•There are several new image blocking options in Webmail Settings and Domain Webmail Settings that can be used to block HTML remote images in some or all messages. You have the option to allow the recipient to view the images if desired, or to "always" block those images with no option to view them. Finally, you can also apply the image blocking options to inline/embedded images.
•There is now a "Search Settings" link on the title toolbar at the top of the page. This feature is useful for more easily locating any of the many settings and pages within MDaemon. Simply start typing words contained in the setting or page that you are looking for, and a list of links to those locations will be listed below.
•MDaemon now includes OneDrive integration support for your Webmail users. Similar to the Google Drive and Dropbox integration features, MDaemon Webmail can present users with options to save message attachments directly to their Microsoft OneDrive Work or School account, and to edit and work with documents stored there. In order to enable this, a Client ID and Client Secret are required, which are obtained directly from Microsoft by creating an App using Microsoft's Azure Active Directory. An OAuth 2.0 authentication component is part of this app, which allows your Webmail users to sign-in to OneDrive and then authorize access to their OneDrive Work or School account through MDaemon. Once authorized, users can view their folders and files that are in OneDrive. Further, they can upload, download, move, copy, rename, and delete files, as well as copy/move files to and from the local document folders. The OneDrive setup process is similar to MDaemon's MultiPOP OAuth Integration feature.
•WebAuthn management tools were added to the Account Details page in the Account Editor and under My Account, displaying any passwordless sign-in or 2FA credentials that have been set up in MDRA or Webmail.
•The Account Details page, in the Account Editor and under My Account, now includes the Password Recovery Email option.
•Added a Select All toggle button for the group membership editor.
•Added a confirmation dialog for the Delete and Delete All buttons at Messages and Queues | Deferred Queue
Pro Theme
•Added options to underline the from header and italicize the to header in the message list at View Options | Message List Layout
•Added a "Recall" icon in the message list for messages in the Sent Items folder. Hovering over the icon for a deferred message will display the deferred until date. Click on the icon to recall the message.
•Added the ability to sort email templates using drag and drop at Settings | Email Templates
•Added a skeleton "modified.css" at MDaemon/WorldClient/HTML/All/StyleSheets for any admin to modify the css in the Pro theme. The file is not overwritten on install.
•Added an option to "Display attachments in the message list" at Settings | Personalize. Some attachments, such as public key signatures, are excluded. Attachments are only displayed in the multiline view.
•Added an option to "Always display messages in multi-line format" in the message list at View Options | Message List Layout
•Added a settings search feature. Users can click the "Search Settings" option in the settings view and type a phrase to search for a setting. Users can then click on a result to be taken to the correct settings page.
•Added support for Microsoft OneDrive integration. To connect, go to Settings | Cloud Apps and click "Setup OneDrive". Microsoft does not allow personal accounts to be connected; only business and student accounts are permitted. Users can view their drives, folders, and files. They can also upload, download, copy, move, delete and even view files (using Microsoft's view link).
•When using "New Event", "New Task", or "New Note" features, attachments from the message are now added to the new item.
•Added a button to use AI to translate the body of a message next to the "Summarize" button
Other
•Added an option to toggle AM/PM time format for published calendars. Uses the user's UseAMPM setting by default.
•WorldClient and LookOut themes - Changed the default advanced search start date to one year ago
•Enabled per user AI setting by default (for new installs).
•Added HideDeleteAttachmentButton option. Must be set in the MDaemon\WorldClient\Domains.ini [Default:UserDefaults] section or per user in the User.ini [User] section
•On the Mailing List Editor's Settings page, the option to "Remove undeliverable email addresses from list membership" now lets you configure how many consecutive permanent delivery failures must occur before the member is removed. To prevent members from being removed after a single failure, the default value is 3.
•MDaemon always uses "relaxed" header canonicalization when generating ARC signatures.
•Saving the IP addresses of SMTP/IMAP/POP login attempts so new and previously-failed IPs can be reported is now optional. It is enabled by default, and the IP addresses can now also be pruned after they are a number of days old (365 by default). See the "IP History" settings on the SMTP Screening page.
•The Header text and HTML filename used in Attachment Linking messages can now be specified on the Attachment Linking page.
•The About dialog displays the registration keys for AntiVirus, MDaemon Connector, and ActiveSync if they are using different registration keys than MDaemon.
•The Webmail RelayFax screen is not displayed in the GUI unless RelayFax is installed or Webmail is using RelayFax.
•The low disk space warning emails now say which drive the warning is about.
•The weak passwords report now mentions how many accounts could not be checked because they're using AD authentication or non-reversible password encryption.
•After installing a new version, the entire MDaemon release notes will be emailed to admins instead of only the special considerations.
•Added domain names to the warnings logged at startup when a postmaster or abuse alias is missing.
•Location Screening has a new option to add the IP of an SMTP connection to the Dynamic Screening Block List if they attempt to authenticate when authentication is disabled. This option is enabled by default.
•ActiveSync has long supported Folder Exclusions, to prevent an individual client from Syncing a selected folder. As of this version, it now supports Folder Exclusions at the Global, Domain, ClientType and Account level also. The XML API has been updated to allow for managing these within the ActiveSync operation.
•Dynamic Screening - Instead of freezing an account when it has failed authentication too many times, it is added to the new Blocked Account List. Blocked accounts can still log in from Trusted IPs and IPs on the Dynamic Allow List. Accounts on the new Exempt Account List will not be added to the Blocked Account List.
•XMPP - There is now an Enable buddy list syncing option to automatically populate users' buddy lists for the domain. This setting is also available per domain, and it is disabled by default.
•XMLAPI - Ability to download log files via FileTransfer Operation.
•XMLAPI - Manage and report Published Schedules URL for an account. One can now retrieve Published Schedule information for an account using GetUserInfo. It will be in the Publishing Element under the WorldClient Element for an account. To publish or retract a Calendar Folder via the API, see the FolderOperation 'publish' and 'retract' actions.
•ActiveSync Migration Client now supports OAUTH for migrations from Office 365.
•Improved Antivirus scanning exclusions.
•LetsEncrypt will change the FQDN and AlternateHostNames to use lower case characters.
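The item above on "relaxed" header canonicalization for ARC signatures refers to the header algorithm defined in RFC 6376, section 3.4.2. The following is an added example, not MDaemon's code: it shows why a signature over relaxed-canonicalized headers survives a relay that refolds lines or changes whitespace and name case, while "simple" canonicalization does not. The header values are constructed, and the SHA-256 digest is a stand-in for the data a real signer would sign.

```python
import hashlib
import re


def simple_header(raw: str) -> str:
    """'simple' canonicalization: the header field is used byte-for-byte."""
    return raw


def relaxed_header(raw: str) -> str:
    """'relaxed' canonicalization of one header field (RFC 6376, 3.4.2)."""
    name, colon, value = raw.partition(":")
    if not colon:
        raise ValueError("not a header field: no colon found")
    # 1. Lowercase the field name and drop whitespace before the colon.
    name = name.strip(" \t").lower()
    # 2. Unfold: drop the terminating CRLF, then every CRLF inside the field.
    if value.endswith("\r\n"):
        value = value[:-2]
    value = value.replace("\r\n", "")
    # 3. Collapse each run of spaces and tabs to a single space.
    value = re.sub(r"[ \t]+", " ", value)
    # 4. Remove whitespace after the colon and at the end of the value.
    value = value.strip(" ")
    return f"{name}:{value}\r\n"


def digest(fields, canon) -> str:
    """Hash the canonicalized fields (stand-in for the signed header data)."""
    h = hashlib.sha256()
    for field in fields:
        h.update(canon(field).encode("ascii"))
    return h.hexdigest()


def survives_relay(signed, relayed, canon) -> bool:
    """True if the relayed headers still match what the signer hashed."""
    return digest(signed, canon) == digest(relayed, canon)


# Constructed sample: headers as the signing server saw them.
SIGNED = [
    "From: Alice Example <alice@sender.example>\r\n",
    "Subject: Quarterly report for the list\r\n",
]
# The same headers after a relay changed case, spacing and line folding.
RELAYED = [
    "FROM:  Alice Example   <alice@sender.example>\r\n",
    "Subject: Quarterly report\r\n\tfor the list \r\n",
]
# A relay that changed the content itself (subject tag added).
MODIFIED = [
    SIGNED[0],
    "Subject: [list] Quarterly report for the list\r\n",
]

if __name__ == "__main__":
    for label, canon in (("simple", simple_header), ("relaxed", relaxed_header)):
        print(label, "refolded:", survives_relay(SIGNED, RELAYED, canon),
              "modified:", survives_relay(SIGNED, MODIFIED, canon))
```

Relaxed canonicalization only tolerates whitespace, folding and name-case changes; a change to the header text itself still invalidates the signature.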
For a comprehensive list of these and all other additions, changes and fixes included in MDaemon 24.5.0, see the Release Notes.
•MDaemon can collect and send anonymous usage data to MDaemon Technologies. We will use this information to improve the product and its features to better meet the needs of our customers. This can be disabled by unchecking the "Send anonymous usage data" checkbox at Setup | Preferences | Miscellaneous. See our privacy policy for more information.
•The DKIM option to sign mailing list messages no longer requires content filter processing on each individual list message.
•The Bad Queue Summary email now has a link to delete all messages. As with the other links in the queue summary emails, this requires the "Include action link in summary email" option to be enabled and the Remote Administration URL to be set.
•Authenticated Received Chain (ARC) protocol - ARC is an email authentication protocol that lets intermediate mail servers digitally sign a message's authentication results. It provides an authenticated "chain of custody" for a message, allowing each server that handles the message to see what previous servers handled it and whether or not it was authenticated at each step. When a downstream mail server does DMARC verification and finds that SPF or DKIM have failed (due to forwarding or mailing list modifications, for example), it can look for ARC results from a trusted server and use them to decide whether to accept the message. ARC verification and signing can be enabled on the new ARC Settings dialog under Sender Authentication. For more information on the ARC protocol, see: RFC 8617: The Authenticated Received Chain (ARC) Protocol.
•Added support for SEM files without "blacklist" and "whitelist" in their names: BLOCKLIST.SEM, SENDERBLOCKLIST.SEM, RCPTBLOCKLIST.SEM, CREDSMATCHEXEMPTLIST.SEM, DMARCEXEMPTLIST.SEM.
•Changed the Hijack Detection account frozen notification email to say the exact reason the account was frozen.
•MDaemon disables the MDaemon Connector client auto-updater in versions before 7.0.6, to work around an auto-updater bug in those versions.
•Document Links - This feature allows Webmail users to create temporary links to specific files contained in their personal documents folder. These links can be shared with anyone and will be active for 30 days and then automatically removed. The global default setting for this option is located on the Webmail Settings page. It can also be set per domain in the Domain Manager or per user in the Account Manager. Global Administrators can use the Document Links page to see what links are being shared, when they were created, how many times the linked file has been downloaded, and the last download. They can also use this page to revoke any link.
•The Status page now displays the license status and number of accounts used for MDaemon, MDaemon Connector, AntiVirus, and ActiveSync. This info is also displayed on the Registration page (click About and then Registration on the toolbar).
•There is now a Webmail Setting to "Disable hyperlinks in spam and messages that fail DMARC, DNSBL, or SPF authentication", which is enabled by default. You can optionally exempt messages from this when the From header matches a contact in the domain's or user's Allowed Senders contact lists. An exemption option for Allowed Senders was also added to the "Block HTML images" option on the same page.
•Added a Webmail Branding option to upload a custom background image for the Webmail sign-in page.
•You can now set MDaemon to "Allow WebAuthn Sign-In to bypass the Two Factor Authentication page" on the main Webmail Settings page, and on the corresponding Domain Manager Webmail page. Because WebAuthn is already a multi-factor form of authentication, using another form of Two Factor Authentication (2FA) after someone has already used WebAuthn to sign-in could be viewed as redundant or excessive by some users or administrators.
•Changed the list of registered credentials on the user settings page to only display Passwordless Sign-In credentials and added the same type of list to the Two Factor Auth Device Authentication portion of the page for the related registered credentials. You can access your user settings page by clicking your account name in the top-right corner of the navigation menu.
•Moved the proxy settings from the AV Config updater to Setup | Server Settings | Proxy Settings.
•A Delete button was added to the Message Search page under the Messages and Queues menu. Administrators can use this to delete messages from a user's mailbox. Global administrators can also now choose to search All Mailboxes for a given domain.
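The ARC item above describes a "chain of custody" built from one set of ARC headers per handling server. As an added example (not MDaemon's code), the sketch below runs the structural checks from RFC 8617, section 5.2 over a constructed header block: every set must contain exactly one of each ARC header, instance numbers must run 1..N without gaps, and the seal must carry cv=none at i=1 and cv=pass afterwards. The helper names, domains and placeholder signature values are assumptions, and no cryptographic verification is performed.

```python
import re
from collections import defaultdict

ARC_FIELDS = ("arc-seal", "arc-message-signature", "arc-authentication-results")
MAX_SETS = 50  # RFC 8617 limit on ARC sets per message


def arc_set(i, cv, signer):
    """Build one constructed ARC set; signature data is a placeholder."""
    return (
        f"ARC-Seal: i={i}; a=rsa-sha256; cv={cv}; d={signer}; s=arc;\n"
        f"\tb=PLACEHOLDER\n"
        f"ARC-Message-Signature: i={i}; a=rsa-sha256; c=relaxed/relaxed;\n"
        f"\td={signer}; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
        f"ARC-Authentication-Results: i={i}; {signer}; spf=pass; dkim=pass\n"
    )


def parse_headers(raw):
    """Return (lowercased name, unfolded value) pairs from the header block."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)
    pairs = []
    for line in unfolded.splitlines():
        name, colon, value = line.partition(":")
        if colon:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _tag(value, tag):
    """Extract one tag=value item from a semicolon-separated tag list."""
    m = re.search(rf"(?:^|;)\s*{tag}\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None


def check_arc_chain(raw):
    """Structural ARC chain check; returns (verdict, reason)."""
    sets = defaultdict(lambda: defaultdict(list))
    for name, value in parse_headers(raw):
        if name in ARC_FIELDS:
            inst = _tag(value, "i")
            if inst is None or not inst.isdigit():
                return ("fail", f"{name} has no valid i= tag")
            sets[int(inst)][name].append(value)
    if not sets:
        return ("none", "no ARC sets present")
    n = max(sets)
    if n > MAX_SETS:
        return ("fail", f"more than {MAX_SETS} ARC sets")
    if sorted(sets) != list(range(1, n + 1)):
        return ("fail", "instance numbers are not a continuous 1..N sequence")
    for i in range(1, n + 1):
        for field in ARC_FIELDS:
            if len(sets[i][field]) != 1:
                return ("fail", f"set i={i} needs exactly one {field}")
        cv = _tag(sets[i]["arc-seal"][0], "cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return ("fail", f"set i={i} has cv={cv}, expected cv={expected}")
    return ("structure-ok", f"{n} set(s); signatures still need verification")


# Constructed sample: a mailing list (i=1) followed by a forwarder (i=2).
SAMPLE = (
    arc_set(2, "pass", "forwarder.example")
    + arc_set(1, "none", "lists.example")
    + "From: Alice Example <alice@sender.example>\n"
    + "Subject: Quarterly report\n\nBody text\n"
)

if __name__ == "__main__":
    print(check_arc_chain(SAMPLE))
    print(check_arc_chain(arc_set(2, "pass", "forwarder.example")))
```

A "structure-ok" result only means the chain is well formed; a verifier must still validate each ARC-Message-Signature and ARC-Seal and decide whether it trusts the sealing domains.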
Pro Theme
•The Pro theme now has an option to allow users to create temporary links to individual files in their Documents folder, which can then be shared with anyone. In the document list, the user creates the link by clicking a Link icon to the right of any listed file. Using that same icon, the user can delete a previously created link or replace the link with a new one, since links will be deleted automatically after 30 days. If a link exists for a file, an icon will appear before the file's name in the document list. In MDRA, the "Allow users to create temporary links to personal documents" option governing this feature is located on the Webmail Settings page (corresponding options are also in the Domain and Account Managers), and there is a Document Links page for viewing and managing the links your users have created.
•When viewing a message that you have previously replied to or forwarded, a note appears below the headers stating the date and time you replied to or forwarded it.
•There is now a notification bell icon in the top-right corner of the navigation bar, to review and "mark as seen" your past event and task Reminders. If you wish to remove the bell icon from the navigation bar, you can turn off that feature by disabling the "Display event and task reminders in the navigation bar" option on the Settings | Notifications page in Webmail.
•There is now a "Show Header Details" option at Settings | Personalize to always show the header details in the message views.
•Added instructions on how to use the availability UI on the Publish Schedule dialog.
•Upgraded the HTML editor, TinyMCE, from version 6.0 to version 6.8.
•Updated the translations for the in-browser instant messenger.
•Added a font option to the Settings | Personalize page.
•Added the ability to drag and drop attachments and documents download links to the desktop. Only works with Chrome-based browsers.
•Added a toggle arrow for the CC and BCC fields in the compose view.
•Reduced the list and menu padding for desktop browser sizes.
•After you copy or move a message to another folder, the next time you open the copy/move menu it will contain a new link to Copy or Move to the same folder used before. For example, if you copy a message to Inbox, the next time you open the shortcut menu there will be a new "* Copy to Inbox" option below the normal Copy option.
•Updated the text on the Publish Schedule page to use "Duplicate" instead of "Copy" for adding existing availability to other days.
•Updated the Folder Actions page.
Other Improvements
•Improved performance by reducing the amount of disk I/O.
•Empty hrefs in HTML anchors in emails will now be removed to prevent invalid behavior.
•Created an Allowed Senders public folder that is checked for the "Do Not Block Images for Allowed Senders" and "Do Not Disable Hyperlinks for Allowed Senders" Webmail options. This folder is currently only used by Webmail, not by the MDaemon server or Spam Filter.
•Added the user options "Request Delivery Confirmation" and "Request Read Confirmation" at Settings | Compose. When these are set to Yes, the corresponding checkboxes are activated in the Compose view.
•Added an option to "Do Not Disable Hyperlinks for Allowed Senders" at Settings | Personalize. When hyperlinks are disabled in a message, "Hyperlinks are disabled. Click here to enable them" will be displayed at the top of the message window.
•Added the ability to set the color of a calendar in the Pro theme. The setting is available by right clicking a calendar in the Calendars View, going to Settings | Folders and clicking on a calendar from the folder list, and while creating a new calendar in the New Folder dialog. The color setting is honored in LookOut and WorldClient themes.
•Changed the list of registered credentials on the Settings | Security page to only display Passwordless Sign-In credentials and added the same type of list to the Two Factor Auth Device Authentication portion of the page for the related registered credentials.
•Changed the "Import Messages" icon to a down arrow instead of an up arrow.
•Added more contrast between the read and unread status of messages in the message list.
•Updated CKEditor to v4.22.1.
•Improved SmartForward/SmartReply Operation when <ReplaceMime/> is NOT specified.
Previous versions contained code that was compliant with the EAS 2.5 Spec for SmartForward. Furthermore, SmartReply did not support inline images in the replied to message. This new code supports this. The style css fragment that controls the div within which the replied to / forwarded message is placed, continues to be customizable. See the ActiveSync operation Samples ActiveSync_DomainSettings_*.xml and ActiveSync_GlobalSettings.xml. Unless explicitly specified, domain settings will use the global formatting settings.
•ActiveSync Management changes are logged to the AirSync-Mgmt log file.
•The ActiveSync server honors the Webmail option to use the X-Forwarded-For header.
•XMLAPI - Added App Passwords management.
•Content Filter - Added support for foreign characters for rules editing and searches. Content filter configuration files (CFilter.ini and CF*.dat) have been converted to UTF-8. If you need to revert to a previous version and have non-ASCII characters in these files, convert them to ANSI or restore them from backup.
•Updated DQS SpamAssassin files for HBL content and fixes.
•Dynamic Screening - If you encounter "The network path was not found" errors, edit the registry at HKLM\SOFTWARE\Alt-N Technologies\MDaemon\DynamicScreening\Configuration and set Server to "." and UseCustomServer (DWORD) to 1.
•Updated ClamAV to version 1.0.6 LTS.
•MDaemon Connector has been updated to version 8.0.1.
For a comprehensive list of these and all other additions, changes and fixes included in MDaemon 24.0.0, see the Release Notes.
MDaemon supports the Web Authentication API (also known as WebAuthn), which Webmail users can utilize to have a secure, passwordless sign-in experience, by allowing them to use biometrics, USB security keys, Bluetooth, and more for authentication. WebAuthn can also be used for Two-factor Authentication (2FA), although if you are using both passwordless authentication and two-factor authentication then you can't use the same authentication method for both. You can find the WebAuthn settings on the Webmail Settings page of the MDaemon Remote Administration (MDRA) web-interface.
Visit: webauthn.guide, for more information on WebAuthn and how it works.
As of MDaemon 23.5.0, the Pro theme in MDaemon's Webmail client includes various Artificial Intelligence (AI) features to help assist your users in managing their email and increasing productivity. With these features, in MDaemon Webmail you can use AI (specifically ChatGPT by OpenAI) to get a summary of the contents of an email message, suggest a reply to a message based on criteria you choose, and help you compose a new message based on some of your own text and other criteria.
Webmail's AI message features are disabled by default for all domains. They can be enabled by using the "Enable AI message features" option on the Webmail Settings page or the Domain Manager's Webmail page. Webmail's AI message features are also disabled per user by default. You can enable them per user on the Account Editor's Web Services page, or as part of a Group controlled by an Account Template. When the Domain setting is disabled, that takes precedence over the user setting. Therefore, none of that domain's users will be able to use the AI message features regardless of their user setting.
See: Webmail's AI Message Features, for more information and cautions about using these features. Further, you can find MDaemon Technologies' AI Usage Policy at our Artificial Intelligence (AI) Information Page. On that same page there is also a link to OpenAI's Terms of Use.
Theme Improvements
23.5.2
•Pro: Users can now click on the current folder, and it will reload the list view. All contacts, and all documents views will be turned off.
•Pro: Added the Advanced Compose setting at: Settings | Compose. When enabled, the CC and BCC fields will always be visible in the Compose view.
23.5.1
•Pro: Publish Schedule - Added optional location and comment fields that will be included in any event created through the schedule page.
•Pro: Improved the organization of the Folder Actions page.
23.5.0
•Pro and WorldClient: There is now an option to delete all attachments from a given message.
•Pro and WorldClient: Added a Description column to the Documents view.
•Pro: The Compose view contact picker now has a dialog for adding a contact with three fields (Name, Email, Mobile Phone).
•Pro: There are new Style options at: Settings | Personalize.
•Pro: Multiple event reminders are now supported.
Other Webmail Improvements
•Added a Public Schedule option, so that users can allow others to schedule a meeting.
•Separated the setup process for Two Factor Authentication email verification from the setup process for authenticator app verification.
•The Password Recovery feature now sends an email without revealing to the user where the email was sent. Two Factor Auth occurs after clicking the recovery link in the email.
•Changed how Webmail authenticates to MDaemon's SMTP server so the user's password is not needed.
•Added an option to "Mark deleted messages as read" at: Settings | Personalize.
•There is now an All Documents toggle button in the Documents view.
There is now a Health Check page in MDRA at: Security | Health Check. This page provides a convenient list of important security settings consolidated onto a single page, and it displays each setting's current value and its default value. Where those values differ, the setting is highlighted so that Global Administrators can quickly review those particular settings and then restore any of them to their default values if desired. Each group of settings also has a shortcut icon next to it, so that you can jump to the page on which those settings are located. In addition, you can also view a list of all Health Check changes made during the current browser session, and undo any of those listed changes if necessary.
Other MDRA Improvements
•Added editor GUIs for all direct edit files.
•There is now an "X" icon that you can click to hide any given chart in the Traffic and Mailboxes summary report pages. To restore a hidden report, click your account name in the upper right corner of the page and then click the box next to the report you wish to restore.
•Added a Delete All button to the Mailing List Members page.
•As with Webmail, support for WebAuthn was added to MDRA, which gives users a secure, passwordless authentication method, and it can also be used as a Two Factor Authentication method. The WebAuthn options in MDRA are located on the Remote Admin Settings page. See: WebAuthn Support in the Webmail section above.
•The Public Folder Editor and Shared Folder Editor now have a Nest under option to choose the parent folder under which the selected public or shared folder will nest.
•Added some text to the Account Editor's Mailing Lists page to explain that a user might show up as a member of a mailing list due to membership in a Group.
•In the Message Search and Queues, added the ability to view the email message, in addition to being able to view its source. RAW messages are still only in text/plain.
•Added links to the Queues on the Status page.
•Added the ability to include multiple addresses (separated by commas) when adding new Access Rights to a Public Folder's Access Control page. You cannot add addresses when editing existing rights.
•Updated ClamAV to 1.0.3.
•LetsEncrypt - Added support for TLS 1.3
•Updated SpamAssassin to 4.0.0.
MDaemon 23.5.0 includes many additions and improvements to the XMLAPI. See the Release Notes for a complete list of these improvements.
•Added an App Passwords option to delete an account's app passwords when the account's password is changed. The new option is on by default.
•Added a Restrictions page to the Account Templates. When an account is removed from a group with an account template that controls restrictions, the account's restrictions revert to their previous values, or possibly to another group's account template if the account is a member of multiple groups.
•The Location Screening option "SMTP connections are accepted but authentication is blocked" is now per country instead of global. Blocking SMTP connections prevents your server from receiving mail from a country. Allowing SMTP connections with authentication disabled lets your server receive mail from a country while blocking brute force / dictionary attacks from them. Protocols other than SMTP are not affected.
•Removed obsolete "Compose in new browser window" Webmail option from the UI.
•LetsEncrypt - Added support for TLS 1.3.
For a comprehensive list of these and all other additions, changes and fixes included in MDaemon 23.5.2, see the Release Notes.
•(23.0.2) Added a MultiPOP option to send a notification email after multiple failures when checking a MultiPOP account. Since temporary failures are not uncommon, there is an option for how many consecutive failures it takes to trigger the notification. There is also an option for how many days to wait between notifications, to avoid sending too many of them. The content and recipients of the notification emails can be customized by editing \MDaemon\App\MPOPFailureNotice.dat. By default the notifications are sent after 5 failures, no more than once every 7 days, to the MultiPOP account owner.
•There is a new MultiPOP page under Server Settings. From this page you can enable/disable MDaemon's MultiPOP server, and use the "MultiPOP always deletes mail..." option (formerly located on the MultiPOP Collection page) to override the Leave a copy of message on POP server option for all users. This new page also contains OAuth 2.0 support options for MultiPOP mail collection from Gmail and Office 365.
MultiPOP OAuth 2.0 support for collecting mail from Gmail and Office 365 — OAuth 2.0 is modern authentication, which these services are now requiring as they disable support for legacy/basic authentication. In order for MDaemon's MultiPOP feature to use OAuth 2.0 to collect mail from Gmail or Office365 on behalf of your users, you must register your MDaemon server with Google or Microsoft, respectively, creating an OAuth 2.0 application using the Google API Console or Microsoft's Azure Active Directory. This is similar to the procedure required for using MDaemon's Dropbox Integration for your Webmail users. See the MultiPOP help topic for more information on configuring OAuth 2.0 support.
•MDaemon's IMAP server now supports keyword flags. This allows email clients such as Mozilla Thunderbird to store Message Tags on the server, which lets you see tags in one instance of a client that were set in another instance of the client.
•Improved the IMAP server's performance when opening large mail folders.
•(23.0.2) Added support for Spamhaus Data Query Service (DQS) to the Spam Filter. For more information on Spamhaus DQS, visit: https://info.spamhaus.com/getting-started-with-dqs
•There is a new Block Logon Policy Violations option on Dynamic Screening, that you can use if you wish to block any IP address that attempts to logon without using the full email address. This option is off by default. See the Systems page for more information on the corresponding option, "Servers require full email address for authentication".
•An Only for valid accounts option was added to expand the Ignore authentication attempts using identical passwords option on the Auth Failure Tracking page. Activate this option if you only wish to ignore the duplicate password authentication attempts when they are attempting to sign in to a valid account. This means that if, for example, a user updates his password in one client but another client is still running with the old password, that old client's sign-in attempts will still be ignored, since it will have the correct sign-in name. A bot trying random sign-in names with a similar password will not have that same benefit, and will be blocked as soon as it surpasses the auth failure threshold. This will help to defeat bots much quicker. The XML API DynamicScreen operation has also been updated to reflect these new features.
•A Content Filter » Attachments option was added to: "Add warning to top of message body if attachment is removed". When MDaemon removes an attachment from a message, for example because a virus was detected, it will add a warning message to the top of the message body. There is also a Warning button to use if you wish to review or modify that message's template. This option is enabled by default.
•Added the option to Exclude Trusted IPs from AntiVirus scanning.
•MDaemon sends a warning email to admins when SSL certificates configured for use by MDaemon, Webmail, or Remote Administration are about to expire.
•MTA-STS now has an exempt list, so problem domains can be made exempt instead of MTA-STS needing to be turned off when failures affect deliverability.
•The ClamAV AntiVirus component was updated to version 0.105.2 (in MDaemon 23.0.1).
•Google Drive Integration — Webmail can now be linked to your users' Google accounts to allow them to save message attachments directly to their Google Drive, and to edit and work with documents stored there. In order to enable this, an API Key, Client ID, and Client Secret are required. All are obtained directly from Google by creating an App using the Google API Console and registering your MDaemon with their service. An OAuth 2.0 authentication component is part of this app, which allows your Webmail users to sign-in to Webmail and then authorize access to their Google Drive account through MDaemon. Once authorized, users can view their folders and files that are in Google Drive. Further, they can upload, download, move, copy, rename, and delete files, as well as copy/move files to and from the local document folders. If the user wants to edit a document, clicking the option to view the file in Google Drive will allow the user to make edits to it in accordance with their permissions set in Google Drive. The Google Drive setup process is similar to MDaemon's Dropbox Integration and MultiPOP OAuth Integration features. See Google Drive Integration for more information.
•Added an option in all themes except Lite to "Enable Drag and Drop to move folders". The new option is located in Webmail on the Folders page under the Options menu, and it is enabled by default.
•Made the session cookie secure over HTTPS.
•Category changes notification now sent to MDaemon
•WorldClient no longer modifies the robots.txt file on startup.
•The built-in web server prevents the download of .dll files from the HTML directory.
•Added one to the maxlength of the new password input, so that the "Maximum of 15 characters" unmet requirement will show.
•Added reporting for sign-in attempts without a full email address, to support the new Dynamic Screening option to Block Logon Policy Violations.
•(23.0.2) Made the unsnooze option more visible with an orange highlight.
Pro Theme
•Added read receipts support.
•Added an option to disable the HTML editor context menu.
•Added the ability to resize the folder list.
23.0.2
•Added AntiVirus option to "Exclude trusted IPs from AntiVirus scanning".
•Added the "Do not allow authentication on the SMTP port" option to SMTP Authentication.
•Added a Public Folder Manager option to specify an ActiveSync Display Name.
•Added four more filter options to the Account Manager: Admins Only, Non-Admins Only, Global Admins Only, and Domain Admins Only.
•Added a page for the Spamhaus Data Query Service (DQS) to the Spam Filter. For more information on Spamhaus DQS, visit: https://info.spamhaus.com/getting-started-with-dqs
23.0.0
•In the Domain Manager, there is now a Webmail Setting to "Allow users to receive Two Factor Authentication verification codes over email", so that users can receive their verification code via an alternate email address rather than using the Google Authenticator app. This setting is enabled by default.
•Changed the default permissions when adding a new ACL entry to Lookup and Read.
•The Test buttons at: Spam Filter » DNS-BL » Hosts and Setup » Active Directory » Authentication are now disabled while the process is ongoing.
•The built-in web server prevents the execution and download of .dll files in the Templates directory.
•Users can now customize the appearance of the Remote Administration web-interface by clicking their user name (e.g. frank.thomas) in the top right corner of the window. There are options to switch the interface to Dark Mode, set the Font Size, and choose the preferred Language.
•Changed the account delete confirmation to use the custom confirmation feature.
•Added Dynamic Screening reporting for sign-in attempts without a full email address.
•Added a Client Settings option to Block Sender when moving mail into Junk-Email folder. When enabled, upon a client moving an email to the account's Junk Email folder, the service will add the Sender or From address of that email to the Blocked Senders Contacts folder.
•You can now disable the Full Wipe button for ActiveSync clients if you choose, so that you can't do a remote Full Wipe on an ActiveSync device without first disabling the new Disallow Factory Reset Wipes option.
•Made BodyPreferences data human readable to make troubleshooting sync issues easier.
•Improved shutdown performance when clients are syncing huge mailboxes.
•Added the ability to define a custom display name for mailbox and public folders.
•Improved shutdown performance.
•ActiveSync clients can now send to Personal Distribution Lists in Contact folders.
•Changed layout of Client Settings Dialog in the GUI to add room for new settings.
•(23.0.2) Content Filter - $LIST_ATTACHMENTS_REMOVED$ can be used in rule actions (e.g. "send note", "add warning...").
•In the MDaemon GUI, changed the default permissions when adding a new ACL entry to Lookup and Read.
•In the MDaemon GUI, added a warning pop-up if you attempt to set the Webmail, Remote Administration, or XMPP BOSH Server ports to have conflicting values.
•XMLAPI - Added Editor operation which can be used to edit MDaemon's various INI files.
•Changed several plug-ins to allow newer versions to run so customers can test possible hotfix/patch versions.
•LetsEncrypt - Updated script to check orders that are ready or valid.
For a comprehensive list of additions, changes and fixes included in MDaemon 23.0.2, see the Release Notes.
Pro Theme
•While viewing a message, you can hover over the sender's name to open a pop-up, which contains options for adding the sender to your Contacts and Allowed or Blocked Senders folders.
•Compose, Message, Event, Contact, Task, and Note views can now open in a new window.
•You can now open the next unread message from the message preview pane and message view.
•Added message snippets to the message list when in multi-line mode.
•You can now make available an Edit Alias Display Names option for Pro theme users, located under Settings » Compose. This allows users to edit the display name of any alias associated with their account. Use the new "Allow users to edit their alias display names" Webmail Settings option if you wish to allow this. Note: This option is only available in the MDaemon Remote Administration (MDRA) web-interface.
•Options and links that used to say "whitelist" or "blacklist" sender, now say "allow" or "block" sender. Additionally, the White List and Black List folders are now called "Allowed Senders" and "Blocked Senders".
•The Message List can be sorted by the Flag column.
•In the Tasks list, overdue tasks will now appear in red.
•Upgraded the XMPP client to version 4.4.0.
Other
•When strong passwords are required, there is now a list of password requirements that displays green and checked off as the user meets the requirements. Also added more descriptive error messages for what is wrong with an invalid password on submission.
•Compose Options now contains options for selecting the default "From:" address that will be used when composing, replying to, or forwarding a message.
•A "1 minute" setting was added to the List Refresh Time option, located on the Options » Personalize page.
•Added support for CSRFTokens on the Webmail Sign-in page. This is enabled when the "Use Cross-Site-Request-Forgery tokens" option is enabled on the Webmail Settings » Web Server page. If you are using custom templates for Webmail, add a hidden input to the Login form as follows: <input type="hidden" name="LOGINTOKEN" value=<$LOGINTOKEN$> />
•Public Calendar - Modified the List view to start on the current day and show the next 30 days.
•Added automatic conversion of URLs to hyperlinks in the message view.
•The names of default folders (Drafts, Sent Items, etc.) are translated into the Webmail user's language no matter which language of MDaemon is installed (previously only the English MDaemon did this).
•There is now an option to send Two Factor Authentication verification codes to a secondary email address.
•LookOut and WorldClient themes - Changed all list category display behavior to match.
•The Allowed Senders and Blocked Senders folders now have different icons to indicate that they are special folders.
•Added a Two Factor Auth Exception IPs page in MDRA, located under the Main menu. This allows users to sign in to Remote Admin or Webmail without requiring 2FA, when connecting from one of the specified IP addresses.
•There is a new "Allow users to edit their alias display names" Webmail Settings option in MDRA. Activate this option if you wish to allow users to edit the display name of any alias associated with their account. They can do this by using the Edit Alias Display Names option, located in Webmail's Pro Theme.
•Changed autocomplete="off" to autocomplete="new-password" on password fields to stop Firefox from auto-completing passwords outside of the login page.
•Added the Notification Message Editor to the Content Filter's Notifications page.
•Added support for CSRFTokens on the Sign-in page. This is enabled when the "Use Cross-Site-Request-Forgery tokens" option is enabled on the Remote Administration Settings page in MDRA.
•Any remote or local Custom Queues you have created can be managed under the Messages and Queues section in MDRA.
•MDaemon now supports TLS 1.3 on newer versions of Windows. Windows Server 2022 and Windows 11 have TLS 1.3 enabled by default. Windows 10 versions 2004 (OS Build 19041) and newer have experimental TLS 1.3 support that can be enabled for inbound connections by setting the following in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
DisabledByDefault (DWORD) = 0
Enabled (DWORD) = 1
•MDaemon logs the cipher suite (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) used by SSL/TLS connections.
•Added a Passwords option for strong passwords to require a special character. It is enabled by default for new installs and disabled by default for existing installs.
•AV Mailbox Scanner - When an infected message is found during a mailbox scan, MDaemon's infected counter will be incremented.
•AntiVirus - Updated ClamAV to version 0.104.3.
•Improved FolderSync performance.
•The ActiveSync Connection Monitoring Dialog has a new right-click menu command to terminate a session and block a client.
•Added an option to the Client Settings dialog to allow Outlook to send mail using an alias. If Reply-To is set to a valid alias for the sending account, the message will be sent via that alias.
•Added support for EAS 16.1 Find command. Removed the protocol restriction preventing iOS from using EAS 16.1.
•Content Filter - Added support for $CONTACT...$ macros in the "Append a corporate signature" action. These macros can be used to personalize the signature with information from the sender's contact in their public contacts folder. See: Signature Macros for a full list of supported macros.
•Content Filter - Added an action to extract attachment and add attachment linking into the message.
•Summary Emails for the holding, quarantine, and bad queue may now have links to release, re-queue, or delete each message. This new "Include action link" option is enabled by default. Note: The Remote Administration URL must be set for the links to be generated.
•LetsEncrypt - Updated the script to work with PS 7.
•Added a Deferred Delivery Message Recall option to replace the 'Date:' header with the current date and time when a message is released from the Deferred Queue. It is disabled by default.
•MDaemon Connector has been updated to version 7.0.7.
•XMLAPI - Added support for forwarding scheduling.
For a comprehensive list of additions, changes and fixes included in MDaemon 22.0, see the Release Notes.
App Passwords are very strong, randomly generated passwords for use in email clients and apps. They help make your email apps more secure, since those apps can't be protected by Two-Factor Authentication (2FA). 2FA is a secure way for a user to sign in to Webmail or MDaemon Remote Administration (MDRA), but an email app can't use it, because the app must be able to access your email in the background without you having to enter a code from your authenticator app. The App Passwords feature allows you to create strong, secure passwords for use in your apps, while still keeping your account password secured by 2FA. App Passwords can only be used in email apps; they cannot be used to sign in to Webmail or MDRA. This means that even if an App Password were somehow compromised, the unauthorized user still wouldn't be able to get into your account to change your password or other settings. You, however, would still be able to sign in to your account with your account password and 2FA, to delete the compromised App Password and create a new one if needed.
App Password requirements and recommendations
•In order to create App Passwords, 2FA must be enabled for the account (although you can turn off this requirement if you choose).
•App Passwords can only be used in email apps—they cannot be used to sign in to Webmail or MDRA.
•Each App Password is displayed only once, when it is created. There is no way to retrieve it later, so users should be ready to enter it into their app when it is created.
•Users should use a different App Password for each email app, and they should revoke (delete) its password whenever they stop using an app or when a device is lost or stolen.
•Each App Password lists when it was created, when it was last used, and the IP address from which it last accessed the account's email. If a user finds something suspicious about the Last Used or Last IP data, the user should revoke that App Password and create a new one for his or her app.
•When an account password is changed, all App Passwords are automatically deleted—a user cannot continue using old App Passwords.
Requiring App Passwords for SMTP, IMAP, ActiveSync, and more
There is an account option on the Account Editor's Settings page that you can use to "Require app password to log in to SMTP, IMAP, ActiveSync, etc."
Requiring App Passwords can help protect an account's password from dictionary and brute force attacks via SMTP, IMAP, etc. This is more secure because even if an attack of this sort were to guess an account's actual password, it wouldn't work and the attacker wouldn't know, because MDaemon would only accept a correct App Password. Additionally, if your accounts in MDaemon are using Active Directory authentication and Active Directory is set to lock an account after a number of failed attempts, this option can help prevent accounts from being locked out, because MDaemon will only check the App Passwords, not try to authenticate to Active Directory.
•The Mobile theme is now called the Pro theme. It was expanded and improved to be responsive and adaptable for use on different kinds of devices and screen sizes, without sacrificing features.
•Added Cross-Site-Request-Forgery tokens for more secure transactions. The feature is disabled by default. To enable it through MDRA go to Main | Webmail Settings | Web Server and check "Use Cross-Site-Request-Forgery tokens".
•Added an option at Settings | Personalize to enable Dark mode, to display the Pro theme with a dark background.
•Added a link to "Track my package" in opened messages.
•Carrier tracking numbers being watched by default are: USPS, UPS, OnTrac, FedEx, and DHL.
•The default configuration file is at: \MDaemon\WorldClient\package_tracking.json
•Admins can add more carriers by creating the file: \MDaemon\WorldClient\package_tracking.custom.json, using the same format as the default package_tracking.json file. At least one service name, a tracking URL, and at least one valid regular expression is required. Include service names that may appear in a message to reduce the chances of false positive matches.
•Added the Message List Layout dialog to the smaller browser size. Only the Message List Density setting is displayed.
•Added a password strength meter.
•Added the image slideshow feature for the Message View.
•Added a card view for the Contacts list.
•Moved the "New item" button from the toolbar to the space above the folder list for desktop sizes.
•Added a plus icon next to "Personal" to create a new calendar in the calendar view.
•Added an event tooltip with Edit options and Send an Email to an Attendee option.
•Made the search bar always visible for browser window widths of 1200px or greater.
•Added a dialog to allow users to remove a contact from the BlackList when adding them to the WhiteList and vice-versa.
•Added an error message when there is an error creating or renaming a folder.
•Added support for HTML notes in Events, Contacts, Tasks, and Notes.
•Replaced the current HTML editor (CKEditor) with Jodit.
•Changed the basic header view to show the From email address.
•Added the Voice Recorder.
•Added an Unsubscribe link next to the From address when the List-Unsubscribe header exists in a message. This can be disabled in Webmail at Settings | Personalize.
•Added ability to import email into the current message list.
•Updated the Dropbox integration to use the refresh_token provided by Dropbox to reconnect users without interaction with the OAuth dialog. When the access_token expires, Webmail will attempt to use the refresh_token to get a new access_token. No longer necessary settings have been removed from the Cloud Apps page. The admin does NOT need to make any changes to the Dropbox app at Dropbox.com.
•Search All / Subfolders requests no longer search unsubscribed folders when unsubscribed folders are hidden.
•Added a checkbox named "Skip Search" to exclude specific folders from Search All / Subfolders requests.
•Added a setting in Remote Admin that allows the Two-Factor Authentication Remember Me checkbox to be hidden.
•Added a blur effect for the background when the user session is expired.
•Added an Automatic CC and BCC feature at Settings | Compose.
•Added an option to: WorldClient\Domains.ini [Default:Settings] PreventComposeWithAlias, to prevent composing messages with an alias. The setting is off by default.
•Lite theme - Added auto-save draft message to the Compose view.
•Added an option in the Options | Folders view to allow users to skip contact folders in auto-complete searches. Added the option in the right click menu as well.
•Added a Webmail log entry for the User-Agent when a user logs in.
•Added a notification in the Compose view if a local recipient has their autoresponder enabled.
•WorldClient theme - Added a paperclip icon to event tiles that have attachments.
•Maximum attachment size is set to 25 MB for new installs.
•Changed the "Delete All" folder action to "Empty Folder".
•WorldClient theme - Added "Change Password" and "Change Recovery Email" buttons to the Security page.
•Added the ability to drag and drop content filter rules. The copy, edit, and delete buttons are now on each respective rule.
•Added Cross-Site-Request-Forgery tokens for more secure transactions. The feature is enabled by default. To disable it go to: Main | Remote Admin Settings | Settings and uncheck "Use Cross-Site-Request-Forgery tokens".
•Added a password strength meter to some password fields.
•Added the option: "Enable Two-Factor Authentication Remember Me," to Setup | Domain Manager | Edit | Webmail Settings and Main | Webmail Settings | Settings.
•Added Blocked IPs and Refused IPs reports for Dynamic Screening.
•Added the Groups and Client Types views under ActiveSync.
•Updated the ActiveSync Diagnostics and Tuning pages.
•Added a browser usage by OS chart and table at Reports | Traffic | Webmail Login Statistics.
•Added buttons to open a Browse Users and Browse Groups pop-up, to add them to mailing lists, at: Main | Mailing Lists | Edit | New. Only Domain or Global Admins have access to the buttons.
•Added Account Only Wipe options at Main | My Account | ActiveSync Clients and at ActiveSync | Client Management.
•Change logging has been added. It will log every change that is made via Remote Administration.
•Updated Message Recall to match the MDaemon GUI.
•Added the "Extract attachments from winmail.dat" option at Security | Content Filter | Compression.
•Added Slovenian language to MDaemon Remote Administration.
•Added support for SMTP Command Pipelining (RFC 2920). MDaemon will send MAIL, RCPT, and DATA commands in batches instead of individually, which improves performance over high latency network links. SMTP pipelining is always enabled for inbound connections. It is enabled by default for outbound connections, but can be disabled at Setup | Server Settings | Servers & Delivery | Servers.
•Added support for SMTP CHUNKING (RFC 3030). CHUNKING allows non-line-oriented messages to be transferred. It is enabled by default for inbound connections, but disabled by default for outbound. Bare line feeds in received messages are converted to carriage return line feeds by default. These defaults can be changed by setting [Special] SMTPChunkingInbound=Yes/No, SMTPChunkingOutbound=Yes/No, and SMTPChunkingAllowBareLF=Yes/No in \MDaemon\App\MDaemon.ini.
•Content Filter - Updated the default restricted attachments list.
•Content Filter - Added rule action to add attachment to message.
•ActiveSync Server start/stop entries are written to MDaemon's System log.
•Clustering - Added support for synchronizing reminders from secondary nodes.
•Dynamic Screening - Added option to Log Locations using ISO-3166 Codes instead of names.
•XMLAPI - Added support for ActiveSync AlwaysSendMeetingUpdates setting.
•XMLAPI - Added support for semaphore file creation.
•XMLAPI - Added Support to report/modify settings from Setup/Server Settings/Logging.
•MDaemon Instant Messenger - Improved group chat feature by adding ability to multi-select chat buddies for group chat. Also added an option to auto-accept chat room requests.
•Location Screening has a new option to control whether or not the X-MDOrigin-Country header is added to messages. It is enabled by default.
•There is now an Accounts setting for whether to allow users to sign in using aliases, located at: Accounts | Account Settings | Aliases | Settings. It is enabled by default.
•MDaemon Connector has been updated to version 7.5.0.
•The default delivery confirmation message text (in \MDaemon\App\Receipt.dat) has been changed to use the $HEADER:X-RCPT-TO$ macro instead of $RECIPIENT$ to avoid disclosing the actual email address an alias resolves to.
For a comprehensive list of additions, changes and fixes included in MDaemon 21.5, see the Release Notes.
MDaemon's XMPP server now supports persistent chat rooms, which do not need to be recreated every time all users leave the room. Configure them at: Setup | Web & IM Services | XMPP.
When on the Quarantine, Bad, or Spam Trap queue screens in the MDaemon GUI, a right-click popup menu option was added to report messages to MDaemon.com as false positives or false negatives. Similar options have also been added to MDaemon Remote Administration. The messages will be analyzed and passed along to third-party vendors for corrective action.
A GUI has been created to assist in running ASMC (ASMCUI.exe in MDaemon's \app\ folder). It allows you to store your options and recall them at a later time. ASMC supports migrating mail, calendars, tasks, notes, and contacts from ActiveSync servers that support protocol version 14.1. Documentation for it can be found in MDaemon's Docs folder, at: \MDaemon\Docs\ActiveSync Migration Client.html.
Greatly expanded and improved the Mobile Theme for Webmail users. See RelNotes.html located in MDaemon's \Docs\ folder for a complete list of the many features that have been added.
A significant number of improvements have been made to MDaemon's Cluster Service:
•Added a Multi-Node Mail Routing option, where mail queues are shared between the cluster nodes. Having multiple machines process and deliver the messages allows them to split the work more evenly and prevents messages from being stuck in the queues of any machines that are down.
•SSL certificates are now replicated from the primary to secondary nodes.
•Queues on secondary nodes are frozen during the initial data replication, which improves responsiveness during startup.
•Replication is paused as soon as MDaemon shutdown starts, eliminating clustering-related shutdown delays.
•Cluster nodes may be added using IP address or DNS name.
•The shared network paths can now be managed more easily from the new Shared Network Paths screen.
•Logging and diagnostics tools are provided on the new Diagnostics screen.
Dozens of options have been added to MDaemon's Remote Administration interface. For a complete list of these options and other changes to MDRA, see RelNotes.html located in MDaemon's \Docs\ folder.
Added ability to search for restricted files inside 7-Zip compressed files.
Autoresponders now support Unicode (UTF-8), allowing the text to be in any language.
IMAP filtering rules can now search the message body for particular text.
•You can now attach an event to a new email by right-clicking the event and choosing the "Send" option in the LookOut and WorldClient themes, and from the event preview in Mobile theme.
•All New Account Creation features have been removed.
•When you publish a calendar (share a Public Access link to it), new options allow you to set its default calendar view (e.g. month/week/day) and publish a Free/Busy calendar link.
•Added an option to skip the IP persistence check on a per user basis. In MDRA edit a user account, go to Web Services and check "Skip IP persistence check for Webmail sessions".
•Added ability to search the CC field in advanced search.
•Added Maximum Messages sent per day to the displayed quotas.
•Setup | Mobile Device Management has been removed and replaced by the ActiveSync Management dialog at Setup | ActiveSync.
•The ActiveSync Client Settings screen has been removed. Customize client settings on the Tuning, Domains, Groups, Accounts, and Clients screens.
•The ActiveSync Client Type screen has menu commands to whitelist and blacklist client types.
•Added screens at Setup | Message Indexing for the configuration of real-time and nightly maintenance of the search indexes used by Webmail, ActiveSync, and Remote Administration.
•Several plugins now share a common Diagnostics configuration screen.
•The MDRA and Webmail browser-based help systems have been updated with a new responsive theme, to make them more useable across different types of devices.
•The appearance of the XML API documentation portal can be customized globally and by domain. See the "Changes and development notes" in the help portal (i.e. http[s]://ServerName[:MDRAPort]/MdMgmtWS) or view the file \MDaemon\Docs\API\XML API\Help_Readme.xml on disk using Internet Explorer for more information. A sample company.mail directory is provided at \MDaemon\Docs\API\XML API\Samples\Branding.
•Added Alias operation to simplify Alias management, resolve and report aliases.
•Added FolderOperation Search action to search messages.
•Added support for the Cluster Service to QueryServiceState and ControlServiceState.
•When a message is sent between local accounts, both "in" and "out" archive copies will be created if both "Archive inbound mail" and "Archive outbound mail" are enabled.
•The option to archive spam messages, which was removed in version 20.0, is back.
•Spam messages released from the Spam Trap are archived.
•MDaemon Connector has been updated to version 7.0.0.
•Spam Filter: updated to SpamAssassin 3.4.4 and removed deprecated settings in local.cf.
•AntiVirus: ClamAV updated to version 0.103.0, and Cyren AV engine updated to version 6.3.0.2.
•XMPP Server: Updated database backend to version SQLite 3.33.0.
For a comprehensive list of additions, changes and fixes included in MDaemon 21.0, see the Release Notes.
MDaemon's new Cluster Service is designed to share your configuration between two or more MDaemon servers on your network. This makes it possible for you to use load balancing hardware or software to distribute your email load across multiple MDaemon servers, which can improve speed and efficiency by reducing network congestion and overload and by maximizing your email resources. It also helps to ensure redundancy in your email systems should one of your servers suffer a hardware or software failure. See: Cluster Service, for more information on setting up an MDaemon server cluster on your network.
The RequireTLS effort in IETF is finally finished, and support for this has been implemented. RequireTLS allows you to flag messages that must be sent using TLS. If TLS is not possible (or if the parameters of the TLS certificate exchange are unacceptable) messages will be bounced rather than delivered insecurely. RequireTLS is enabled by default, but the only messages that will be subject to the RequireTLS process are messages specifically flagged by a Content Filter rule using the new Content Filter action, "Flag message for REQUIRETLS...", or messages sent to <local-part>+requiretls@domain.tld (for example, arvel+requiretls@mdaemon.com). All other messages are treated as if the service is disabled. Additionally, several requirements must be met in order for a message to be sent using RequireTLS. If any of them fail, the message will bounce back rather than be sent in the clear. For more information about these requirements and how to set up RequireTLS, see: SMTP Extensions. For a complete description of RequireTLS, see: RFC 8689: SMTP Require TLS Option.
SMTP MTA-STS (RFC 8461) - Strict Transport Security
The MTA-STS effort in the IETF has finished, and support for this has been implemented. SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate. MTA-STS support is enabled by default. See: SMTP Extensions for more information on setting this up. MTA-STS is fully described in RFC 8461: SMTP MTA Strict Transport Security (MTA-STS).
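The policy check that a sending server performs under MTA-STS, as an added example (not MDaemon's code and not part of the original page): it parses a policy in the RFC 8461 format and decides whether delivery to a given MX host is allowed. The sample policy, the host names, the `tls_ok` flag and the returned labels are constructed for illustration.

```python
from dataclasses import dataclass

MAX_AGE_LIMIT = 31557600  # largest max_age RFC 8461 allows (seconds)

# Constructed sample policy, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.example.net\r\n"
    "max_age: 604800\r\n"
)


class PolicyError(ValueError):
    """The policy text is not a usable MTA-STS policy."""


@dataclass
class StsPolicy:
    mode: str      # "enforce", "testing" or "none"
    max_age: int   # policy lifetime in seconds
    mx: list       # allowed MX patterns, lower-cased


def parse_policy(text):
    """Parse and validate the key/value lines of an MTA-STS policy file."""
    fields, mx = {}, []
    for raw in text.splitlines():          # handles CRLF and bare LF
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise PolicyError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key not in fields:            # only the first copy of a field counts
            fields[key] = value            # unknown fields are kept but ignored
    if fields.get("version") != "STSv1":
        raise PolicyError("version must be STSv1")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise PolicyError(f"unknown mode: {mode!r}")
    max_age = fields.get("max_age", "")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise PolicyError("max_age must be an integer from 0 to 31557600")
    if mode != "none" and not mx:
        raise PolicyError("at least one mx pattern is required")
    return StsPolicy(mode, int(max_age), mx)


def mx_matches(pattern, host):
    """True if host matches one policy mx pattern.

    A leading "*." stands for exactly one left-most label, so
    "*.example.net" matches "mx1.example.net" but neither
    "example.net" nor "a.b.example.net".
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return bool(parent) and parent == pattern[2:]
    return host == pattern


def delivery_decision(policy, mx_host, tls_ok):
    """Decide what a sender honoring the policy does with one MX host.

    tls_ok (assumed input) means: the host offered STARTTLS and presented
    a certificate that validates for mx_host.
    """
    if policy.mode == "none":
        return "deliver"
    listed = any(mx_matches(p, mx_host) for p in policy.mx)
    if listed and tls_ok:
        return "deliver"
    # enforce: never fall back to an unlisted or unauthenticated host.
    # testing: deliver anyway; the failure is what TLS Reporting reports.
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"
```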
TLS Reporting allows domains using MTA-STS to be notified about any failures to retrieve the MTA-STS policy or negotiate a secure channel using STARTTLS. When enabled, MDaemon will send a report daily to each STS-enabled domain that it has sent (or attempted to send) mail to that day. There are several options provided for configuring the information that your reports will contain. TLS Reporting is disabled by default and discussed in RFC 8460: SMTP TLS Reporting.
MDPGP now supports encrypting messages between domains using a single encryption key for all users. For example, suppose 'Domain-a' and 'Domain-b' wish to encrypt all emails sent between them but do not wish to set up and police individual encryption keys for every user account within the domain. This can now be done as follows:
'Domain-a' and 'Domain-b' each provide the other with a public encryption key via any method they like. For example, they can email the keys to one another by right-clicking on an existing public key in the MDPGP UI and selecting 'Export & Email Key.' If they wish to create new keys dedicated for this purpose they can click the 'Create keys for a specific user' button and choose the '_Domain Key (domain.tld)_ <anybody@domain.tld>' item which has been put there for this purpose (although any key will work). Once each side has received the other's key they click the 'Import Domain's Key' button on the MDPGP UI and enter the domain name to which all emails will be encrypted using the provided key. The system does not create a key in the dropdown list for every one of your domains. You can use the key that is provided for all your domains or you can create domain specific keys yourself if you wish.
If either side already has a public key they wish to use and it is already on the key-ring they can right-click on the key in the MDPGP UI and select 'Set as a Domain's Key'. However, do not use a key for which you also have the corresponding private key. If you do, MDPGP will encrypt a message and then immediately see that the decryption key is known and promptly decrypt that very same message.
At this point MDPGP creates a Content Filter rule called 'Encrypt all mail to <domain>' which will invoke the encryption operation on every email sent to that domain. Using the Content Filter means that you can control this process by enabling or disabling the Content Filter rule. You can also tweak the rule to fine-tune the criteria you wish to employ before messages are encrypted (for example, maybe you want to do this same thing but for two domains or for only certain recipients within the domain). The Content Filter provides the flexibility to achieve this.
MDPGP has a new checkbox and setup button where you can map IP addresses to specific encryption keys. Any outbound SMTP session delivering a message to one of these IPs will first encrypt the message using the associated key just prior to transmission. If the message is already encrypted by some other key, no work is done. This is useful (for example) in situations where you want to make sure all messages sent to certain key partners, suppliers, affiliates, etc. are always encrypted.
The Mailing List Editor » Routing screen has some new options which will allow for macros to be used within the message body of list posts. This will allow you (for example) to personalize each list message. Macros have been supported for a long time in list mail header and footer files, but they have never been supported in the message body. Since the macros are related to individual list members, this option is only compatible with lists that are configured to "Deliver list mail to each member individually." Additionally, for security purposes you can set this option to require that the list's password be provided in order to use macros in the message body. If you choose not to require a password, then any list member who is allowed to post to the list will be allowed to use them. See the Mailing List Routing screen for more information, and for the list of macros that can be used.
Hijack Detection has some new options to help prevent accounts from being used to blast out spam due to their passwords being stolen. One common characteristic of spam email is that the messages are often sent to a large number of invalid recipients, due to the spammer attempting to send them to old email addresses or otherwise guess new ones. Therefore if an MDaemon account begins sending messages to a notable number of invalid recipients in a short amount of time, that is a good indication that the account has been hijacked and is being used to send spam. To prevent this, MDaemon can now track the number of times that an authenticated user tries to send an email to an invalid recipient. If this happens too many times within too short of a time frame, you can have MDaemon freeze the account (the postmaster will get an email about this and they can respond to re-enable the account). This can help to stop a hijacked account automatically, before it does too much damage. Note: As part of this work, the From Header Modification options were moved to their own From Header Screening page, to make room for the new Hijack Detection options.
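One way to implement the count described above, as an added example (not MDaemon's code): a sliding window of rejected recipients per authenticated account, replayed over a few events. The event line format, the use of reply code 550 to mean "invalid recipient", the thresholds (5 invalid recipients within 300 seconds) and all names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, NOT MDaemon's log format:
# "<ISO time> <authenticated account> <RCPT address> <SMTP reply code>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 frank@example.com alice@example.net 250
2024-05-01T09:05:00 frank@example.com alcie@example.net 550
2024-05-01T09:40:00 frank@example.com bob@example.org 250
2024-05-01T10:30:00 frank@example.com bbo@example.org 550
2024-05-01T11:00:00 sales@example.com a1@example.net 550
2024-05-01T11:00:02 sales@example.com a2@example.net 550
2024-05-01T11:00:03 sales@example.com info@example.org 250
2024-05-01T11:00:05 sales@example.com a3@example.net 550
2024-05-01T11:00:09 sales@example.com a4@example.net 550
2024-05-01T11:00:12 sales@example.com a5@example.net 550
2024-05-01T11:00:15 sales@example.com a6@example.net 550
"""


class InvalidRecipientTracker:
    """Counts invalid recipients per account inside a sliding time window."""

    def __init__(self, limit=5, window_seconds=300):
        self.limit = limit                 # invalid recipients tolerated
        self.window = window_seconds       # ...within this many seconds
        self._hits = defaultdict(deque)    # account -> timestamps of rejections
        self.frozen = set()

    def record(self, ts, account, rcpt_valid):
        """Feed one RCPT result; return True if it freezes the account."""
        if rcpt_valid or account in self.frozen:
            return False
        hits = self._hits[account]
        hits.append(ts)
        # Forget rejections that have slid out of the window, so an
        # occasional typo spread over a day never adds up to a freeze.
        while ts - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            self.frozen.add(account)       # here a server would also notify
            return True                    # the postmaster
        return False


def replay(log_text, limit=5, window_seconds=300):
    """Run the tracker over event lines; return {account: freeze time}."""
    tracker = InvalidRecipientTracker(limit, window_seconds)
    frozen_at = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, account, _rcpt, code = line.split()
        when = datetime.fromisoformat(stamp)
        seconds = (when - datetime(1970, 1, 1)).total_seconds()
        # Assumption: 550 on RCPT TO means the recipient does not exist.
        if tracker.record(seconds, account, rcpt_valid=(code != "550")):
            frozen_at[account] = when
    return frozen_at


if __name__ == "__main__":
    for account, when in replay(SAMPLE_EVENTS).items():
        print(f"freeze {account} at {when.isoformat()}")
```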
To help improve the efficiency of the Message Recall system and Deferred-Delivery header support, MDaemon now has a dedicated queue for deferred messages. Previously, the Inbound queue could become clogged with deferred messages, which could slow down the delivery of non-deferred mail. The new Deferred queue helps to solve that problem. Messages in the Deferred queue are placed there by the system and have the date they are set to leave the queue encoded into the file name. MDaemon checks the queue once per minute, and when it's time for messages to leave the queue they are moved to the Inbound queue and subject to normal message processing/delivery.
Additionally, MDaemon now tracks the Message-IDs of the most recent email sent by each authenticated local user, which means users can now recall the last message they sent (but only the last message they sent) simply by putting RECALL (alone by itself) as the Subject in a message sent to the mdaemon@ system account. There is no need to find and paste the Message-ID of the message you want to recall when it was the last message sent. Recalling any other message still requires that the Message-ID be included in the Subject text or that the original message from the user's SENT folder be attached to the recall request.
In addition to remembering the most recent email sent by each authenticated user, MDaemon also remembers the locations and Message-IDs of the last 1000 emails sent by all authenticated users. Consequently, this makes it possible to recall messages right out of user mailboxes even after they've been delivered. So, messages will disappear from user mail clients and phones if they are recalled. Note: this is of course only possible for messages sent to other local users; once MDaemon has delivered a message to some other server it is no longer under MDaemon's control and therefore cannot be recalled.
There is a new Authentication Failures log file that contains a single line with details for every SMTP, IMAP, and POP logon attempt that fails. The information includes the Protocol used, the SessionID so you can search other logs, the IP of the offender, the raw Logon value they tried to use (sometimes this is an alias), and the Account that matches the logon (or 'none' if no account matches).
There are several forwarding options in MDaemon where you can now add authentication credentials. This means that several files in the \APP\ folder (e.g. forward.dat, gateways.dat, MDaemon.ini, and all Mailing List .grp files) now have the potential to contain obfuscated logon and password data in a weakly encrypted state. As always, you should therefore use the operating system tools at your command, as well as any other measures you choose, to secure the MDaemon machine and directory structure from unauthorized access. Authentication credential options were added to: Unknown Mail, Mailing List Routing, Gateway Editor » Forwarding, Gateway Editor » Dequeuing, and Account Editor » Forwarding.
Host Authentication is a new screen where you can configure port, logon, and password values for any host. When MDaemon sends SMTP mail to that host the associated credentials found here will be used. Please note that these credentials are a fallback and are only used when other more task-specific credentials are unavailable. For example, if you configure an Auth logon/password using the new Account Editor » Forwarding or Gateway Manager » Dequeuing options, then those credentials are used and they supersede what is configured here. This feature works with host names only (not IP addresses).
You can now specify a host, logon, password, SMTP return-path, and port for any remote queue. If provided, all messages in the queue are delivered using these new settings. However, by design it still remains possible for individual messages within the queue to have their own unique delivery data, which will take priority over these new settings. Additionally, you can now set up as many remote queues as you want, filter mail into them using the Content Filter based on whatever criteria you choose, give each queue its own delivery schedule, and have completely different routing take place based on your wishes.
For some time Domain Sharing has performed lookups on SMTP MAIL sender values as needed. However, messages were often refused with 'Authentication Required' and yet there is no way authentication can be performed when the sender account resides on a different server. This has been addressed and MDaemon can accept mail without requiring authentication from accounts that are found to exist on other servers. This can be disabled with a new Security Manager option at: Sender Authentication » SMTP Authentication. If you would rather not perform Domain Sharing lookups on the SMTP MAIL sender at all you can completely disable that with a Domain Sharing option.
Domain Sharing also has a new option that enables sharing of mailing lists. When a message arrives for a mailing list a copy is created for each Domain Sharing host that also keeps a version of that list (a query is made to check). When these hosts receive their copies they will make delivery to all the members of that list which they serve. In this way mailing lists can be split across multiple servers with no loss in functionality. For this to work each Domain Sharing host must include the other hosts' IP addresses in their Trusted IPs configuration.
Finally, Domain Sharing has an Advanced button that opens a file where you can configure domain names that are allowed to use Domain Sharing. When nothing is in this file (the default condition) then all your domains can use Domain Sharing. See the instructions at the top of the file for more information.
Preferences » Miscellaneous has a new option that allows administrators to prevent account mail forwarding from sending emails outside the domain. If a user configures mail forwarding for their account to send to a foreign domain the message will be moved to the Bad Message queue. This setting only applies to messages that are forwarded using the mail forwarding options for the account.
Account Editor » Forwarding has a new Schedule button that will let accounts configure a schedule for when forwarding starts and stops. This is also included on the corresponding Account Templates screen. These settings configure the date and time forwarding starts and the date and time that it stops, but forwarding will only happen on the days of the week you select.
The Forwarding Address field in the New Accounts Template now works with account macros. The only macros with data at the point of new account creation however are those related to the account user's full name, domain, mailbox, and password values. So (for example) if you want every new account to forward to the same email address but at a different domain you can put this in the Forwarding Address field: $MAILBOX$@example.com. Macros also work in the Send As, AUTH Logon, and AUTH Password fields.
Forwarding a message now updates the forwarding account's last access time. This means that accounts which do nothing else but forward mail are no longer potentially deleted for inactivity. Note: The forwarding must actually occur and not be defeated by other configuration options such as restrictions on where the forwarder can send mail or being 'off-schedule'. Just having a forwarding address configured will not automatically flag the account as active.
Sender Authentication » SMTP Authentication has two new options. First, the "Do not allow authentication on the SMTP port" option will completely disable AUTH support over the SMTP port. AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. The other option is to "...add their IP to the Dynamic Screen if they attempt it anyway." This option will add to the Dynamic Screen the IP address of any client that attempts to authenticate when AUTH is disabled. The connection will also be immediately terminated. These settings are useful in configurations where all legitimate accounts are using the MSA (or other) port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.
The Account Manager's filtering options have been expanded. You can now also choose to display accounts based on whether or not they are Enabled, are using MultiPOP, are near quota (70%), are near quota (90%), or are not forwarding. You can also search the account description field for any text you want and select accounts based on that. Further, the shortcut/right-click menu has new options to add all the selected accounts to, or remove them from, mailing lists and groups. It also has an option to Copy an existing account in order to create a new one. All settings of the existing account are copied to the new account except Full Name, Mailbox, Password, and Mail Folder. Finally, the Account Editor's IMAP Filters screen has a new button called Publish for adding a new rule to the account being edited and to every other account in that account's domain. This can save some time when a new rule is needed for everyone.
The Domain Manager's Host Name & IP screen has a new setting that lets you enable "Do Not Disturb" for a domain. When active, the domain will refuse all connections from all users for all services, but it will still accept incoming messages from the outside world. Further, you can schedule when 'Do Not Disturb' starts and stops. For example, if you configure May 1, 2020 to June 30, 2020 from 5:00pm to 7:00am, Monday thru Friday, then that means no mail services will be available for that domain's users on those days of the week beginning at 5:00pm and resuming at 7:01am, so long as the current date falls between May 1 and June 30, 2020. Erasing the scheduled start date deactivates the schedule and has the effect of putting the domain on 'Do Not Disturb' forever.
MDaemon's simple message archiving system has been changed to be more efficient and consistent. Archiving now works as follows: When a message is delivered from the Local Queue(s) to a user's mail folder an archive copy will be created at that time (in the 'IN' folder of the recipient, if so configured). When a message is picked up from the Remote Queue(s) for SMTP delivery (whether delivery succeeds or not) an archive copy will be created at that time (in the 'OUT' folder of the sender, if so configured). You will see lines like "ARCHIVE message: pgp5001000000172.msg" in the Routing log or you might see lines like "* Archived: (archives)\company.test\in\frank@company.test\arc5001000000023.msg" in the Routing log when Local and Remote mail is processed. Further, a 'ToArchive' queue now exists as a system queue (not exposed in the UI). This queue is checked at regular intervals for messages which have been dropped there (manually, or by a plugin, or otherwise). When messages are found there they are immediately archived and deleted. If messages are found which are not eligible for archiving then they are simply deleted. The name of the queue is \MDaemon\Queues\ToArchive\. The Routing screen/log will show details whenever a message is successfully archived. Also, archiving of encrypted messages is now handled more consistently. By default unencrypted copies of encrypted messages are stored in the archive. If a message can't be decrypted, the encrypted form will be stored instead. If you would rather have encrypted versions stored, then there is an option to allow you to do so. Additionally, there is now an option to archive messages sent to public folder submission addresses, which is enabled by default. Finally, the following types of messages are never archived: Mailing List traffic, Spam (the option to do so has been deprecated and removed), messages with viruses, system-level messages, and autoresponders.
MDaemon no longer creates empty log files. When items are disabled on the Settings screen their associated log file will not be created at startup. Log files that may already exist when an item is disabled are left in place (not removed). If a log file is missing when an item is enabled then the required log file will be created instantly. This change applies to all log files that the core MDaemon engine manages. Log files for Dynamic Screening, Instant Messaging, XMPP, WDaemon, and WebMail run external to MDaemon and therefore haven't changed. Several other logging-related changes include: making ATRN session logs look correct, making all logs consistent in colors and how they log Session and Child IDs, and the MultiPOP server no longer tears-up and tears-down sessions for accounts that are already over quota and therefore there is no longer wasteful logging in these cases. Finally, the Router log was only logging INBOUND and LOCAL queue message parsing. It now also logs REMOTE queue parsing when delivery attempts are made. This way you don't have to search the Router log and the SMTP(out) logs to see when a message was processed.
You can now configure MDaemon's Active Directory integration feature to create an MDaemon account when you add someone to an Active Directory group, and when you remove someone from an Active Directory group their corresponding MDaemon account will be disabled (but not deleted). To utilize this functionality, you must use an alternative Active Directory search filter. See: Active Directory » Authentication, for more information.
On Active Directory's Authentication screen there is now a separate "Contact search filter" option for contact searches. Previously, contact searching was done using the user search filter. There's also a separate test button for the contact search filter. Active Directory searches have been optimized so that when the search filters are identical a single query updates all data. When they are different two separate queries are necessary.
The following fields have been added to the ActiveDS.dat file templates, so that they are included in contact records when Active Directory monitoring creates or updates address books: abTitle=%personalTitle%, abMiddleName=%middleName%, abSuffix=%generationQualifier%, abBusPager=%pager%, abBusIPPhone=%ipPhone%, and abBusFax=%FacsimileTelephoneNumber%.
Public folder contacts are now deleted by default when the associated account is deleted from Active Directory. However, the contact is only deleted if it was created by the Active Directory integration feature. The setting to control this is located on the Active Directory Monitoring screen.
When the Active Directory monitoring system creates or updates an account and finds a mailbox value that is too long to fit in MDaemon's limited space for the mailbox value, it will truncate the mailbox value as before but now it will also create an alias using the full size mailbox value. Also, when an account or alias is created, the notes section of the account's Administrative Roles screen is updated for auditing purposes.
The Mailing List Manager's Active Directory screen now allows you to enter an Active Directory attribute for the full name field of list members.
Changes to account properties in Active Directory can trigger the recreation of an MDaemon account, even when the account was previously deleted within MDaemon. To keep accounts from being recreated in this way, a new option was added to Active Directory Monitoring. By default, accounts will not be recreated when they were manually deleted within MDaemon.
The "From Header Modification" options were moved from the Hijack Detection screen to their own From Header Screening screen, and new options were added. From Header Screening can now check "From:" header display-names for anything that looks like an email address. If one is found and it does not match the actual sending email address then the displayed address can be replaced with the actual email address. For example, if you are using this feature and the "From:" header looks like this: "From: 'Frank Thomas <friend@friend.test>' <enemy@enemy.test>" then it would be changed to: "From: 'Frank Thomas <enemy@enemy.test>' <enemy@enemy.test>".
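The display-name check described above can be reproduced in a few lines. This is an added example, not MDaemon's implementation: the function name and regular expressions are assumptions, and the sample headers other than the one quoted above are constructed.

```python
import re

# The mailbox actually used is the last <...> in the header value; whatever
# precedes it is free-form display text chosen by the sender.
FROM_RE = re.compile(r"^(?P<display>.*)<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$", re.S)
# Anything in the display text that looks like an email address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def screen_from(value):
    """Return (screened_value, mismatches) for one From: header value."""
    m = FROM_RE.match(value.strip())
    if not m:
        return value, []              # bare address: no display name to screen
    display, actual = m.group("display"), m.group("addr")
    mismatches = []

    def replace(found):
        shown = found.group(0)
        if shown.lower() == actual.lower():   # compared case-insensitively
            return shown
        mismatches.append(shown)              # keep the original for logging
        return actual

    return EMAIL_RE.sub(replace, display) + "<" + actual + ">", mismatches


# First value is the example from the text; the rest are constructed.
SAMPLES = [
    "'Frank Thomas <friend@friend.test>' <enemy@enemy.test>",
    '"Frank Thomas" <frank@company.test>',
    '"Bill <Bill@Company.Test>" <bill@company.test>',
    "enemy@enemy.test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(screen_from(sample))
```

Display names that arrive as RFC 2047 encoded-words would need to be decoded before this comparison, since the address-like text is not visible in the raw header value.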
MDaemon can now check a user's password against a compromised password list from a third-party service. It is able to do this without transmitting the password to the service, and if a user's password is present on the list it does not mean the account has been hacked. It means that someone somewhere has used the same characters as their password and it has appeared in a data breach. Published passwords may be used by hackers in dictionary attacks, but unique passwords that have never been used anywhere else are more secure. See Pwned Passwords for more information.
On the Security Settings' Passwords screen, MDaemon now has an option to prevent an account's password from being set to one that is found in the compromised passwords list. It can also check a user's password every certain number of days when they log in, and if it is found, send a warning email to the user and postmaster. The warning emails can be customized by editing message template files in the \MDaemon\App folder. Since instructions for how a user should change their password may depend on whether the account is using a password stored in MDaemon or using Active Directory authentication, there are two template files, CompromisedPasswordMD.dat and CompromisedPasswordAD.dat. Macros can be used to personalize the message, change the subject, change the recipients, etc.
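The text does not say how MDaemon avoids transmitting the password. The Pwned Passwords service itself offers a range query in which only the first five hex characters of the password's SHA-1 hash are sent and the match is made locally. The added example below (not MDaemon's code) shows that exchange together with the "refuse a listed password" policy; the stand-in service, its password list and counts are constructed so the block runs offline.

```python
import hashlib
import urllib.request


def split_hash(password):
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_http(prefix):
    """Live lookup against the public Pwned Passwords range endpoint."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        # Add-Padding asks for filler rows (count 0) so response size leaks less.
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range):
    """How many times the password appears in the list (0 = not listed)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():   # only the prefix is sent
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_allowed(password, fetch_range):
    """Policy from the text: refuse a new password that is on the list."""
    return breach_count(password, fetch_range) == 0


def make_fake_service(breached):
    """Constructed offline stand-in; records every value it is sent."""
    table, seen = {}, []
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(suffix + ":" + str(count))

    def fetch(prefix):
        seen.append(prefix)
        return "\r\n".join(table.get(prefix, []))

    return fetch, seen


if __name__ == "__main__":
    fetch, seen = make_fake_service({"password": 1000, "letmein": 50})
    print(password_allowed("password", fetch), seen)
```

Passing `fetch_range_http` instead of the stand-in performs the same check against the live service; either way the service sees only the five-character prefix, which is shared by many unrelated hashes.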
With over 250 new features and improvements included in MDaemon 20, there are many not listed in this section. For a comprehensive list of additions, changes and fixes included in MDaemon 20.0, see the Release Notes.
See: