Hello,
MDaemon version 14.5 was released this morning.

MDaemon 14.5.0 - October 21, 2014
ftp://ftp.dutaint.com/altn-mdaemon/md1450_en.exe
http://www.altn.com/Downloads/MDaemon-Mail-Server-Free-Trial/

SPECIAL CONSIDERATIONS

[13265] The two options to hide local IP addresses and local LAN IP addresses when processing message headers have been deprecated and removed from Ctrl+O | Preferences | Headers. They have now been replaced by a single option which hides reserved IP addresses. That was always the intent of the older two options anyway. This new option is enabled by default and prevents use of reserved IPs from appearing in certain MDaemon created message headers. Reserved IPs are as defined by various RFCs and include: (a) 127.0.0.* (b) 192.168.*.* (c) 10.*.*.* and (d) 172.16.0.0/12. If you want or need to do the same for your domain IPs (including LAN domains) then you can set this switch in MDaemon.ini manually: [Special] HideMyIPs=Yes (default is No).

[13332] The option "POP3, IMAP, and WorldClient passwords are case sensitive" has been deprecated and removed from Ctrl+O | Preferences | Miscellaneous. Passwords are now always case-sensitive. Allowing otherwise breaks security best practices and is incompatible with hash-based authentication mechanisms (APOP, CRAM-MD5) and secure (hash-based) password storage. As a result of this some of your users may need to update their password in their mail client.

[13786] The SPF cache file now caches a domain's actual SPF policy record taken from DNS rather than the final result of SPF processing. Your old SPFCache.dat file can not be migrated and so was renamed SPFCache.dat.old in case there are settings in there you need to refer to. You can delete SPFCache.dat.old at any time.

[13121] DomainKeys has been deprecated (see below). As a result the content filter action to sign messages with DomainKeys will be ignored.
If you were using this action in any of your rules you may want to either change them to sign with DKIM instead or delete them if they are no longer needed.

The full text is in the attachment.

MAJOR NEW FEATURES
[11196] DMARC (Requires MDaemon PRO)
[9843] NEW LOOK FOR MDAEMON REMOTE ADMINISTRATION
[10279] ACTIVESYNC SERVER NOW SUPPORTS SERVER-SIDE MAIL SEARCHING (Requires MDaemon PRO and active ActiveSync Software License Renewal Coverage)
[13231] IMPROVED MAILING LIST ENGINE
[13263] IMPROVED SMTP SERVER
[13312] IMPROVED SENDER AUTHENTICATION

-- 
syafril
-------
Syafril Hermansyah
MDaemon-L Moderators, running MDaemon 14.5.0-64 bit, SP 4.5.0-64
Please do not cc: or send private mail about MDaemon issues.

There are three kinds of men. The ones that learn by readin'. The few who learn by observation. The rest of them have to pee on the electric fence for themselves. --- Will Rogers

--[MDaemon-L]------------------------------------------------
This mailing list is for discussion among MDaemon Mail Server users.
Netiquette: http://www.netmeister.org/news/learn2quote
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Unsubscribe: send mail to MDaemon-L-unsubscribe [at] dutaint.com
Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
Latest versions: MD 14.5, SP 4.5, BES 2.0.2, OC 3.0, SG 3.0.2
MDaemon Server v14 Release Notes
MDaemon 14.5.0 - October 21, 2014
MAJOR NEW FEATURES

[11196] DMARC (Requires MDaemon PRO)

Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been added. DMARC defines a scalable mechanism by which a mail sending organization can express, using the Domain Name System, domain level policies and preferences for message validation, disposition, and reporting, and a mail receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works can be found here: http://www.dmarc.org/.

DMARC allows domain owners to express their wishes concerning the handling of messages purporting to be from their domain(s) but which were not sent by them. Possible message handling policy options are "none", in which case MDaemon takes no action; "reject", in which case MDaemon refuses to accept the message during the SMTP session itself; and "quarantine", in which case MDaemon places the following header into each message for easy filtering into your users' Junk E-mail folder: "X-MDDMARC-Fail-policy: quarantine". This header is only added when the result of the DMARC check is "fail" and the resulting DMARC policy is something other than "none".

It is possible to configure MDaemon to accept messages even though DMARC requests that they be rejected. In fact, this is the default operational mode. In these cases MDaemon will place an "X-MDDMARC-Fail-policy: reject" header into the message in case you want to filter more seriously on that.

DMARC supersedes ADSP and the message disposition features of SPF. However, you can still use all of them together with DMARC. ADSP and SPF message rejection now takes place after DMARC processing if DMARC verification is enabled.

DMARC depends in part upon the use of a "Public Suffix List". A "Public Suffix" is one under which Internet users can directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us.
A "Public Suffix List" is a list of all known public suffixes. MDaemon uses the one maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/. A copy of this list is installed into your \App\ folder as effective_tld_names.dat. There is currently no comprehensive or single authoritative source for such a list, which is an issue the Internet community should address. Over time this file will grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat and saving it to your \App\ folder. MDaemon will periodically and automatically download and install this file as part of the daily maintenance event, approximately once every two weeks. Various controls to govern this can be found on the new DMARC configuration screens. The DMARC log and the new DMARC window within the Security tab inside the main UI will contain the results of the update and all other DMARC processing operations. You can set a different file download URL if needed, but the data downloaded must conform to the format specified by Mozilla for their file. You can read about this at the URL mentioned above. MDaemon strictly follows the parsing algorithm specified by Mozilla. Create a (possibly empty) file called "PUBLICSUFFIX.SEM" and place it in MDaemon's \App\ folder if you replace or edit the effective_tld_names.dat file yourself and need MDaemon to reload it without a reboot.

To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's DNS setup. Information on how this record is defined and structured can be found at http://www.dmarc.org. When you publish a DMARC record to your DNS you may begin receiving DMARC reports from many different sources via email. These reports are provided as a compressed XML file whose format is governed by the DMARC specification. Consuming these reports is outside the scope of MDaemon's DMARC implementation.
However, the data within these reports can provide important insight into a domain's mail flow, improper domain use, DKIM signing integrity, and SPF message path accuracy/completeness. The addresses to which these reports are sent are configured by you when you create your DMARC record.

When setting up a DMARC record for one or more of your domains take care with use of p=reject. Take particular care if your domain provides email accounts for general use by human users. If such users have signed up for any mailing lists, make use of a mail forwarding service, or expect to use common things like "share this article with a friend", you should know now that a DMARC p=reject policy could make those things entirely impossible, and if so you'll hear about it. DMARC p=reject is perfectly appropriate and useful, but only when it is applied to domains that control how their email accounts are used (for example, transactional mail, automated (i.e. non-human) accounts, or to enforce corporate policies against use of the account outside organizational boundaries).

DMARC p=reject is especially bad for mailing lists, and if careful steps are not taken this can result in list members being automatically removed from your mailing lists. To mitigate this, the following steps should be taken:

(I) For mail receivers: (a) do not allow anyone to post to any of your mailing lists if they are from a domain that publishes a restrictive DMARC policy (i.e. any policy other than "none"), or (b) failing that, configure all your lists to alter the From: header within messages from such posters. MDaemon 14.5 has new configuration options within the Mailing List Editor that can do all that work for you. If you don't want to do either of those things then at least make sure you disable the mailing list feature that automatically removes members who refuse to accept mailing list traffic.
Otherwise, a message sent through your list by (for example) u...@yahoo.com will result in the instant removal of every aol.com list member along with any and all other list members whose mail systems are DMARC compliant. MDaemon 14.5 automatically configures all your lists to be DMARC safe, so that none of your list members will be removed, by enabling the From: header mitigation described above for all your lists.

(II) For mail senders: by all means publish a DMARC record for your domains and specify an email address to receive reports, but take care not to use p=reject unless you are sure it's appropriate (which it very well may be).

In order to support DMARC aggregate reporting MDaemon will store data which it will need later in order to generate aggregate reports according to the DMARC specification. MDaemon ignores the DMARC "ri=" tag and only produces DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given day. At midnight UTC (which is not necessarily midnight local time) MDaemon consumes this stored data to generate the reports. MDaemon needs to be running at this time or the stored data could grow and grow and never be consumed. Therefore, if you do not run your MDaemon 24/7 you should not enable DMARC aggregate reporting. DMARC aggregate reporting is disabled by default.

In order to support DMARC failure reporting, RFC 5965 "An Extensible Format for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF) Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651 "Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting", and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have been fully implemented. Failure reports are created in real-time as the incidents which trigger them occur. MDaemon implements DMARC AFRF type failure reports and not IODEF type reports.
Therefore, only values of "afrf" in the DMARC "rf=" tag are honored. See the DMARC specification for complete details. Multiple failure reports can be generated from a single message, depending upon the number of recipients in the DMARC record's "ruf=" tag and upon the value of the "fo=" tag times the number of independent authentication failures which were encountered by the message during processing.

When the DMARC "fo=" tag requests reporting of SPF related failures MDaemon sends SPF failure reports according to RFC 6522. Therefore, that specification's extensions must be present in the domain's SPF record. SPF failure reports are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.

When the DMARC "fo=" tag requests reporting of DKIM related failures MDaemon sends DKIM and ADSP failure reports according to RFC 6651. Therefore, that specification's extensions must be present in the DKIM-Signature header field and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid ADSP extensions in the ADSP TXT record. DKIM and ADSP failure reports are not sent independent of DMARC processing or in the absence of RFC 6651 extensions. See the various specifications referenced herein for complete details. DMARC failure reporting is disabled by default.

Important Note: A DMARC record can specify that reports should be sent to an intermediary operating on behalf of the domain owner. This is done when the domain owner contracts with an entity to monitor mail streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by your privacy policy, terms of use, or other similar governing document. You should review and understand whether your own internal policies constrain the use and transmission of DMARC reporting, and if so you should disable DMARC reporting as appropriate.
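The DMARC record tags and disposition rules described under [11196] (the X-MDDMARC-Fail-policy header added only on a "fail" with a policy other than "none", the default mode that accepts a message even when the policy says reject, AFRF-only failure reports counted per "ruf=" recipient and "fo=" failure event), worked through as an added Python example that is not MDaemon code. The alignment check assumes the From: domain is already the organizational domain (MDaemon derives it with the Public Suffix List), and the per-"fo=" accounting is a simplified model.

```python
"""DMARC record tags and the disposition rules described under [11196].

Added example, not MDaemon code. Alignment is simplified: the From: domain is assumed
to already be the organizational domain (MDaemon derives it with the Public Suffix List)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DmarcRecord:
    policy: str                      # p=  : none | quarantine | reject
    subdomain_policy: str            # sp= : defaults to p=
    rua: List[str] = field(default_factory=list)   # aggregate report URIs
    ruf: List[str] = field(default_factory=list)   # failure report URIs
    fo: str = "0"                    # failure reporting options, colon separated
    rf: List[str] = field(default_factory=lambda: ["afrf"])
    adkim: str = "r"                 # DKIM alignment: r(elaxed) | s(trict)
    aspf: str = "r"                  # SPF alignment


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse a DMARC TXT record; None if it is not a usable v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None

    def uris(key: str) -> List[str]:
        return [u.strip() for u in tags.get(key, "").split(",") if u.strip()]

    return DmarcRecord(
        policy=tags["p"],
        subdomain_policy=tags.get("sp", tags["p"]),
        rua=uris("rua"),
        ruf=uris("ruf"),
        fo=tags.get("fo", "0"),
        rf=[r.strip().lower() for r in tags.get("rf", "afrf").split(":")],
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
    )


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed also accepts a subdomain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    return identifier == from_domain or (mode == "r" and identifier.endswith("." + from_domain))


def dmarc_result(rec: DmarcRecord, from_domain: str, spf_pass_domain: str = None,
                 dkim_pass_domains: Tuple[str, ...] = ()) -> str:
    """'pass' when SPF or DKIM passed with an aligned identifier, otherwise 'fail'."""
    if spf_pass_domain and aligned(spf_pass_domain, from_domain, rec.aspf):
        return "pass"
    if any(aligned(d, from_domain, rec.adkim) for d in dkim_pass_domains):
        return "pass"
    return "fail"


def disposition(rec: DmarcRecord, result: str,
                honor_reject: bool = False) -> Tuple[str, Optional[str]]:
    """(action, header). Policy is only applied to a 'fail' result, and the header is added
    only when the policy is not 'none'. honor_reject=False is the default mode: the message
    is accepted but tagged with X-MDDMARC-Fail-policy: reject instead of refused at SMTP."""
    if result != "fail" or rec.policy == "none":
        return "accept", None
    if rec.policy == "reject" and honor_reject:
        return "reject", None
    return "accept", "X-MDDMARC-Fail-policy: " + rec.policy


def failure_report_count(rec: DmarcRecord, dmarc_failed: bool, spf_failed: bool,
                         dkim_failures: int) -> int:
    """Number of AFRF failure reports: one per failure event selected by fo=, for each ruf=
    recipient. Nothing is sent unless rf= includes afrf (IODEF reports are not produced).
    The per-option accounting below is a simplified model (assumption)."""
    if "afrf" not in rec.rf or not rec.ruf:
        return 0
    opts = set(rec.fo.split(":"))
    events = 0
    if "0" in opts and dmarc_failed:                 # fo=0: all mechanisms failed
        events += 1
    if "1" in opts and (spf_failed or dkim_failures):
        events += 1                                  # fo=1: any mechanism failed
    if "d" in opts:
        events += dkim_failures                      # fo=d: one per failed DKIM signature
    if "s" in opts and spf_failed:
        events += 1                                  # fo=s: SPF failed
    return events * len(rec.ruf)


if __name__ == "__main__":
    # Constructed record for demonstration
    rec = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:agg@example.com; "
                      "ruf=mailto:f1@example.com,mailto:f2@example.com; fo=1:d; ri=3600")
    result = dmarc_result(rec, "example.com", dkim_pass_domains=("other.net",))
    print(result, disposition(rec, result), failure_report_count(rec, True, True, 2))
```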
DMARC requires use of STARTTLS whenever it is offered by report receivers; however, there is no way to predict or police this. Regardless, you should enable STARTTLS if you haven't already (see Ctrl+S | SSL & TLS | MDaemon).

There is a white list for use with DMARC verification. This white list is for IPs only. A match to this white list causes DMARC processing to be skipped. DMARC also interacts with the SPF and DKIM white lists. If they cause SPF or DKIM processing to be skipped then DMARC processing will also be skipped. Naturally, when both SPF and DKIM are entirely disabled then DMARC processing will be skipped.

DMARC also honors the Approved List, which can white list based on verified DKIM identifiers and/or SPF paths from sources you trust. So, for example, if a message arrives that fails the DMARC check but has a valid DKIM signature from a domain on the Approved List, the message is not subject to punitive DMARC policy (i.e. the message is treated as if the policy were p=none). The same happens if SPF path verification matches a domain on the Approved List. So, take note that your existing Approved List is now also a DMARC white list.

Finally, DMARC has been integrated with MDaemon's VBR system and a new option has been added to Ctrl+S | Sender Authentication | VBR Certification which allows you to ignore punitive DMARC policy on messages that fail a DMARC check but otherwise have a verified identity vouched for by at least one of your trusted VBR service providers. This option is enabled by default. For more information on VBR see https://www.altn.com/email-certification/. Congratulations on VBR (RFC 5518) achieving Standards-Track status!

The Authentication-Results header has been extended to include DMARC processing results. Note that Authentication-Results includes some data in comments for debugging purposes, including the DMARC policy requested by the domain owner, which is not necessarily the action taken on the message.
For example, when the result of a DMARC check is "pass" it does not matter what the DMARC policy states, as policy is only applied to DMARC checks which "fail". Similarly, when the result of a DMARC check is "fail" and the policy is "reject" the message may be accepted anyway for local policy reasons. Use of this header for filtering should take all this into account. Alternatively, filter for "X-MDDMARC-Fail-policy: quarantine" or "X-MDDMARC-Fail-policy: reject" to filter these messages into spam folders or whatever you want to do. MDaemon strips out the "X-MDDMARC-Fail-policy:" header from every incoming message.

Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header or they are not processed. This basically means that the absence of a single (one and only one) properly formed (according to RFC specifications) RFC 5322 From field renders the message invalid generally and therefore invalid for DMARC processing.

Several new screens have been added at Ctrl+S | Sender Authentication where you can set various options related to DMARC use. DMARC requires SPF and/or DKIM verification to be enabled, as it is based upon the verified identities that those two mechanisms provide. You can't make productive use of DMARC for inbound mail without one or both of those technologies enabled. The UI will try to enforce this.

DMARCReporter is a tool that reads DMARC XML reports and transforms them into easier to read HTML. This tool has been installed into your \MDaemon\App\ folder. See DMARCReporterReadMe.txt for instructions on use.

[9843] NEW LOOK FOR MDAEMON REMOTE ADMINISTRATION

Massive updates were done to the Remote Administration interface. "Mobile Device Management" is now a top-level menu item for easier access. Some other menus were relocated to align Remote Administration more closely with MDaemon's layout. Accordingly, menus have been utilized where appropriate. Context-sensitive help has also been added.
[10279] ACTIVESYNC SERVER NOW SUPPORTS SERVER-SIDE MAIL SEARCHING (Requires MDaemon PRO and active ActiveSync Software License Renewal Coverage)

MDaemon's ActiveSync server now supports searching messages on the server. Please refer to your ActiveSync client's documentation to find out if it supports this feature and how to use it. The search indexes are stored on the server in the folders being searched, in files named SrchData.mrk and SrchIndex.mrk.

[13231] IMPROVED MAILING LIST ENGINE

The mailing list engine has had several improvements.

[13196] The mailing list editor has been slightly reworked. All the header manipulation related settings have been removed from the Settings page and put on their own new Headers page. Also, the option to set the list's precedence value has been deprecated and removed. Similarly, the option to insert the list's name into the 'To:' header 'Display Name' has been removed as an unnecessary duplicate of the radio button option on the same screen that does the same thing.

[13198] Added a new option to the mail list editor which will allow you to reject messages sent to the list from authors whose domain publishes a restrictive DMARC policy ("p=reject" or "p=quarantine"). This option is enabled by default. By publishing restrictive policy these domain owners are effectively making it impossible for their users to participate in any mailing list or forwarding service or "mail this article" type of service. That may well be what they intend. However, allowing the mailing list engine to accept such messages can lead to unrelated members being automatically unsubscribed. You wouldn't need to enable this option if you use the new From: header alteration option, but better safe than sorry (see [13160]).
Also, you wouldn't need to do this as long as your list does NOTHING to invalidate a valid DKIM signature (if there is one), but lists do that all the time and for perfectly good reasons (like adding a label to the Subject:, adding footers to the message body, etc).

[13160] Added a new option to the Mailing List Editor Headers screen which allows you to alter the From: header value on incoming posts from authors whose domain publishes restrictive DMARC policy. This option is enabled by default and should stay enabled. As much of the previous From: header data is preserved as possible. This should help with the recent issues mailing list administrators have experienced due to the DMARC "p=reject" policies at Yahoo, AOL, and some others. FYI, as it depends on DMARC data being available, this option doesn't really do anything when DMARC processing is disabled. Any time the From: header is changed by this feature the original From: header data will be moved into the Reply-To: header, but only if (1) the message has no Reply-To: header to begin with and (2) the mailing list configuration itself does not specify a custom Reply-To: for all list messages.

[5102] Support for List-ID (RFC 2919) has been added. List-ID allows you to enter a short description for your mailing list which is included in the List-ID message header. This description is optional, and if not provided the List-ID header will contain just the list identifier by itself. An example header with a description looks like this: List-ID: "Discussion of the current MDaemon Beta" <md-beta.altn.com>. An example without a description looks like this: List-ID: <md-beta.altn.com>. The email address of the mailing list itself is used as the list's unique identifier (note that the "@" is changed to a "." character to safely comply with the specification).
The List-ID header is stripped from incoming messages sent to local mailing lists but not from incoming messages sent to local users from outside mailing lists.

[13201] Support for List-Post, List-Subscribe, List-Unsubscribe, List-Help, List-Owner, and List-Archive mailing list headers (RFC 2369) has been added. These headers are added to list messages if URLs for each are specified in the new controls found within the mailing list editor on the Moderation tab (because that's where there was room for them). These must be URLs as specified in RFC 2369 (for example: mailto:ar...@altn.com). See that document for examples. Whatever you put into these controls will be inserted into all mailing list messages. If the data is improperly formed it won't achieve any results. When a List-Unsubscribe value is provided MDaemon will use it rather than other possible auto-generated values.

[13230] Support for sending mailing list monthly subscription reminders has been added. When enabled, MDaemon will send the text of a reminder message to each list member on the first day of each month. You can control the content of the reminder message using some new controls on the Mailing List editor Reminders page. The following macros are available for use within the reminder message:

$LISTADDRESS$ which expands to the mailing list's email address
$LISTNAME$ which expands to the local-part of the mailing list's email address
$UNSUBADDRESS$ which expands to the list's unsubscribe address (the MDaemon system address, basically)
$MEMBERADDRESS$ which expands to the email address of the list member receiving the reminder

You can copy and paste whatever HTML you want from your favorite HTML editor into the control. If you'd rather send the reminders on a different day of the month, change it by editing MDaemon.ini and setting [Special] ListReminderDay=X (default is 1).
[13242] The option to configure a list's Reply-To value has been enhanced in the UI with radio buttons to allow you to more easily select (1) Leave any Reply-To unchanged, (2) Put list's name in Reply-To, or (3) Put arbitrary email address in Reply-To.

[13263] IMPROVED SMTP SERVER

MDaemon's SMTP server has had some improvements.

[13243] Support for RFC 3463 (Enhanced Mail System Status Codes) has been added. These codes allow for much finer grained reporting and automation. As a result of this, nearly all of MDaemon's SMTP server protocol strings have been changed to include the enhanced codes. Also, support for RFC 2034 (SMTP Service Extension for Returning Enhanced Error Codes) has been added. The ESMTP capability ENHANCEDSTATUSCODES will be advertised to other servers during the SMTP transaction.

[13264] Support for RFC 3464 (An Extensible Message Format for Delivery Status Notifications) and RFC 6522 (The Multipart/Report Media Type for the Reporting of Mail System Administrative Messages) has been added. This completely overhauls MDaemon's DSN reporting. All of the old code and behavior related to this has been removed and replaced. With these changes, MDaemon's DSN system now fully complies with industry standards and will properly interoperate with automation tools and other MTAs. The format of the DSN has radically changed and now rigidly complies with the specifications. This means that delivery warning messages and delivery failure messages now fall under the control of these RFCs and are no longer accessible to administrators for customization. They can be localized but not customized. The "Subject" data for these messages can still be changed, but this is not recommended. The data contained in these DSNs is now in MIME multipart/report format and no longer includes the original message as an attachment.
Instead, only the headers of the original message are included in a text/rfc822-headers MIME section of the multipart/report message, as the specifications recommend. Nearly all the optional components of these reports have been implemented, including taking advantage of enhanced status codes if the receiving MTA supports them. DeliveryWarning.dat and DeliveryError.dat have been deprecated and removed. The Ctrl+Q | DSN Options screen has been updated to remove the edit buttons and also the old option "Don't generate DSN for undeliverable list mail." This option is also deprecated and removed. MDaemon never generates DSNs for undeliverable list posts. Please review the RFCs if you want the full details on the meaning of the various elements within these mails.

MDaemon adds a Session-ID and a Queue-ID to each DSN. The Session-ID is a functionally unique value that identifies the actual mail session or transaction event that attempted delivery (this is not new; it has just never been used for anything until now). The Queue-ID is a functionally unique value that identifies the message file inside the queue (it's the file's name). "Functionally unique" means unique enough to identify the data it points to for all practical purposes, but not guaranteed to never repeat over the long term.

[13475] Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has been added. This governs the value of the "WITH" clause in Received headers. This means you'll see "ESMTP" for unauthenticated non-SSL sessions, "ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions, or "ESMTPSA" for authenticated & SSL sessions. Values of "MULTIPOP" and "DOMAINPOP" are MDaemon specific and will continue to be used even though they don't appear in the IANA registry.

[13312] IMPROVED SENDER AUTHENTICATION

[13292] Updated MDaemon's SPF implementation to the latest specification (RFC 7208):

Section 4.6.4: Imposed a limit on the number of SPF terms that cause DNS queries.
The following terms cause DNS queries: the "include", "a", "mx", "ptr", and "exists" mechanisms and the "redirect" modifier. The total allowed for such terms is now fixed at 10 and cannot be changed, as per the specification. Also, each 'A' record lookup performed while processing an "mx" mechanism counts toward the 10 term limit. When the 10 term limit is reached further SPF processing stops, any SPF results are dropped, and a permanent error is recorded as the result, as per the specification.

Section 4.6.4: "ptr" resource records count toward the 10 term limit as well; however, any extras over and above 10 are simply ignored and no permanent error is generated, as per the specification.

Section 4.6.4: Imposed a limit on the number of "void" lookups. These are defined in the specification as lookups that result in either (a) domain does not exist or (b) no answers exist. When this limit is reached SPF processing generates a permanent error, as per the specification. You can configure the number of allowable void lookups via a new control in Ctrl+S | Sender Authentication | SPF Verification. It cannot be less than 2.

Section 9.1: The ABNF was updated for the Received-SPF header, so it required a few changes. Also, I added the "mechanism" key so you can see which mechanism matched. Note that the spec calls for using the string "default" when no mechanism matches, so that may appear from time to time. Also, 9.2 provides guidance on the use of the Authentication-Results header (RFC 7001), so this resulted in a few updates to that header as well. As a result of the improvements made to Authentication-Results, MDaemon no longer creates the X-MDPtrLookup-Result, X-MDMailLookup-Result, or X-MDHeloLookup-Result headers. These headers will continue to be stripped from incoming messages but they are no longer created or used by MDaemon itself.

[13313] Updated MDaemon's implementation of "Message Header Field for Indicating Message Authentication Status (RFC 7001)."
This is the latest specification governing the Authentication-Results header. This caused several changes to the format of the Authentication-Results header and it looks much different now. PTR, HELO, and MAIL reverse lookups now use the ABNF from RFC 7001 (i.e. iprev and policy.iprev for PTR, HELO, and MAIL, with comment text as the differentiator). Also, corrected improper use of ptypes and their values in several places. Also, found and fixed some bugs in the inconsistent text put out in this header and in what happens if a DNS failure occurs during a lookup.

[13314] Implemented "Authentication-Results Registration for Vouch By Reference Results (RFC 6212)." I (Arvel) am one of the authors of VBR but didn't notice that my friend Murray had created RFC 6212 to document VBR results in an industry standard way using his Authentication-Results header. That's what I get for falling into a corporate black hole for 3 years :) MDaemon will now follow this RFC, and when multiple VBR hosts are used there will be multiple VBR sections in Authentication-Results.

[13316] Implemented "Authentication-Results Registration for Differentiating among Cryptographic Results (RFC 6008)." This included documenting the results of each DKIM signature in an industry standard way. Previously, MDaemon did not document all signature results and what it did document was not in industry standard form. MDaemon will now follow this RFC, and when multiple DKIM signatures are used there will be multiple DKIM sections in Authentication-Results.

[13315] Added new option to Ctrl+S | Sender Authentication | VBR Certification which will force VBR checks even for incoming messages that lack the VBR-Info header. Normally this header is necessary, but VBR works fine without it. When the header is missing MDaemon will query your trusted VBR certifiers using the "all" mail type. This option existed in the previous version but was not exposed in the UI.
Also, in previous versions it was enabled by default but I changed that to be disabled by default to save on queries. You can enable it if you want. Also, in previous versions only the default certifier was used in this situation (which is Alt-N's service - vbr.emailcertification.org) but now MDaemon will query each of your trusted VBR certifiers. Note that Spamhaus has adopted VBR now with their DWL list. See http://www.spamhauswhitelist.com/en/usage.html for information and usage. To use this list within MDaemon just add it to the list of trusted certifiers at Ctrl+S | Sender Authentication | VBR Certification after checking with Spamhaus for any compliance requirements they may have.

[13139] Updated MDaemon's DKIM implementation to the latest specification (RFC 6376). Also, added separate storage of header and body canonicalized data for optional use with DMARC failure reporting. Also, the Authentication-Results header now includes the results of ADSP processing where relevant as per RFC 5617. Finally, RFC 6651 required updates to libdkim. Added a new option to Ctrl+S | Sender Authentication | DKIM Options which adds RFC 6651 "r=y" tag to outbound signatures. This enables DKIM failure reporting should outside verifiers choose to honor it. You must also configure a DKIM reporting TXT record in your domain's DNS and/or update your ADSP TXT record if you want to receive these reports. See RFC 6651 for syntax and instructions on how to do that. When set up correctly you may begin receiving AFRF failure reports from external sources when they encounter messages purporting to be from your domain which fail DKIM verification. Since it requires DNS setup this option is disabled by default. Also, I added another option to Ctrl+S | Sender Authentication | DKIM Options which toggles whether the RFC 6651 "rs=" tag is honored.
This tag allows outside domain owners to customize the SMTP rejection string that your MDaemon will display when DKIM processing results in a rejection related to their domain. These strings cannot start with a space or number or include \r, \n, or \t. If they do, MDaemon ignores them. Otherwise, they're fine. This switch is enabled by default. You can disable it if you are uncomfortable with outsiders determining what your MDaemon says in a DKIM related SMTP rejection. Normally, this is just "550 5.7.0 Message rejected per DKIM policy". The "550 5.7.0" bit will be prepended to whatever custom string is used (if any).

CHANGES AND NEW FEATURES

[12535] MDaemon now supports TLS 1.1 and 1.2. Requires Windows 7 / Server 2008 R2 or newer.

[13040] Ctrl+U | Passwords now has a new control which lets you configure the minimum password length when requiring strong passwords. The absolute minimum is 6 characters but higher values are strongly recommended. Changing this setting does not automatically trigger a required password change for those with passwords shorter than the new minimum however when those users next change their password this setting will be enforced.

[13197] Message Recall improved slightly with a better indication of success in the Subject: text of result notification email. Also, you can specify the full header+value in the recall request now so "RECALL Message-ID: <message-id>" will work which makes it slightly easier to cut-and-paste.

[12308] You can now enable logging of ActiveSync WBXML and XML data globally with new checkboxes at Alt+M | ActiveSync | Options, for specific domains at Alt+F2 | Options, and for individual devices used by individual users from within the Account Editor | ActiveSync Devices page. It is also possible to turn on logging for all devices for a particular user but I didn't expose this as there's no room anywhere and you can enable/disable the user's device(s) which does the same thing.
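The rs= handling from the [13139] note above (RFC 6651 lets a domain owner publish a requested SMTP error string; the notes say a string starting with a space or a digit, or containing \r, \n or \t, is ignored, and "550 5.7.0" is prepended to an accepted one), as an added Python example that is not MDaemon's code. The reporting TXT record it parses is constructed; RFC 6651 places these tags in the domain's _report._domainkey TXT record, and the rs= value is treated here as plain text.

```python
"""Honouring (or ignoring) an RFC 6651 rs= string in a DKIM policy rejection, following the
validation rules quoted in the release notes. Added illustration, not MDaemon's code."""

DEFAULT_REPLY = "550 5.7.0 Message rejected per DKIM policy"
REPLY_PREFIX = "550 5.7.0 "       # always prepended to an accepted custom string


def parse_tag_list(record):
    """Split a DKIM-style 'tag=value; tag=value' list into a dict.
    Keys are trimmed; values are kept raw so the leading-space rule below can be applied."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value
    return tags


def rs_is_acceptable(rs):
    """The notes' rules: must not start with a space or a digit and must not contain
    CR, LF or TAB (a CR/LF would let the remote domain split the SMTP reply)."""
    if not rs or rs[0] == " " or rs[0].isdigit():
        return False
    return not any(ch in rs for ch in "\r\n\t")


def dkim_rejection_reply(report_record, honor_rs=True):
    """SMTP reply for a DKIM policy rejection. report_record is the content of the
    signer's _report._domainkey TXT record (constructed in the tests)."""
    if not honor_rs:                      # the new DKIM Options switch turned off
        return DEFAULT_REPLY
    rs = parse_tag_list(report_record).get("rs", "")
    if not rs_is_acceptable(rs):
        return DEFAULT_REPLY
    return REPLY_PREFIX + rs
```

The CR/LF rule is the important one: the status code is fixed by the receiving server, and rejecting strings that could start a new reply line keeps an outside domain from turning one 550 reply into two.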
Each of these controls has the standard Yes, No, or Inherit options. Inherit means do whatever the next level up says to do - so user's devices do whatever the domain's setting is which will default to whatever the global setting is. This logging is switched off by default but is useful for debugging purposes.

[12762] You can now set the maximum number of ActiveSync devices allowed per user globally with a new control at Alt+M | ActiveSync | Options, for specific domains at Alt+F2 | Options, and for individual users from within the Account Editor | ActiveSync Devices page. Setting the global value to zero means no limit. Setting the domain value to zero means use the global setting. Setting the user-level value to zero means use the domain default. All values are set to zero by default.

[12982] The ActiveSync white and black lists can trigger off of Device ID, Device Type, and User Agent strings but not Device OS. This was a UI mislabel only and has been corrected.

[12981] The "Size" column header in the message queue pane within the main UI was changed to read "Size (Bytes)".

[12454] Ctrl+Q | Holding Queue has been reorganized such that the bad queue summary email can be sent even if the holding queue is disabled. It was a mistake to make these options which are unrelated dependent on each other in the UI.

[12374] Moved option to configure the daily quota report subject text from Ctrl+O | System to Ctrl+U | Quotas. Also this configuration was being ignored in some cases. That was fixed.

[13108] Improved SMTP error message upon authentication failure when using MSA port.

[9642] Updated UI to display fact that a Documents folder may also be created for domains/users when configured to do so.

[8619] Added the following new account template macros which return lower case versions of the data they represent: $USERFIRSTNAMELC$, $USERLASTNAMELC$, $USERFIRSTINITIALLC$, and $USERLASTINITIALLC$.
Also the installation default for the new account mailbox template was changed to use these new macros. This may or may not change your configuration depending upon whether you are still using installation defaults or not. To double check and use the macros you want see Ctrl+T | Template Manager | New Accounts and you will see the macros used to create a new account's value.

[6172] The way window positions and layouts for the UI are saved has been changed. First, the config session and main UI no longer share or overwrite each other's window positions, item selections, or layouts. Second, if you are running on one of the newer versions of Windows which does not permit any service interaction then MDaemon will no longer bother keeping up with window positions or layouts at all (who cares?). This saves time reading and writing values to disk for something that nobody can ever even look at.

[13121] All support for the original DomainKeys message authentication system has been removed. DomainKeys is obsolete and has been replaced by the acceptance and adoption of DKIM which MDaemon continues to support. Some UI dialogs related to DomainKeys and DKIM found within Ctrl+S | Sender Authentication have been reorganized as a result and options related to DomainKeys removed and the remaining options better consolidated. Some .DAT files may continue to refer to DomainKeys in their various comment text but this will not be the case for fresh new installs nor does it hurt to leave this comment text in place. The install process will remove DomainKeys.dll and update the MDaemon spam filter scores file.

[13124] All support for HashCash has been removed. This technology never caught on. The install process will remove HashCash.dll and HCMint.dat and clean things up.

[13125] All support for Sender-ID has been removed. This technology never caught on and is obsolete.

[9728] MDaemon Remote Administration now has reports showing the top message senders by message count and total size.
[9546] Users are now prompted to decide whether or not to upload a file to their documents list that has the same name as another file in their list in the WorldClient and LookOut themes.

[9696] Added a checkbox next to the filename in the LookOut theme so that selection is easier for the user.

[13110] The Settings views have been updated in the WorldClient theme to better match the simplicity of the theme. From the Settings view there is now a "Return to Inbox" button in order to leave the settings view. The filters list has been altered to display the information for what each filter does in a more user friendly manner. The process for creating and editing filters has been removed from the main page to a modal window. Each time a user moves a filter the server will update the order of the filters. New folder creation has also been removed from the main page to a modal window. The share folder dialog has been changed to only allow email addresses to be added and removed, but not edited. The access level is now editable only after the user has been added. All other views look different but continue to function in the same fashion.

[9675] In the LookOut theme, only the type of folder that an item is being copied/moved from is displayed in the destination dialog.

[9673] In the WorldClient and LookOut themes, users now have the ability to drag and drop a file from a documents folder to their local machine. However, only Chrome supports this functionality. Other browsers will either do nothing, or create a shortcut to the desktop.

[9693] In the WorldClient and LookOut themes, when users compose an email and click the "attach" button users are now able to attach documents from a sortable and searchable list of all documents that user has access to through WorldClient.

[12352] SPF processing will no longer abort due to IP6 mechanisms.

[13192] In the WorldClient theme the folder pane now maintains the width set by the user in the previous session.
[7222] In all themes there is now a button or link that saves the source of the selected message as an .eml file to the user's local machine.

[10607] EXPN and LIST commands (do people still use these?) now return results in alphabetical order. EXPN no longer attempts to send the real name or "n/a".

[13199] Sub-addressing should work with aliases for the mailbox part now.

[9854] Some MDaemon Remote Administration reports are hidden from view if the specified feature isn't being used.

[12291] The routing log now displays the actual complete header values for To: and From: (within reason).

[10366] It is now possible to save searches for the message list in the LookOut and WorldClient themes by going to the Advanced Search.

[5825] Added new control at Ctrl+O | Preferences | UI which allows you to configure the text editor you like rather than always having the UI use notepad.exe. However, notepad.exe is the default and will always be used if you don't specify something different.

[13161] When the bad queue is processed messages to remote recipients will be moved back into the remote queue for delivery. Also, the routing log will now show LOCAL or BAD QUEUE when processing each type of message and bad queue will have its own color. Also, messages released from the bad queue will honor any newly created aliases to local users that might have been created since the message was placed in the bad queue.

[12488] The checkbox to delete files from the bad queue as part of daily maintenance was removed from Ctrl+O | Preferences | Disk and has been replaced by an edit control that allows you to set the number of days old a file has to be before it gets deleted. So now rather than delete all files it deletes files older than X days. The default is 0 (zero) which means to never delete any files. If you previously had the old option enabled then the new option has been set to 1 day to preserve previous behavior.
[13188] Raised length of forwarding address fields from 256 to 512 characters.

[13273] Updated several places in MDaemon which create auto-generated emails to use a proper and consistent From: and Reply-To:. Also updated several internal references to sales@ and support@ addresses that were out of date.

[5142] Added new setting to Ctrl+O | Preferences | Miscellaneous which will instruct MDaemon to skip the sending of forwarded messages to the smart host if there was an error delivering the forwarded mail to a specifically configured external host. When enabled, such messages will be placed in the retry queue. When disabled, such messages are sent to the bad queue. This switch is disabled by default to preserve previous behavior.

[9407] Added a new setting to Ctrl+O | Preferences | Miscellaneous which will cause MDaemon to delete messages from senders who are in the recipient's personal black list (assuming the options to use black lists are enabled). Previously these messages went into the bad queue. Now you can enable this switch to just delete them. This option is disabled by default to preserve previous behavior.

[13219] The Quota.msg file will now be updated if MultiPOP tries to pull a message which would exceed the account's quota limitations.

[12862] MDaemon will try to detect and use the correct FQDN domain value far more often now than it used to.

[7270] Due to frequent requests :) Added a new setting to Ctrl+O | Preferences | Miscellaneous which will cause MDaemon to remove duplicate recipients when a single message is submitted to multiple mailing lists. It only removes duplicate list members when a single message is delivered to multiple lists which contain that same member. For example, if lis...@domain.com and lis...@domain.com both have ar...@altn.com as a member then a single message delivered in the same SMTP session would result in one message (not two) being delivered to ar...@altn.com.
The problem with this (and why YOU SHOULD NEVER USE IT or any similar de-duplication schemes) is that there is no way to know which copy from which list the individual member prefers to receive and you CANNOT safely assume that it makes no difference. Lists vary widely in their configuration and use by end users. Therefore, by enabling this option you are certain to break something for somebody. There is also no relationship whatsoever between two different mailing lists except the fact that they happen to be (completely by happenstance) managed by the same MDaemon instance - but so what? That means nothing. This "feature" does not operate upon list messages with identical content that are delivered multiple individual times. This "feature" does not operate upon RCPT values that are not mailing lists. So, if a single message arrives in the same SMTP session for lis...@domain.com and lis...@domain.com and ar...@altn.com then ar...@altn.com would receive two copies if he's a member of list-a and/or list-b.

[13290] The Account Editor and Template Manager have been updated as follows: a new tab called "White List" has been added and the white list related options have been moved from the Options tab and placed onto this new tab. This gives me more UI space to work with. Also, the options moved to the new White List tab are still subject to over-riding spam filter and autoresponder settings as the revised help text on the tab explains however they are no longer greyed out as a result of those settings. This lets you configure them without having to worry about the state of other options on other screens.

[10816] Added right-click menu option to the bad queue which adds the deliver-to address to the spam honeypot. The address must be to a local domain and if it belongs to an existing account a warning popup will occur.

[3432] Autoresponder scheduling has been improved with the addition of checkboxes for each day of the week.
When you set an autoresponder start and end time you can now select one or more days of the week that the autoresponder will operate on. All existing autoresponders will operate on every day of the week to preserve existing behavior, however they can be changed as needed.

[13294] Mobile theme - Mail Forwarding options have been added.

[13297] Alt+M | ActiveSync | Devices will now present data by domain and then sorted by email address within each domain. Also a "please wait" popup box was added so that you know the data is being processed and the server hasn't locked up.

[12950] In the LookOut and WorldClient themes "Documents" has been added as a default view option.

[12528] In WorldClient it is now possible to set shared permissions to a folder and all of its sub folders by checking the box "Apply to sub folders" in the FolderShare view.

[12842] Added support for displaying custom buttons in the WorldClient UI. Edit \MDaemon\WorldClient\Domains.ini and set [Default:Settings] CustomButtonText1=the text to display on the button (up to 12 characters) and CustomButtonLink1=the URL to open when the button is clicked. Up to 5 buttons may be added.

[13006] Mailing list messages sent to disabled local accounts are simply ignored rather than moved to bad queue.

[9697] Added ability to restrict the size of individual files that can be uploaded to WorldClient's documents folders. Edit \MDaemon\WorldClient\Domains.ini and set [Default:Settings] MaxAttachmentSize=<value in KB>. The default is 0 which means there is no limit.

[9695] Added ability to restrict the types of files that can be uploaded to WorldClient's documents folders. In \MDaemon\WorldClient\Domains.ini enter (for example) "BlockFileTypes=exe dll js", or "AllowFileTypes=jpg png doc docx xls xlsx". The priority is BlockFileTypes. In other words if an extension is in both lists, the content will be blocked. If a list is empty, there is no check. The extensions can be separated by spaces or commas.
Leading "."s on the extensions are optional.

[2095] Added size limit for attachments that can be uploaded to WorldClient's Compose view. Edit \MDaemon\WorldClient\Domains.ini and set MaxComposeAttachSize=<value in KB>.

[2687] WorldClient displays the size of the attachments in the Compose window. The value is in KB.

[13441] LookOut and WorldClient themes - Added ability to drag and drop attachments from a message to the desktop. Only supported by Chrome.

[11345] WorldClient - Added ability to set a default Reply-To address in the Options | Compose view. Once set, the Compose view will default to show the advanced options in Lite, Mobile, and LookOut, and will display the Reply-To input in the WorldClient theme.

[12886] WorldClient - Added option in Options | Personalize to print message attachments "Always", "Never", or "Decide on print".

[4758] The trusted hosts and trusted IPs editor have been split apart and placed on two separate screens at Ctrl+S | Security Settings and the ability to add comment text to each entry has been added. First time installation of 14.50 will process the old Relay.dat file into TrustedHosts.dat and TrustedIPs.dat. Relay.dat file is deprecated and will be removed. This change and several others like it have been made to allow for longer IP addresses within the UI necessary to support IPv6 address forms in future.

[9075] WorldClient's time zone option now defaults to the server's time zone rather than a blank value when no time zone has been set.

[6004] WorldClient now includes the names of distribution groups in the Compose view's recipient field autocomplete choices.

[6445] WorldClient's autoresponder editor now adjusts the start and end times to be in the user's time zone instead of the server's time zone.
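The documents-upload rules from the [9697] and [9695] notes above (BlockFileTypes wins over AllowFileTypes, an empty list means no check, extensions separated by spaces or commas with an optional leading ".", and MaxAttachmentSize in KB with 0 meaning no limit), applied to a constructed Domains.ini fragment as an added Python example. This is illustration, not WorldClient's code; two details the notes do not state are assumptions of this example: extension matching is case-insensitive, and a file with no extension fails a non-empty allow list.

```python
"""Upload policy check modelled on the WorldClient Domains.ini keys described in the notes.
Added illustration, not WorldClient's code; the INI fragment is constructed."""
import configparser

# Constructed fragment. "js" appears in both lists to show that the block list wins.
DOMAINS_INI = """\
[Default:Settings]
BlockFileTypes=exe dll js
AllowFileTypes=jpg, png, .doc, .docx, .js
MaxAttachmentSize=2048
"""


def parse_types(value):
    """Extensions may be separated by spaces or commas; a leading '.' is optional.
    Lower-casing for case-insensitive matching is this example's assumption."""
    return {t.lstrip(".").lower() for t in value.replace(",", " ").split() if t.lstrip(".")}


def load_settings(ini_text):
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["Default:Settings"]
    return {
        "block": parse_types(section.get("BlockFileTypes", "")),
        "allow": parse_types(section.get("AllowFileTypes", "")),
        "max_kb": int(section.get("MaxAttachmentSize", "0")),   # 0 = no limit
    }


def upload_decision(filename, size_bytes, settings):
    """Return (allowed, reason). Block list has priority; an empty list means no check;
    only the final extension is considered, so 'report.pdf.exe' is an exe."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if settings["block"] and ext in settings["block"]:
        return False, "extension blocked"
    if settings["allow"] and ext not in settings["allow"]:
        return False, "extension not in allow list"
    if settings["max_kb"] and size_bytes > settings["max_kb"] * 1024:
        return False, "exceeds MaxAttachmentSize"
    return True, "ok"
```

With these settings a 3 MB photo.png is refused on size, app.JS is refused because the block list is checked first even though js is also allowed, and removing both lists and setting MaxAttachmentSize=0 lets anything through, which is the installation default the notes describe.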
[12335] LookOut and WorldClient themes - added a calendar view which shows events in a list format.

[8204] WorldClient - added a default reminder option under Options | Calendar.

[12162] LookOut theme - Added ability to collapse and expand the favorite folder list.

[6724] WorldClient - Added drop down list of strong password requirements. Viewable by clicking on the icon next to the "Password" information, and shows up when a user's password change does not meet the requirements.

[13528] WorldClient - Added autocomplete with distribution lists to the add attendee controls for event creation/editing in all themes but Mobile.

[13520] Added ACL file cleanup routine to daily maintenance event. Also you can create ACLFIX.SEM in the \App\ folder to trigger just this cleanup routine.

[13544] Account exports (Accounts.csv file) no longer includes passwords by default. If this is not to your liking you can set the following key in MDaemon.ini using Notepad, but this is not recommended: [Special] ExportPasswords=Yes.

[13283] WorldClient - Added option to set a default event length for new calendar events.

[13594] The date/time stamp within logs now includes a millisecond value (from 000 to 999) for added precision.

[13604] The Authentication-Results and X-Authenticated-Sender headers that MDaemon sometimes inserts into messages will now use the actual email address passed to the SMTP server for authentication (which could be an alias to an actual account) rather than always exposing the actual email address. This protects against potential address harvesting.

[12298] The message that WorldClient sends to the postmaster when dynamic screening bans an IP now mentions the username attempted.

[13367] WorldClient supports sending secure/private encrypted messages via RPost. Enable this feature on the Compose options page.

[13618] Mobile theme - Added ability to attach documents to messages in the compose view.

[13655] MDaemon's active sessions list now displays SSL/TLS use.
[6022] WorldClient - Added contact pictures for Lite, LookOut, and WorldClient themes.

[13533] WorldClient theme - Copy/Move dialog only displays folders of the correct type.

[12435] The disk space values found at Ctrl+O | Preferences | Disk have been converted and migrated from KB to MB. New defaults are 100MB for the warning email and 10MB for the auto-shutdown. Your migrated values could be less than that which is fine and will preserve previous behavior.

[5592] Over-quota message refusals will no longer happen after DATA when multiple RCPTs were provided. Instead, the message is delivered possibly placing an account into a slightly over quota state. However, any subsequent delivery attempts to the over quota account will be refused. This change was necessary in order to (a) maximize the use of an account's quota value (b) avoid a problem wherein a single message delivered to multiple recipients is refused for all recipients if accepting the message would put even one of the recipients over quota. Also, the quota check has been moved up the processing chain so that it is the first thing which happens after DATA is completed rather than last in the list.

[13780] Double clicking a list member in the List Editor will load the member's settings into the edit controls so you can change a specific entry without having to remove it. This process converts the "Remove" button into a "Replace" button which will save your edits. Clicking any other button on the screen switches back to "Replace" mode.

[13775] "Post only/nomail" label was changed to "Toggle post only" on Mailing List editor button.

[13790] Added a new option to Ctrl+S | Sender Authentication | SMTP Authentication which forces AUTH for all SMTP sessions. This is useful in certain configurations in which all incoming connections can be expected to conform. When enabled, MDaemon will respond to DATA with a 5xx error-code unless the session has been previously authenticated.
This option honors the "requires authentication to match the message sender" checkbox. Connections from trusted IPs and local loopback are not subject to this option. This option is disabled by default.

[13789] Added a new option to Ctrl+S | SSL & TLS | MDaemon which forces all incoming connections to use STARTTLS. This is useful in certain configurations in which all incoming connections can be expected to conform. When enabled, MDaemon will respond to MAIL with an error-code unless STARTTLS has succeeded. Connections from trusted IPs and local loopback are not subject to this option. This option is disabled by default.

[13796] When MDaemon detects a semaphore file that it does not recognize it will state so in the system log.

[13245] The ActiveSync server will not send reminders for events in a shared calendar folder to users who do not have write access to the folder.

[13821] The SPF white list now also applies to the SMTP envelope email address.

[13483] An ActiveSync log viewer application is now bundled with MDaemon. Run \MDaemon\ASLogViewer\ASLogView.exe.

[14025] The Ctrl+Q | "Include original message when informing sender" option has been deprecated and removed. MDaemon's DSN system includes the headers of the original message but never the whole thing.

[14026] The Ctrl+Q | "Inform the sender when message is placed in retry queue" option has been deprecated and removed. MDaemon always sends DSNs when required in order to comply with Internet standards.

[14027] The "Place undeliverable DSN messages into the bad message queue" option was moved from the Ctrl+Q | Retry Queue tab to the Ctrl+Q | DSN Options tab.
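The two gating options from the [13790] and [13789] notes above (5xx on DATA without prior AUTH; an error on MAIL without a completed STARTTLS; trusted IPs and loopback exempt from both), shown as an added Python example of the SMTP exchange that is not MDaemon's code. The trusted network, the session states and the exact reply codes and texts are constructed choices for this illustration (the notes only say "5xx" and "an error-code"), and the AUTH and STARTTLS handshakes themselves are assumed to succeed so the gating logic stays visible.

```python
"""Gating MAIL and DATA on STARTTLS and AUTH, modelled on the two options described in the
release notes. Added illustration, not MDaemon's code; every value here is constructed."""
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed "Trusted IPs" entry


class Policy:
    def __init__(self, force_auth=False, force_starttls=False):
        self.force_auth = force_auth             # [13790] option, off by default
        self.force_starttls = force_starttls     # [13789] option, off by default


class Session:
    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.tls = False                # STARTTLS completed
        self.authenticated = False      # AUTH completed

    def exempt(self):
        """Trusted IPs and local loopback are not subject to either option."""
        return self.client_ip.is_loopback or any(self.client_ip in n for n in TRUSTED_NETWORKS)


def handle(command, session, policy):
    """Reply to one client command, enforcing the two options on MAIL and DATA."""
    verb = command.split(None, 1)[0].upper()
    if verb == "STARTTLS":
        session.tls = True              # handshake assumed successful (constructed)
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        session.authenticated = True    # credential check assumed successful (constructed)
        return "235 2.7.0 Authentication successful"
    if verb == "MAIL" and policy.force_starttls and not session.tls and not session.exempt():
        return "530 5.7.0 Must issue a STARTTLS command first"
    if verb == "DATA" and policy.force_auth and not session.authenticated and not session.exempt():
        return "530 5.7.0 Authentication required"
    return {"EHLO": "250 mx.local.test", "MAIL": "250 2.1.0 Sender OK",
            "RCPT": "250 2.1.5 Recipient OK", "DATA": "354 Start mail input"
            }.get(verb, "500 5.5.1 Command unrecognized")


def transcript(client_ip, commands, policy):
    """Run a whole session; returns (command, reply) pairs, i.e. both sides of the exchange."""
    session = Session(client_ip)
    return [(cmd, handle(cmd, session, policy)) for cmd in commands]
```

With both options on, an unknown client sees MAIL refused until it has issued STARTTLS and DATA refused until it has authenticated, while the same commands from 127.0.0.1 or from the trusted network are accepted straight away, which is why the notes restrict these options to deployments where every inbound connection is known to conform.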
FIXES

[12434] fix to missing listadmins.dat file preventing manual editing button from opening the file for edits
[13185] fix to WorldClient theme Choose File button truncated in some languages
[13152] fix to WorldClient theme Instant Messenger some strings not translated
[13149] fix to WorldClient theme advanced search strings overlapping checkboxes in some languages
[13187] fix to some settings in Remote Administration do not show the same default values that MDaemon does
[13130] fix to WorldClient and LookOut themes lists do not scroll to the top after changing pages
[13184] fix to quota.msg losing data due to not being thread-safe; also the Date: header gets updated now when this file changes
[9616] fix to X-Spam-Flag header being removed errantly when the option to strip X- headers enabled
[13206] fix to LookOut theme menu bar is truncated in some languages when right-clicking and selecting the Share Folder option
[13319] fix to WorldClient theme when you right-click a message, the Add Contact feature does not add the contact
[12988] fix to WorldClient theme unable to utilize preview pane on an iOS device
[12755] fix to WorldClient Signature editor does not save changes in Source view
[13452] fix to unable to forward/redirect to more than one address with User IMAP filters in Remote Administration
[13459] fix to apply button not working in MD GUI's mailing list editor
[13463] fix to spam filter exclude file not working right when specifying header/value combinations
[12452] fix to C:\MDaemon directory is created when doing a fresh install to a different location
[5016] fix to LookOut and WorldClient themes - New appointment button does not use selected date in Week view
[10337] fix to WorldClient - When printing an email with a large attached image the image is truncated in the printout
[13467] fix to Remote Administration's Domain Manager Host fields not matching up with MDaemon
[13073] fix to browser prompts to install a plugin when receiving instant messages in the WorldClient theme by adding an option to disable the new message sound.
[13499] fix to errant event log entries about holding queue when messages in bad queue
[13650] fix to main screen splitter position not being saved across re-starts
[12347] Messages are now checked for queue expiration at the start of message processing rather than at the end of a delivery attempt. This solves a bug in which at times some messages were left in retry queue too long.
[12712] fix to RECALL feature not working with message directory hashing option enabled
[9251] The check-box within the Domain Manager to skip message size checking for authenticated sessions has been replaced with an edit control where you can enter a separate max message size for authenticated sessions. This way authenticated senders can have one max message size set for them which is different from the one applied to non-authenticated senders.
[13208] Ctrl+P | DNS-BL | Hosts now includes a test button which will test the "DNS-BL host" value by looking up 127.0.0.2.
[13628] fix to WorldClient & LookOut themes - When printing a sent message, the BCC header is not included in the printout
[12042] fix to LookOut theme - when creating a signature, it does not use the default font size that is currently selected
[12943] fix to LookOut and WorldClient themes - when zooming out with two calendars shown side-by-side, the calendar pane on the right goes blank
[13742] fix to quarantine queue visible in MDRA if SecurityPlus is not installed
[12525] fix to LookOut and WorldClient themes - BlackBerry Wired Activation gets stuck on "Loading device(s)" when using IE 11
[13745] fix to Account Manager not keeping selected item in focus across an account edit operation
[5631] fix to WorldClient - blank contacts can be created
[8576] fix to LookOut theme - Message Preview - Unable to transition from inline message preview to hide message preview and vice versa
[13754] fix to potential message loop when postmaster forwards mail
[10486] fix to MDaemon sends duplicate copies of mailing list messages to recipients who are members of multiple groups that are members of the mailing list
[4360] fix to shared folder ACLs are not updated when changing an account's email address
[11566] fix to blank lines are added to the message body when composing plain text messages in WorldClient using IE 10
[13432] fix to Remote Administration not saving changes to WorldClient's Dynamic Screening properly
[13186] fix to Remote Administration not displaying Daily Cleanup times correctly
[13324] fix to ActiveSync outbound byte statistics not always being updated in MDaemon GUI
[13526] fix to WorldClient may insert extra lines in exported calendar CSV files
[13920] fix to quota sent-per-day not always working when aliases were used