Releases


build-221211

HIGHLIGHTS

This is the first update on the version 20.04 train since Ubuntu 18.04 is no longer supported. After updating, Hermes SEG will reflect the new 20.04 version internally as well as on any system pages.

NEW FEATURES

THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0

  • Admin Console --> System --> System Update

FIXES

  1. Unknown column 'queue_type' in 'field list' on Build-220410 (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/29).

  2. Make username/password prompts mandatory during Hermes SEG Initial install (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/36).
  • Fixed issue where if Daily Update Check was enabled, system would send e-mail notifications that DEV update was available (Hermes SEG Pro Only).

  • Fixed login failure that occurred when the system could not verify the login session because the Host Name under Admin Console --> System --> Console Settings was not resolvable by Hermes. Added a function that adds the Console Host parameter to /etc/hosts as 127.0.0.1 when Network Settings or Console Settings are applied.

  • Fixed issue with the /hermes-api path which was preventing some network and console settings from being applied.

  • Added netplan.io installation in case it is missing from systems that were upgraded from Ubuntu 18.04 to 20.04.

build-220410

HIGHLIGHTS

This release incorporates some of the most popular requests:

  • The ability to add domains without the requirement of having existing recipients before the system will relay e-mail.
  • The availability of SPF, DKIM and DMARC in the Community edition of Hermes SEG.
  • Automatic update notifications for the Pro Edition of Hermes SEG.
  • Our new Web GUI 2.0 is now the default upon login and we have added some nifty graphical resource monitors for CPU, Memory and Disk Utilization.
  • All Web GUI 2.0 menu links have been fixed and you should be able to navigate between the new Web GUI and the Old Web GUI seamlessly. Our Web GUI 2.0 is still a work in progress so some links will still point you to the Old Web GUI.

Our Getting Started Guide has been simplified and updated to reflect the new changes.

NEW FEATURES

  • Upgraded Admin Console --> System --> Domains to version 2.0. Added the option to add domains without requiring Internal or Virtual Recipients in order to relay e-mail. By selecting "ANY" in the Recipient Delivery, Hermes SEG will relay e-mail to the destination server without checking the existence of the e-mail address in the Internal or Virtual Recipients table. This method relies on the destination server to reject e-mail for non-existent e-mail addresses. Additionally, added the option to silently discard e-mail for a domain by selecting "NONE" in the Delivery Method and added the option to specify Authentication to the destination server.
  • Added client SMTPS support in Postfix in addition to existing server SMTPS support. If you enable opportunistic or mandatory encryption in System --> SMTP TLS Settings it will also be set on the SMTP client.
  • Upgraded Admin Console --> System --> Mail Queue to version 2.0. Added options to search messages, flush the mail queue and unhold message(s). Added functionality to display messages that are in the ON-HOLD or ACTIVE queues.
  • Upgraded OpenDMARC from version 1.3.2 to 1.4.2.
  • Moved Admin Console --> Content Checks --> DMARC Settings from the Pro Edition to the Community Edition.
  • Upgraded Admin Console --> Content Checks --> DMARC Settings to version 2.0. Added option to Hold Quarantine Policy messages in order to alleviate issue with messages stuck in Mail Queue with ON-HOLD status after failing DMARC validation and having a DMARC policy of quarantine. The default Hold Quarantine Policy Messages setting is set to NO. Additionally, added option to add DMARC whitelisted domains in an effort to bypass domains that fail DMARC validation in a locally generated Authentication-Results header.
  • Moved Admin Console --> Content Checks --> DKIM Settings from the Pro Edition to the Community Edition.
  • Upgraded Admin Console --> System --> System Settings to version 2.0. Removed requirement to add Database credentials. Added options to specify system TimeZone and Daily Update Checks with e-mail notification (Pro Edition Only).
  • Upgraded Admin Console --> System --> System Status to version 2.0. Added Graphical System Resources section to monitor CPU, Root and Data Filesystem utilization.
  • Moved Admin Console --> Content Checks --> SPF Configuration from the Pro Edition to the Community Edition.
  • Moved Admin Console --> Content Checks --> SPF Bypass from the Pro Edition to the Community Edition.
  • Refreshed the Postfix RBL List.

THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0

  • Admin Console --> System --> Relay Domains RENAMED TO Admin Console --> System --> Domains
  • Admin Console --> System --> Mail Queue Management RENAMED TO Admin Console --> System --> Mail Queue
  • Admin Console --> Content Checks --> DMARC Configuration RENAMED TO Admin Console --> Content Checks --> DMARC Settings
  • Admin Console --> Content Checks --> DKIM Configuration RENAMED TO Admin Console --> Content Checks --> DKIM Settings
  • Admin Console --> Content Checks --> DKIM Sender Bypass MOVED TO Admin Console --> Content Checks --> DKIM Settings
  • Admin Console --> Content Checks --> DKIM Trusted Hosts MOVED TO Admin Console --> Content Checks --> DKIM Settings
  • Admin Console --> Content Checks --> DKIM Sign MOVED TO Admin Console --> Gateway --> Domains --> Edit DKIM
  • Admin Console --> Content Checks --> SPF Configuration RENAMED TO Admin Console --> Content Checks --> Domains --> SPF Settings
  • Admin Console --> Content Checks --> SPF Bypass MOVED TO Admin Console --> Content Checks --> Domains --> SPF Settings
  • Admin Console --> System --> System Settings
  • Admin Console --> System --> System Status
  • Admin Console --> System --> System Logs

FIXES

  • Ensured the /var/lib/clamav-unofficial-sigs/db-us/ directory exists and is owned by the clamav user in order for the UrlHaus feed to work correctly.
  • Fixed links in version 2.0 Web GUI to point to Old Web GUI when page was not upgraded to version 2.0 instead of having a broken link, made 2.0 Web GUI the default upon login and removed any references and links to Old Web GUI.
  • Added additional checking for the url.mid field on the preloader_view_message.cfm to avoid app crashes if field is missing.

build-220203

NEW FEATURES:

  • Upgraded look of Hermes SEG Daily Quarantine Report and Hermes SEG Quarantine Report with new logo. Also updated the functionality of the Hermes SEG Quarantine Report to only report quarantined e-mail found in the past 2, 4 or 8 hours instead of the previous functionality that reported all quarantined e-mail for the current day on 2, 4 or 8 hour intervals. Updated wording in Admin --> Internal Recipients and Users --> Report Settings with new wording in the Quarantine Report Frequency field to reflect the new functionality.
  • Upgraded Admin --> Virtual Recipients and added ability to redirect multiple virtual recipients to internal or external recipients as well as the ability to redirect entire domains to internal or external recipients.

THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:

  • Admin Console --> Virtual Recipients

FIXES:

  • Fixed issue when adding external recipients encryption S/MIME mandatory defaulting to postmaster e-mail address due to external recipients encryption using the same session.email variable as in the Application.cfc.
  • Fixed issue where Admin Console --> Message History --> Message Actions --> Release Message(s) to Recipient and User Console --> Message History --> Message Actions --> Release Message(s) to Mailbox were not releasing message(s).
  • Increased Hermes SEG Service timeout from the default 90 seconds to 360 seconds to avoid timeouts during system boot for systems with commandbox.

build-211207

NEW FEATURES:

  • Moved System --> Console Settings from the Pro version to the Community version. Streamlined system URLs (Secure Portal Address, User Portal Address) to use the system IP or Host Name set in System --> Console Settings.
  • Moved System --> System Certificates from the Pro version to the Community version. Import Certificate and Generate CSR is available on the Community version, Request Acme Certificate is available on the Pro version only.
  • Moved Gateway --> SMTP TLS Settings from the Pro version to the Community version.
  • Moved Content Checks --> Custom Antispam Filter Tests from the Pro version to the Community version.
  • Upgraded User Console interface at /users/ to version 2.0. Changed authentication code and made it more resilient to attacks. Increased hash iteration from 5000 to 10000 iterations leveraging SHA-512 algorithm. As a result, this update resets all User Console passwords and forces users to enter new passwords next time they login to the User Console. Added haveibeenpwned.com password checking feature. Removed password complexity requirements, set password lengths to between 8 and 64 characters as per NIST 800-63 password guidelines. Improved Forgot Password functionality.
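
The User Console password rules described above (8 to 64 characters, no complexity requirements, a haveibeenpwned.com check) are sketched below as an added example; it is not Hermes SEG's own code. It assumes the check uses the Pwned Passwords range lookup, where only the first five hex characters of the password's SHA-1 are sent; `check_password`, `fetch_range`, `fake_fetch_range` and the sample data are hypothetical and constructed so the block runs offline.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 64   # length bounds stated in the release note
SENT_PREFIXES = []         # records what would leave the host

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def check_password(password, fetch_range):
    """Return (accepted, reason); fetch_range(prefix) returns a range response body."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False, "length"
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the 5-character prefix is sent; the suffix is matched locally.
    hits = parse_range_body(fetch_range(prefix)).get(suffix, 0)
    if hits > 0:
        return False, "breached"
    return True, "ok"   # no composition (upper/digit/symbol) rules are applied

# Constructed stand-in for the remote service; passwords and counts are made up.
CONSTRUCTED_BREACHED = {"password": 1000, "Winter2021": 12}

def fake_fetch_range(prefix):
    SENT_PREFIXES.append(prefix)
    lines = ["0" * 35 + ":0", "malformed line"]   # padding entry, junk line
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ["short", "password", "alllowercaseletters", "x" * 65]:
        print(repr(candidate[:20]), check_password(candidate, fake_fetch_range))
```
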

THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:

  • Admin Console --> Gateway --> SMTP TLS Settings RENAMED/MOVED TO Admin Console --> Gateway --> SMTP TLS Settings (Pro Only)
  • Admin Console --> Gateway --> SMTP TLS Policy RENAMED/MOVED TO Admin Console --> Gateway --> SMTP TLS Settings (Pro Only)
  • User Console --> Report Settings
  • User Console --> Sender Filters
  • User Console --> Change Password
  • User Console --> Message History

FIXES:

  • Added function to not allow the deletion of the system-self-signed Certificate in System --> System Certificates.
  • Removed duplicate (smtpd_tls_CAfile) in /etc/postfix/main.cf. Did not seem to cause issues but it's cleaner now.
  • Added error handling in /inc/restart_authelia.com and /inc/restart_nginx.cfm.
  • Fixed /etc/logrotate.d/authelia permission issue.
  • Fixed various queries in view_message.cfm, view_message_history.cfm, view_smtp_tls_settings.cfm, view_system_certificates.cfm to make them less vulnerable to SQL injection attacks.
  • Fixed issue in /opt/hermes/conf_files/50-user.HERMES where amavis was ignoring per user SVF policies because it was looking in the wrong SQL table and it was falling back to the Default policy.
  • Fixed issue when adding external recipients encryption defaulting to postmaster e-mail address due to external recipients encryption using the same session.email variable as in the Application.cfc.
  • Fixed issue with System --> Network Settings JavaScript not showing static settings when network mode was set to Static.
  • Fixed issue with Train Spam, Train Ham and Forget Messages routines in both the Admin and the Users Consoles not syncing the Bayes Database.

build-211019

NEW FEATURES:

  • Added Nginx HTTP Server in lieu of Apache.
  • Added Let's Encrypt (Acme) Certificates support for HTTP and SMTP TLS (future).
  • Added Wildcard CSR generation capability.
  • Added Authelia Authentication Server for authentication into Admin Console.
  • Added 2FA (Two Factor Authentication) for Admin Console.
  • Added ability to add multiple System User accounts in addition to the default "admin" user. Will be expanded in the future to include permissions.
  • Added Basic API for internal system functions. Will be expanded in the future for more functionality.
  • Added support for checking System User passwords against haveibeenpwned.com.
  • Re-worked Admin Console Firewall to work through Nginx. It now includes the ability to allow IPs to Hermes and/or Ciphermail Admin consoles.

Enabled Uncomplicated Firewall (UFW) with the following allowed incoming ports by default:

  • 22/tcp (SSH)
  • 25/tcp (SMTP)
  • 9080/tcp (Hermes Old Web GUI HTTPS)
  • 80/tcp (Hermes New Web GUI HTTP)
  • 443/tcp (Hermes New Web GUI HTTPS)
  • 3306/tcp (MySQL)

THE FOLLOWING PAGES HAVE BEEN ADDED:

  • System --> System Certificates (Pro Only)
  • System --> Admin Authentication

THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:

  • System --> Network Settings
  • System --> Admin Console Firewall (Pro Only)
  • System --> AD Integration (Pro Only)
  • System --> Console SSL Settings RENAMED/MOVED TO System --> Console Settings (Pro Only)
  • System --> Change Password RENAMED/MOVED TO System --> System Users
  • Gateway --> Certificate Signing Request RENAMED/MOVED TO System --> System Certificates (Pro Only)
  • Gateway --> Internal Recipients
  • Content Checks --> Message History & Archive RENAMED/MOVED TO Content Checks --> Message History
  • Encryption --> Internal Recipients Encryption RENAMED/MOVED TO Gateway --> Internal Recipients

FIXES:

  • Improved error handling in System --> System Backup for permission related errors in SMB Share.
  • Added functions to disable firewall and reset all MySQL username/passwords in System --> System Settings when running System Restore.
  • Fixed bugs in system_restore.sh script.