed a number of minutes which greatly increases processing efficiency and reduces log waste. The default is to delay the next attempt for 3 minutes but you can change it to what you prefer (or to zero to disable it). Delayed messages will sit in the RemoteQ as before but will be ignored by the message spooling code during the delay. If a message comes off a delay and again experiences an SMTP temporary error it will again be delayed the configured number of minutes.
• [22698] The Gateway Editor|Domain screen has a new option that makes the gateway use the retry queue mechanism when delivering mail. This is disabled by default meaning that gateway mail will be held in the gateway folder forever - even if it can't be delivered. In the past there was a secret global setting that forced all gateways to use the retry queue (or not). This is now a per-gateway option and the secret setting is gone. Please check your gateways and configure how you like.
• [19489] If a temporary DNS error occurs during A record processing messages will no longer be immediately bounced. Instead, they will remain queued for later delivery and bounced according to queue lifetime limits.
• [22609] By default MDaemon will now attempt delivery to every A record for each MX host on errors or failures. Sometimes an MX will have multiple A records configured in DNS and MDaemon was only picking one at random and trying to connect and delivery to it. If this failed for any reason (there are lots of reasons) then MDaemon simply gave up on that MX host entirely and moved on. Now MDaemon will attempt each of the remaining A records (randomly) and only move on to the next MX if all of them fail. If for some reason this causes a problem for you it can be disabled via a new switch at Setup|Server Settings|Servers & Delivery|Sessions.
• [22615] In support of 22609 the MX Cache and Windows Hosts file editors have been converted to use MDaemon's internal file editor object rather than Notepad and both files are kept in memory now rather than read from the disk all the time. Internal functions that read the IP Cache and Windows Hosts files now honor all IPs that match the host you're looking for (in support of 22609) and multiple IPs to the same host are supported everywhere.
• [22863] The IP Cache and its white list data are kept in memory now rather than read from disk so often.
• [22895] The IP Cache white list file now accepts wild-cards and CIDR notation when entering host names and IP addresses.
• [22828] The custom queues UI and system allows queues to be created and placed under the MDaemon root queue folder now at all times.

MAILING LISTS

• [15295] Mailing list membership and Sender Blacklist checks will be performed when each RCPT command is received. In the past these checks were only being performed after the DATA and message body were received. Making this change will improve deliverability of multi-RCPT messages when one (or more) RCPT values are rejected.
• [21132] The Mailing List Manager|Subscription screen has two new settings which (1) cause the list processor to ignore subscription requests unless they come from a member of the same domain as the list itself and (2) cause the list processor to ignore subscription requests unless they come from a member of any local domain on the MDaemon server. Subscription requests from other domains are ignored when these options are set.
• [20457] The Mailing List Editor|Headers screen has a new checkbox which causes the 'From' header to be replaced with the list's name and email address.
• [13690] The Mailing List Editor|Members screen no longer automatically sorts list members when its created. Customers report that doing so ruins sort orders that they need and have already performed. You can still change the sort order by clicking the column headers. Also, UP and DOWN buttons have been added and you can multi-select members to move around as needed.
• [22596] Mailing List reminder emails are now sent using the list's SMTP bounce-back address as reverse-path (if there is one) rather than always sending with NULL reverse path. This prevents problems with message rejection due to BATV policies.
• [22603] The 'From' header on mailing list reminder emails changed to this form: '\"MDaemon at fqdn (MDaemon@domain.tld)\" <noreply@domain.tld>" to avoid triggering autoresponders.
• [10518] The content of a file called UnSubUser.dat (if it exists) will be appended to the email sent to users when they unsubscribe from lists.

MESSAGE DEQUEUEING

• [18143] Setup|Server Settings|Dequeuing (formerly called Mail Release) has been placed under the control of the Domain Manager which means that you will now find per-domain settings for dequeueing inside the Domain Manager. Even though many dequeue sessions are now possible they will all happen according to the same "do dequeue every X times remote mail is processed" mechanism from previous versions. That still works fine. All dequeue sessions must complete before the next round of them can occur. I think in some future version this might be put on its own schedule.

LOCALIZATION

• [21010] The 'No Such User' email that is (depending on configuration) generated when an email arrives for a non-existing user has been localized. Remember that you can control the content of this email by creating a file called NoShUser.dat in the \MDaemon\App\ folder if you ever want custom text sent.
• [12160] Went through the code and setup every MDaemon system-generated message to accept localized text.
• [22583] Many strings used by the Minger server were setup for localization.

QUOTA SYSTEM

• [8546] All macros related to user accounts (ie.. $EMAIL$, $MAILBOX$, $DOMAIN$, etc..) can now be used in the NearQuota.dat file. This is the file that is put into user mailboxes when they are getting close to being over quota limits.
• [17880] When a 'Near Quota' warning email message is place into a user's INBOX the system log will be updated to say so. The log isn't updated if the warning message already exists in the users INBOX and is just being updated. This way users can't delete the warning and say they never got it. If the log is updated over and over you know that the user is deleting the warning and possibly ignoring it.
• [22533] In the past cached quota values were only reset if the daily quota report was being generated and sent out. Now cached quota values are always reset as part of the daily maintenance routine if you enable this with a new switch at Accounts|Account Settings|Other|Quotas (default is disabled).

MINGER

• [20328] Straightened out the problems with Minger results on over quota accounts. Minger queries are supposed to exhibit the same behavior that the SMTP server code itself would do in relation to over quota accounts. 1. Minger query will result in an 'account disabled' response code when the following conditions are met (all of them): (a) the account is over quota and (b) the over quota account is provided to the SMTP server in the MAIL command and (c) Accounts|Account Settings|Other|Quotas 'Refuse outgoing messages sent from over quota accounts' is checked. In this case the account is trying to originate mail and they cannot because they are over quota. 2. Minger query will result in an 'account disabled' response code when (a) the account is over quota and (b) the over quota account is provided to the SMTP server in the RCPT command and (c) Accounts|Account Settings|Other|Quotas 'Refuse incoming messages sent to over quota accounts' is checked. In this case someone is trying to send a message to the over quota account and that is not allowed. I had thought about adding a new response code to specifically indicate an over quota condition but this creates interoperability problems between versions.

PUBLIC & SHARED FOLDERS

• [7983] Setup|Server Settings|Public & Shared Folders has a new checkbox where you can set whether you want disabled accounts to be removed from the domain's public contacts folder and re-added back when re-enabled. This option is enabled by default to prevent disabled accounts from showing up in WebMail's auto-complete system.
• [12311] The requirement that a public folder's submission address be a valid existing account has been removed. The address must be local but doesn't have to be an existing account. The SMTP server will accept it.

GROUPS & TEMPLATES

• [18942] In previous versions Groups could apply Templates and Templates could apply Groups. This was creating some crazy logic and preventing controls from acting how you'd expect. It also setup a sort of race condition where things were turning on and off other things and it was just confusing as hell. Starting now Groups can apply Templates but only the New Account Defaults template can apply Groups. Since the only way to apply a Template is with a Group anyway there is nothing gained by having Templates that apply Groups (except for the New Account Defaults template).

LOGGING

• [22701] MDaemon will add a line to log saying that no options were enabled to deal with unknown user mail rather than just deleting the message silently without saying anything when this is the case.
• [22679] As part of the midnight cleanup event MDaemon will write the names and email addresses of every account deleted that day to the day's system log. This way all deleted accounts all appear together in one place for log searching (search the system log for 'Accounts deleted today'). MDaemon still logs individual account deletions in real time to system log as before.
• [8296] The IMAP session log will include "* Message <file.msg> deleted" for tracking purposes.

WEBMAIL

• [22297] Mobile theme - Added a radio button to indicate which note color is being selected for notes in the note list.
• [22660] Mobile theme - Added PIM Attachments for Events, Contacts, Tasks, and Notes.
• [22711] Mobile theme - Added the contact picture to the contact edit view.
• [22659] Mobile theme - Added sub navbar for Contacts, Tasks, Notes, and Documents views for Desktop browser sizes.
• [22740] Mobile theme - Added external popout view/edit windows for Events, Contacts, Tasks, and Notes for Desktop browser sizes.
• [22751] Mobile theme - Moved the settings navbar view links to the left side of the view for Desktop browser sizes.
• [22494] Mobile theme - Added a confirmation dialog when deleting a message attachment.
• [22658] Mobile theme - Added a dialog for increasing or decreasing the message list density, and moved the message preview position to the same dialog.
• [22568] Mobile theme - Added an advanced search option to the message list.
• [22570] Mobile theme - Added ability to search all folders or search all sub folders in message list advanced search.
• [22768] Mobile theme - Added auto complete support for email addresses in the compose view.
• [23161] Webmail - The X-Mailer header of generated messages no longer includes the version when MDaemon's "Hide software version identification ..." option is enabled.

REMOTE ADMINISTRATION

• [22869] MDRA - Added DNSSEC page and RequireTLS option.
• [22211] MDRA - No longer require users to expand ActiveSync under Mobile Devices to get the ActiveSync sub menu, because ActiveSync is the only item under Mobile Devices.
• [22874] MDRA - Updated Mail List editor settings to match the MDaemon GUI.
• [22992] MDRA - Added the Custom Queues dialog at Setup | Mail Queues/DSN | Custom Queues.
• [22875] MDRA - Added the Authentication and Monitoring pages under Setup | Active Directory.
• [23062] MDRA - Added RequireTLS, Sign, Encrypt, and Decrypt actions to Security | Content Filter.

OTHER

• [22736] LetsEncrypt: Added a -Staging switch that can be passed on the command line so the LetsEncrypt staging system can be easily used for testing instead of the live system.
• [21419] Mail session ID values were increased to 8 digits so they roll-over less often.
• [22309] Improved shutdown process to better inform as to the steps and order of operations being performed.
• [22700] Some internal code re-factoring was done to keep Gateway data in memory rather than going to disk for it all all the time.
• [20009] Removed code which was needlessly referencing obsolete Standard/Lite versions.
• [8200] Greatly increased speed of account delete operation when there are public folders with large numbers of messages in them.
• [6408] MDStats (Queue and Stats Manager) no longer automatically loads the mail and folder content of the first user when you select 'User Folders'. This avoids needless cycles and frustration especially when the first user isn't the one you are wanting to look at (making you wait for no reason).
• [7854] Setup|Server Settings|DomainPOP|Parsing has a new checkbox which disables the sending of warning emails to postmaster when no addresses are found by the parsing process.
• [22482] Security|Spam Filter|DNS-BL|Settings has a new checkbox to exempt DNS-BL lookups from taking place on mail collected over ATRN dequeue sessions. This setting is disabled by default but you can enable it if your smart-host is perhaps already doing DNS-BL checks on your stored mail.
• [9866] Added $FROM$, $FROMDOMAIN$, and $FROMMAILBOX$ macros for use with certain content filter actions which honor macros. These always expand to the email address found in the 'From' header and are therefore different from $SENDER$, $SENDERDOMAIN$, and $SENDERMAILBOX$ which prefer the email address found in the 'Sender' header (when present).
• [22964] Reduced disk I/O in message parsing routine.
• [22836] AVUpdater - Cyren AV updater verifies the server URL with the SSL certificate when using HTTPS.
• [23347] ClamAV - Updated to version 0.102.2.
• [22975] Antivirus - Added the ability to choose what time mailbox virus scanning runs.
• [23085] The MDHealthCheck.exe tool and associated files have been deprecated and removed. We will be adding Recommended links within MDRA for this in the future.
• [23152] When reading the DNS servers from Windows, MDaemon ignores the deprecated IPv6 site-local default addresses (fec0:0:0:ffff::1 - fec0:0:0:ffff::3).
• [20892] ActiveSync PIM validation will add a modification timestamp to items that are missing one.
• [23178] Updated MDaemon Connector to version 6.5.2.
• [15897] Messages sent to disabled accounts by ActiveSync clients will generate a DSN now.

FIXES

• [22389] fix to Routing log not logging correct or complete file creation data for routed mailing lists
• [22409] fix to some non-localized data in Routing log (there's probably lots more still to fix)
• [22441] fix to Queues tab / Remote and Local sub-tabs not showing custom queue content
• [17587] fix to account editor not enabling mail services properly at times
• [17822] fix to alias editor losing items - to edit an item do a slow double-click on it
• [17726] fix to several problems with MultiPOP collected mail with accounts at or near quota limits
• [18803] fix to RelayFax fax path permitting invalid or non-existing directories
• [18461] fix to tray icon problems with config session - also added a 'Reset Tray Icon' to tray and Help menus which will stop the flashing and return status message to normal
• [22469] fix to secondary DNS servers not tried following an MX lookup 'server is having technical problems' error
• [17054] fix to Outbreak Protection changes made via Remote Admin not taking immediate effect
• [22480] fix to ATRN session code sometimes ending as if an error occurred when technically it didn't
• [19668] fix to ATRN messages refused with 'Authentication Required' when the 'AUTH must match address in 'From:' header' option enabled
• [22481] fix to Gateway rename operation not moving and renaming the Gateway's mail folder
• [14223] fix to Bayesian learning system not working on some OS flavors due to long file name troubles
• [19824] fix to RelayFax properties screen accepting invalid email addresses
• [22509] fix to never being able to get off an autoresponder schedule once you start one. Also added text to the UI to explain that wiping the schedule start-date deactivates the schedule. Also fixed several problems related to warning being given when they shouldn't and warnings not given when they should
• [22511] fix to account delete operation not updating groupwareusers.dat file immediately
• [17066] fix to forwarding unknown local mail not deleting original when configured to do so
• [22544] fix to moderated list submissions refused when sent from an alias
• [22555] fix to log files not writing data to disk from time to time
• [20704] fix to content filter COPY TO action not working with mailing lists at times
• [22582] fix to several data types being logged even when disabled in log settings
• [22590] fix to screen flashing/flickering when deleting large numbers of users at once
• [22611] fix to SMTP server accepting RCPT with a comma in it only to have mangled and not delivered properly later
• [22614] fix to MDaemon rejecting as invalid a local-part with 'forbidden' characters even in quoted-string form (which makes them NOT 'forbidden')
• [22616] fix to possible 'IP=IP for X minutes' wastefully added to IPCache.dat file by auto-cache system
• [19860] fix to ODMR server routing failed deliveries to smart host. We are the smart host in these cases!
• [22625] fix to gateway mail folders not cleared of orphaned lck files on a restart
• [19260] fix to content filter 'copy to user' action not allowing more than about 45 characters
• [19792] fix to ODBC mailing list not logging error when data-store offline/missing
• [22636] fix to ODBC selector wizard sometimes returning syntax error in query string when using test button
• [22663] fix to ODBC selector wizard missing + char in query string when using test button
• [2389] fix to ODBC selector wizard not creating proper query string for tables with spaces in them
• [22637] fix to MDaemon not prompting to restart the server when the log file path changes (this is required)
• [22640] fix to From Header Screening not wrapping the header it creates when it gets too long
• [22647] fix to From Header Screening including empty display-names in the header it creates
• [2347] fix to Mailing List rename not updating content filter rules
• [21080] fix to header translation on the From header defeating simple message archiving system
• [21619] fix to messages released from quarantine queue not getting archived
• [22690] fix to CF sometimes sending notifications to spam honeypot addresses
• [22696] fix to IP Cache editor allowing duplicate values to be entered
• [22695] fix to Alias Editor in Account Editor hiding selected item with blue bar
• [22725] fix to Minger sender lookups using Domain Sharing settings for Gateways rather than the settings for the gateway. Also, Domain Sharing no longer needs to be enabled for these Gateway checks to be performed.
• [22731] fix to massive POP server logs because option to log multiline responses not honored for client (only server) processing
• [20769] fix to MDPGP encrypt operation preventing domain and user signatures from being added to message prior to encrypt operation
• [22798] fix to Content Filter MDPGP dialog allowing selection of keys that aren't on the key-ring
• [22796] fix to custom and gateway queues not loading content into queue window when double clicked
• [22803] fix to MDPGP not logging ops like disable key, delete key, create key properly
• [22799] fix to MDPGP not send results email when a key import operation fails
• [22801] fix to MDPGP key export email having incorrect text when fetching key for self
• [22804] fix to MDPGP text logged when keys disabled/enabled/created not including key ID
• [22773] fix to MDPGP some --pgp commands working even when service turned off
• [22822] fix to MDPGP writing out LastSessionID all the time wasting disk and cycles
• [22848] fix to MDPGP auto-key generation making keys for the MDaemon system account
• [22962] fix to MDPGP not working with domain sharing properly
• [22829] fix to MXHost parser not handling cases of IP addresses with spaces around the brackets
• [22842] fix to log file midnight roll-over routine logging half its actions in the next day's system log file
• [22840] fix to default domain fqdn value not written to domains.dat
• [22849] fix to gateway mail not routing to bad queue when unable to create gateway mail folder
• [22857] fix to white list not checked before putting something on the black list
• [22846] fix to MDRA - DKIM Signing adding blank selector
• [22853] fix to Mobile theme - Messages sent with text/plain section empty
• [22816] fix to Mobile theme - Using contact picker wipes out addresses entered in prior fields
• [22500] fix to Mobile theme - "Ignore attempts using identical passwords" is being ignored
• [22762] fix to WorldClient theme - Some month names are incorrect in French and other languages
• [22854] fix to Mobile theme - Calendar - Certain month name lengths cause the arrow to be moved to the next lines
• [22778] fix to MDRA - Saving autoresponder causes MD UI to not show line breaks
• [22681] fix to MDRA - In account's Mailing Lists tab, non-ASCII characters in Type values are incorrectly decoded
• [22499] fix to MDRA - The Authorize Client button is missing on the Client Management screen
• [22621] fix to Webmail - tab characters are inserted into long message subject values
• [22769] fix to CalDAV - Potential memory corruption and crash
• [20503] fix to MDSpamd - When debug logging is enabled then messages in RAW queue might not be deleted
• [22923] fix to routed list mail with no remote recipients creating orphaned files in remote queue
• [22934] fix to mailing list refusing posts from Active Directory list members at times
• [22876] fix to Mobile theme - Checkbox letter shows bracket for email address of format <address@domain.com>
• [22974] fix to Antivirus - when mailbox scanning is started with config session the process will stop when the user logs off computer
• [22990] fix to MDRA - Gateway Manager | Forwarding allows invalid email address
• [23012] fix to Active Directory not allowing Comments template to be commented out of ActiveDS.dat file
• [23056] fix to vCard 4.0 distribution list/contact group uploaded via CardDAV is saved as a regular contact
• [23021] fix to MDRA - Spambot Detection - saved Whitelist changes are not applied to MDaemon
• [22937] fix to MDRA - Hijack detection whitelist button is not enabled when it should be
• [22899] fix to MDRA - "Unable to format string" error occurs when editing mailing list settings
• [22212] fix to MDRA - ACL names on Edit ACL screen wrapping
• [23018] fix to Mobile theme - iOS - When viewing public calendars, the domain is not displayed in the folder name
• [23010] fix to Mobile theme - Unsubscribed public contacts and calendar folders are still available
• [23058] fix to WorldClient theme - When printing an event that exists at the end of the month the date is one day ahead
• [23065] fix to Minger returning that all email addresses are valid for gateway domains
• [23090] fix to Webmail - Chrome - Audio notifications cause the sound file to be downloaded instead of played
• [23074] fix to error email not sent to admins on SA update download/unzip/install fail
• [23105] fix to Mobile theme - When switching from Mobile theme to WorldClient or LookOut themes, the user gets a blank page
• [22378] fix to MDMigrator Unable to export message, pConvSess->MAPIToMIMEStm failed [0x80070005] in WriteMimeMessage
• [23128] fix to Mobile theme - setting a date for an event that is within the Timezone bias of UTC results in the date being set to the following day
• [23124] fix to Configuration Session active session window may display a partial log line at the top
• [23120] fix to WorldClient and LookOut themes - Page 1 of tasks appears in print preview regardless of which page of tasks is selected
• [23139] fix to DOMAINS.SEM not reloading all domain data properly or creating domains that were added
• [23140] fix to MDRA - Account Editor->Mail Services Enable MDaemon Connect should require IMAP
• [23141] fix to crash when Active Directory search string too long
• [23142] fix to domain data being left in WorldClient\Domains.ini after domain deleted
• [22311] fix to Antivirus being enabled after upgrading
• [23166] fix to option to freeze accounts when disabled in active directory causing accounts to be disabled rather than frozen
• [23163] fix to MDRA - When editing a rule with group member condition, User-defined condition gets selected
• [23164] fix to MDRA - Whn creating a rule, if you select condition "If RECIPIENT is member of group" you cannot save the group if only one exists
• [23171] fix to Cyren AV updater running when Cyren AV is disabled
• [20270] fix to Dynamic Screening UI does not list more more than 427 blacklist entries
• [23215] fix to MDPGP signing mail sent to self (or to all local recipients) when configured not to do so
• [23216] fix to DSN reporting on empty failed recipient list as if wasn't empty
• [23217] fix to LookOut theme - When including a remote email address as an event attendee, the next local address overrides the remote address
• [23220] fix to slow processing of a particular meeting invitation
• [23225] fix to MDRA - Usage button does not work under Mobile | Policy Manager
• [23226] fix to MDRA - A device is duplicated when assigning a policy at Mobile | Client Management
• [23229] fix to CfUpdate.dat is missing after a fresh install
• [23245] fix to Mobile theme - Japanese - Opening a saved draft displays only "Loading"
• [23073] fix to DMARC sp= policy not being ignored when policy record lives at sub-domain of org-domain
• [23246] fix to Account Editor allows a weak password to be set when strong passwords are required if "Account must change password" is checked
• [23290] fix to CardDAV - a distribution list member added in eM Client from the user's address book (existing contact) is not synchronized to MDaemon
• [23300] fix to MDPGP sometimes trying to import a public key that does not exist in a message
• [23314] fix to .tmp files are sometimes created in the APP folder rather than the TEMP folder
• [23316] fix to IPCache.dat file being rewritten excessively
• [23299] fix to STARTTLS white list not being honored in all cases
• [23450] fix to MD GUI crash
• [23440] fix to MDRA - Unable to enable/disable 2FA options
• [23459] fix to WEBDAV - ETag HTTP header is not enclosed in quotes
• [23460] fix to WEBDAV - If-Match HTTP header is ignored
• [23513] fix to ActiveSync - Certain messages with non-ASCII characters are not displayed correctly in Outlook
• [23656] fix to Webmail - XSS vulnerabilities