Zen Software LinkedIn Zen Software GooglePlus Zen Software Blog Zen Software YouTube

Try SecurityGateway

Download Free 30-Day-Trial Install the free fully functional 30-day trial version of SecurityGateway in just a few minutes on any Windows PC.

Download Free 30-Day-Trial

Got 5 minutes?

Why not take 5 minutes to watch a quick video overview of SecurityGateway

Any questions?

Call us on 0161 660 5738 or send us an email.


SecurityGateway starts around £125.00/year (ex. VAT).

Full price list

School or charity?

20% discount from RRP available for schools and charities!

Contact us for more info


Release notes

SecurityGateway 5.5.0 - May 8, 2018


[17479] IPV6 SUPPORT

Support for IPv6 has been added.  SecurityGateway will detect the level of IPv6 capability that your OS supports and dual-stack where possible; otherwise, SecurityGateway will monitor both networks independently.  If enabled, outbound SMTP connections will prefer IPv6 over IPv4 whenever possible.

A few options related to use of IPv6 can be found at Setup | System | IPv6.


  • [20332] Updated Cyren AV engine to AVSDK  This fixes some possible scanning error issues.
  • [20333] Updated ClamAV to version 0.99.4


  • [14919] fix to values less than seven characters in length cannot be added to the IP Whitelist and Blacklist, this prevents certain valid wildcard entries from being entered
  • [20308] fix to unable to load Content Filter Rule editor dialog in German language
  • [20282] Updated to version 3.12.2 of the FusionChart libraryy

SecurityGateway 5.0.1 - February 20, 2018


  • [11945] Added the ability to define which DNS servers to SecurityGateway should query.  By default the DNS servers defined in the operating system are queried.
  • [20189] Updated ClamAV to version 0.99.3
  • [20013] Renamed Alt-N Technologies to MDaemon Technologies
  • [19927] The suffix domain "rpost.biz" is now appened to the To and CC fields of email messages that are sent via RMail.  This is necessary for certain RMail reports to display properly.
  • [20167] Custom branding now also uses domain IP binding to determine if a domain specific branding images should be used


  • [19826] fix to logon via the XMLRPC API requires accepting terms of use
  • [19869] fix to when an "Office 365" domain mail server is configured, connections from any Office 365 mail server are considered to be from the domain mail server.  This can cause relay and anti-spam checks to be skipped for mail received from other Office 365 domains.  The logic has been improved to also verify that the message is from a local domain before considering an Office 365 mail server to be a domain mail server.
  • [19989] fix to Mailsploit address spoofing issues
  • [20053] fix to matching text is not logged when Content Filter rule matches text in a message header
  • [20165] fix to per domain branding images are not shown if HTTP request specifies a port number
  • [20197] fix to domain may be added to SSL white list when it was not attempting an SSL negotiation

SecurityGateway 5.0.0



A geographically based blocking system has been developed which allows you to block incoming SMTP and Remote Administration connections being attempted from unauthorized regions of the world. A new screen has been added at Security|Anti-Abuse|Location Screening to configure this.


  • [19501] In order to assist administrators with compliance to laws such as the General Data Protection Regulation in the EU we are adding the ability (Setup | User Options | Terms of User) for an administrator to add a terms of service statement which must be accepted by the users each time they login.  The user can accept the statement by checking a box.
  • [18094] Added hyperlinks to the message details view to find the matching list entry for whitelist and blacklist matches.
  • [19685] Improved support for Office 365.  If a domain mail server is configured to deliver mail to Office 365 (mail.protection.outlook.com), connections from an Office 365 mail connector will be treated as from a domain mail server.
  • [18420] Added a button, to the Message Log | Message Source view to download a message in EML format. This option is only available when the message's content is still available in the SecurityGateway database.
  • [19537] LetsEncrypt logging will now include additional details that will make it easier to troubleshoot. The log will include a URL to LetsEncrypt.com that will help explain why challenges fail.
  • [19284] When a message is released from the Administrative Quarantine the username of the administrator performing the action is now logged.


  • [19556] LetsEncrypt: fix to error handling when running certutil.exe
  • [18883] fix to SPF resolver does not resolve returned CNAME records when performing lookup for TXT policy record
  • [18904] fix to DMARC reports sent with wrong "mail from" address
  • [18934] fix to Unable to delete item from IP black/whist list using XMLRPC API
  • [19680] fix to the "RPost | Use specific relay host" option is not honored when the "Mail Delivery | Always send every outbound email to the server specified" option is enabled
  • [19712] fix to the LetsEncrypt script does not work if the option to redirect HTTP requests to HTTPS is enabled
  • [18935] fix to DMARC reports may specify wrong SMTP return path value until the service is restarted
  • (beta only) [19780] fix to "Data Leak Prevention" section appears twice on Security landing page

SecurityGateway 4.5.1 - May 9, 2017


[15657] SecurityGateway now integrates with the RMail™ service from RPost®

RMail™ is intuitive to use and there’s no requirement for your recipients to have any special software whatsoever. RMail™ empowers email usage for consumers and businesses of all sizes, across all industries and departments.

The RMail™ service is powered by RPost's Registered Email® technology, the global standard for email delivery proof. The RMail™ service extends your email platform, providing:

  • Track your important emails and know precisely when they’re delivered and opened.
  • Proof of Delivery, Time, and Exact Content.
  • Easily encrypt sensitive emails and attachments for security or legal compliance.
  • RMail™ makes it easy for all parties to e-sign and complete a transaction. delivered and opened.

Using a free RPost account, each user is limited to sending/receiving 10 encrypted messages per month. Additional messages can be purchased through RPost.  Click here for information on plans/pricing for increased message limits.

The RMail™ service may be enabled from the Security | RMail™ page or as an action of a message content filter rule.


  • [18524] Updated Firebird database components to version 2.1.7


  • [18602] fix to messages over 10KB in size with invalid MIME structure are not delivered
  • [18605] fix to potential crash in logic that converts HTML to text when searching message bodies
  • [18644] fix to SPF mechanisms after an "include" mechanism may not be evaluated correctly
  • [17294] fix to header is not added to quarantined messages when the "Allow mail server or client to filter quarantined messages" and "...add header" quarantine options are selected
  • [18516] fix to scheduled database maintenance may occur in the minute before the scheduled time
  • [18517] fix to automatic database backup does not run more than once in the same day even if the backup type or time has been changed
  • [18692] fix to unable to delete message from bad message queue

SecurityGateway 4.5.0 - April 4, 2017


[18161] The option "Honor CRAM-MD5 authentication method" found at Setup / Users | Mail Configuration | Email Protocol has changed to disabled by default for security and technical reasons. Using TLS is the preferred way to avoid transmission of passwords in the clear.


  • [17644] Added a set of built-in "Data Leak Prevention" rules.  These rules can be used to assist in detecting if sensitive information is being sent outside of the organization.
  • [18447] Added the ability to compare the message body or subject in a content filter rule condition
  • [18473] Added a "MAIL and RCPT" item in the "Rule Condition Editor" for Message Content Filter and Data Leak Prevention rules.  Comparators for this item are Inbound, Outbound, and Internal along with a negative option for each.
    • Inbound - Message is to a local user and is not from a local user of the same domain
    • Outbound - Message is from a local user and is not to a local user of the same domain
    • Internal - Message is to and from a local user of the same domain
  • [1894] Added "contains word" and "does not contain word" comparators for message content filter and data leak prevention rule conditions.  These are similar to the "contains" and "does not contain" comparators but will only match if there is a word boundary anchor proceeding and following the string.  This avoids the need to manually create a regular expression in the format of \b(word1|word2|word3)\b.
  • [18491] Added the ability to edit a "Currently defined string" for a content filter or data leak prevention rule condition by double clicking it.
  • [17875] Integration with Let's Encrypt via PowerShell script

    Let's Encrypt is a certificate authority that provides free certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. 

    A PowerShell script that supports LetsEncrypt is now installed to the SecurityGateway\LetsEncrypt directory.  A dependency of the script, the ACMESharp module, requires PowerShell 3.0. This means this script will not work on Windows 2003.

    The SecurityGateway HTTP service must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set everything up for LetsEncrypt, including putting the necessary files in the SecurityGateway HTTP (templates) directory to complete the http-01 challenge. It uses the FQDN configured in SecurityGateway for the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures SecurityGateway to use the certificate using SecurityGateway's XMLRPC API.

    The script creates a log file in the SecurityGateway\Logs\ directory called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date/time of the script but it does not include a date/time stamp for each action. Notification emails can be sent when an error occurs.

    If you have an FQDN setup for your default domain that does not point to the SecurityGateway server, this script will not work. If you want to setup alternate host names in the certificate you can do so. You need to pass the alternate host names on the command line.

    Example usage: .\SGLetsEncrypt.ps1 -UserName admin@domain.com -Password Password1 -AlternateHostNames mail.domain.com,imap.domain.com,wc.domain.com -EmailErrorsTo admin@domain.com

    You do not need to include the FQDN for the default domain in this list. For example, our default domain, altn.com, is configured with an FQDN of mail1.altn.com. We use an alternate host name of mail.altn.com. When I run the script, I only pass mail.altn.com as an alternate host name. If you pass alternate host names, an HTTP challenge will need to be completed for each them. If the challenges are not all completed the process will not complete correctly.

    If you do not need to pass in alternate host names then do not include the –AlternateHostNames parameter in the command line. If you do not want to have email notifications sent when an error occurs do not include the –EmailErrorsTo parameter in the command line.
  • [17670] Updated Cyren Anti-Virus engine to version 5.4.28-r1
  • [18271] Updated to version 8.00.0125 of the Cyren Outbreak Protection SDK
  • [17657] Changed the write mode for the Firebird database from asynchronous to synchronous as this should resolve some instances of database corruption.  However, this change does come with a performance cost. This will not be an issue for most installations.  A new screen has been added at Setup | Database | Configuration to specify the database write mode.  Asynchronous write mode is only recommended when the performance of synchronous write mode is not sufficient. It is critical that the system be protected by a reliable UPS and that database backups are maintained.
  • [15753] Replaced built in crash memory dump generation code with code that creates registry entries for Windows Error Reporting.  This functionality requires Windows Server 2008/Windows Vista or later.  A memory dump file should be created in the "CrashDumps" folder if the securitygateway.exe process crashes.  The location of this folder may be changed from Setup/Users | System | Directories.
  • [16730] Added "Result" column to the Queued for Delivery view
  • [17746] Implemented Sieve extension "proximity" tag for "allof" test.  This allows for scripts where multiple search terms must exist within a proximity of a specified number of characters of each other.
  • [17792] Added GetSetting and PutSetting methods to the XML-RPC API
  • [10223] Added option to Setup | Mail Configuration | Email Protocol to "Hide software version identification in responses and 'Received:' headers".  This option is disabled by default.
  • [17866] SecurityGateway may report the version of the OS version that it is running on when it requests an updated license file from Alt-N. This information is helpful as we make decisions about which OSes to support. To not report such information, disable the "Include optional usage and environment data in license request" option on the Setup | Registration page in the web interface.
  • [13464] Added options to Security|Anti-Spam|Backscatter Protection to specify IP addresses and domain names of sites that are exempt from Backscatter Protection return-path signing
  • [17924] Updated SpamAssassin engine (SGSpamD.exe) to include Encode module for charset conversion and normalization
  • [11776] Added a per-domain option for the maximum acceptable SMTP message size
  • [18485] SecurityGateway starts warning about impending license deactivation 7 days in advance (up from 5 days).
  • [18362] Improved logging in DMARC processing when SPF lookup was not performed due to a NULL SMTP return path


  • [17452] fix to it is possible to add a content filter condition when an empty criteria string
  • [16163] fix to updating a Message Content Filter Rule may result in the truncation of the last character of the condition string
  • [17753] fix to usage key returned by activation server is not saved when "Click here to request an updated license file" link is manually clicked
  • [17765] fix to the "Exclude the files listed below" virus scanning options only apply to the "Quarantine messages that cannot be scanned" option and need to be indented
  • [17860] fix to "Account Hijack Detection" is not activated if sender authenticates as a user account alias address
  • [17934] fix to DMARC failure reports (RUF) are not DKIM signed
  • [16922] fix to Bayesian learning process fails when SecurityGateway is installed under the Program Files (x86) directory and support for NTFS short file names is not enabled on the volume.  This is the default configuration for new volumes created by Windows Server 2012.
  • [18023] fix to Sieve "envelope" test "domain" tag does not match as expected
  • [18155] fix to the DNS parser adds an additional space character between the lines of multi-line TXT DNS records. This may result in erroneous SPF and DMARC policy failures when a single policy element spans multiple lines.
  • [18167] fix to the message count contained in the administrative quarantine report may be incorrect for domain administrators
  • [18054] fix to unable to disable DKIM signing for a domain
  • [18189] fix to browser may autofill other password fields with saved logon password
  • [18251] fix to SPF test may errantly return pass result if SPF policy contains the "include" directive
  • [18298] fix to regular expression for detecting blank subjects not working
  • [17035] fix to unable to edit a condition in a Message Content Filter rule while that rule is disabled
  • [18417] fix to the Whitelist/Blacklist list view may display characters in an entry's comments encoded as HTML entities
  • [18361] fix to incorrect DMARC / DKIM / SPF lookups occurring for some domains
  • [18573] fix to a corrupted .zip file may cause securitygateway.exe process to consume all system memory and crash
  • [18021] fix to under specific conditions, a message may be accepted but not delivered to the domain email server.  In the outbound log, the session for the message will contain SIZE=0 and delivery will fail.

  SecurityGateway 4.0.1 - July 26, 2016


  • [15504] SPF will now only honor the global IP whitelist.  This prevents an issue where SPF lookups are not performed if the sender's address is on a whitelist.


  • [17352] fix to users are re-verified against the user verification source for each message received.  The "flag users for re-verification after X hours" is not honored.
  • [17339] fix to the Configuration and Defaults settings on the User Options page are not be saved when specifying them per domain
  • [17359] fix to when creating or editing an SMTP user verification source the password is not hidden
  • [17282] fix to when the operating system's codepage for non-Unicode application is set to a multi-byte codepage (i.e. Japanese or Chinese) , and the logged in user's language is Japanese or Chinese, report graphs may not be displayed.  The SecurityGateway system service may also terminate when the above is true and a report is requested.
  • [17243] fix to subject of automated messages may contain additional whitespace around product name
  • [17272] fix to German language Disclaimer List page does not load and displays pop-up error
  • [17299] fix to unable to save "When SPF processing returns a PASS result add points to message score" option
  • [17410] fix to database configuration backup fails if any Remote POP Accounts are defined

 SecurityGateway 4.0.0 - June 14, 2016


[15999] Web Interface Updated to use a Mobile First Responsive Design

The web interface has been updated to use a mobile first responsive design.  Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS.  Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.

This design is based entirely on the size of the window being used.  Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size.  The most important change here is the menu.  From 1024 pixels width on down the menu is hidden on the left side of the browser.  There are two methods that can be used to display the menu.  If a touch device is in use, swiping to the right will show the secondary menu.  Whether or not a touch device is in use, there is also a "menu" button in the top left corner that will display the secondary menu.  Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu.  The help, about, and sign out menu in the top right corner changes based on the width of the screen as well.  From 768 pixels up shows the words Help, About, and Sign Out, from 481 pixels to 767 pixels only displays the icons, and 480 pixels or less displays a "gear" icon which when clicked or tapped will display a drop down menu with the Help, About, Sign Out options.  List views with more than one column have column on/off buttons.

[11232] DMARC

Support for DMARC (Domain-based Message Authentication, Reporting, and Conformance) has been added. DMARC defines a scalable mechanism by which a mail sending organization can express, using the Domain Name System, domain level policies and preferences for message validation, disposition, and reporting, and a mail receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works can be found here: http://www.dmarc.org/.

DMARC allows domain owners to express their wishes concerning the handling of messages purporting to be from their domain(s) but which were not sent by them.  Possible message handling policy options are "none" in which case SecurityGateway takes no action, "reject" in which case SecurityGateway refuses to accept the message during the SMTP session itself, and "quarantine" in which case SecurityGateway places the following header into each message for easy filtering into your user's Junk E-mail folder:  "X-SGDMARC-Fail-policy: quarantine".  This header is only added when the result of the DMARC check is "fail" and the resulting DMARC policy is something other than "none."  It is possible to configure SecurityGateway to accept messages even though DMARC requests that they be rejected.  In fact, this is the default operational mode.  In these cases SecurityGateway will place an "X-SGDMARC-Fail-policy: reject" header into the message in case you want to filter more seriously on that.

DMARC supersedes ADSP and the message disposition features of SPF.  However, you can still use all of them together with DMARC.   ADSP and SPF message rejection now takes place after DMARC processing if DMARC verification is enabled.

DMARC depends in part upon the use of a "Public Suffix List." A "Public Suffix" is one under which Internet users can directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. A "Public Suffix List" is a list of all known public suffixes. SecurityGateway uses the one maintained for the community by the Mozilla Foundation that is found here: https://publicsuffix.org/. A copy of this list is installed into your \App\ folder as effective_tld_names.dat. There is currently no comprehensive or single authoritative source for such a list which is an issue the Internet community should address. Over time this file will grow obsolete and must be replaced by downloading it afresh from https://publicsuffix.org/list/effective_tld_names.dat and saving it to your \App\ folder. SecurityGateway will periodically and automatically download and install this file as part of the daily maintenance event approximately once every two weeks.  Various controls to govern this can be found on the new DMARC configuration screens.  The DMARC log and the new DMARC window within the Security tab inside the main UI will contain the results of the update and all other DMARC processing operations.  You can set a different file download URL if needed but the data downloaded must conform to the format specified by Mozilla for their file. You can read about this at the URL mentioned above.  SecurityGateway strictly follows the parsing algorithm specified by Mozilla. Create a (possibly empty) file called "PUBLICSUFFIX.SEM" and place it in SecurityGateway's \App\ folder if you replace or edit the effective_tld_names.dat file yourself and need SecurityGateway to reload it without a reboot.

To use DMARC as a mail sender you must publish a DMARC TXT record within your domain's DNS setup.  Information on how this record is defined and structured can be found at http://www.dmarc.org. When you publish a DMARC record to your DNS you may begin receiving DMARC reports from many different sources via email. These reports are provided as a compressed XML file whose format is governed by the DMARC specification. Consuming these reports is outside the scope of SecurityGateway's DMARC implementation. However, the data within these reports can provide important insight into a domain's mail flow, improper domain use, DKIM signing integrity, and SPF message path accuracy/completeness. The addresses to which these reports are sent is configured by you when you create your DMARC record.

When setting up a DMARC record for one or more of your domains take care with use of p=reject.  Take particular care if your domain provides email accounts for general use by human users.  If such users have signed up for any mailing lists, make use of a mail forwarding service, or expect to use common things like "share this article with a friend" you should know now that a DMARC p=reject policy could make those things entirely impossible and if so you'll hear about it.  DMARC p=reject is perfectly appropriate and useful but only when it is applied to domains that control how their email accounts are used (for example, transactional mail, automated (i.e. non-human) accounts, or to enforce corporate policies against use of the account outside organizational boundaries).

In order to support DMARC aggregate reporting SecurityGateway will store data which it will need later in order to generate aggregate reports according to the DMARC specification. SecurityGateway ignores the DMARC "ri="; tag and only produces DMARC aggregate reports that cover from 00:00:00 UTC to 23:59:59 UTC for a given day. At midnight UTC (which is not necessarily midnight local time) SecurityGateway consumes this stored data to generate the reports. SecurityGateway needs to be running at this time or the stored data could grow and grow and never be consumed. Therefore, if you do not run your SecurityGateway 24/7 you should not enable DMARC aggregate reporting.  DMARC aggregate reporting is disabled by default.

In order to support DMARC failure reporting RFC 5965 "An Extensible Format for Email Feedback Reports", RFC 6591 "Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6652 "Sender Policy Framework (SPF) Authentication Failure Reporting Using the Abuse Reporting Format", RFC 6651 "Extensions to DomainKeys Identified Mail (DKIM) for Failure Reporting", and RFC 6692 "Source Ports in Abuse Reporting Format (ARF) Reports" have been fully implemented.  Failure reports are created in real-time as the incidents which trigger them occur.  SecurityGateway implements DMARC AFRF type failure reports and not IODEF type reports.  Therefore, only values of "afrf" in the DMARC "rf=" tag are honored.  See the DMARC specification for complete details.  Multiple failure reports can be generated from a single message depending upon the number of recipients in the DMARC record's "ruf=" tag and upon the value of the "fo=" tag times the number of independent authentication failures which were encountered by the message during processing.  When the DMARC "fo=" tag requests reporting of SPF related failures SecurityGateway sends SPF failure reports according to RFC 6522.  Therefore, that specification's extensions must be present in the domain's SPF record.  SPF failure reports are not sent independent of DMARC processing or in the absence of RFC 6522 extensions.  When the DMARC "fo=" tag requests reporting of DKIM related failures SecurityGateway sends DKIM and ADSP failure reports according to RFC 6651.  Therefore, that specification's extensions must be present in the DKIM-Signature header field and the domain must publish a valid DKIM reporting TXT record in DNS and/or valid ADSP extensions in the ADSP TXT record.  DKIM and ADSP failure reports are not sent independent of DMARC processing or in the absence of RFC 6651 extensions.  See the various specifications referenced herein for complete details.  DMARC failure reporting is disabled by default.

Important Note:  A DMARC record can specify that reports should be sent to an intermediary operating on behalf of the domain owner. This is done when the domain owner contracts with an entity to monitor mail streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by your privacy policy, terms of use, or other similar governing document.  You should review and understand if your own internal policies constrain the use and transmission of DMARC reporting and if so you should disable DMARC reporting as appropriate.

DMARC requires use of STARTTLS whenever it is offered by report receivers however there's no way to predict or police this.  However, you should enable STARTTLS if you haven't already (see Setup | System | Encryption).

The Authentication-Results header has been extended to include DMARC processing results. Note that Authentication-Results includes some data in comments for debugging purposes including the DMARC policy requested by the domain owner which is not necessarily the action taken on the message. For example, when the result of a DMARC check is "pass" it does not matter what the DMARC policy states as policy is only applied to DMARC checks which "fail". Similarly, when the result of a DMARC check is "fail" and the policy is "reject" the message may be accepted anyway for local policy reasons. Use of this header for filtering should take all this into account.  Alternatively, filter for "X-SGDMARC-Fail-policy: quarantine" or "X-SGDMARC-Fail-policy: reject" to filter these messages into spam folders or whatever you want to do.  SecurityGateway strips out the "X-SGDMARC-Fail-policy:" header from every incoming message.

Messages must conform to DMARC section 15.1 with respect to the RFC 5322 From header or they are not processed which basically means that the absence of a single (one and only one) properly formed (according to RFC specifications) RFC5322 From field renders the message invalid generally and therefore invalid for DMARC processing.

Several new screens have been added at Security | Anti-Spoofing where you can set various options related to DMARC use. 

DMARC requires SPF and/or DKIM verification to be enabled as it is based upon the verified identities that those two mechanisms provide.  You can't make productive use of DMARC for inbound mail without one or both of those technologies enabled. The UI will try to enforce this. 

[3961] Bind Domain to an IP address

 For servers that have multiple IP addresses assigned, each domain may be bound to a specific IP address.  Mail from the domain will be sent from this IP address.

A SMTP Hostname may also be specified for the domain. This value is the Fully Qualified Domain Name (FQDN) that will be used in the SMTP HELO/EHLO instruction when sending mail for the domain. For incoming connections, this value will be used unless multiple domains are bound to the IP address, in which case the FQDN used will be the one that is associated with the domain that is first in alphabetical order.


  • [16701] Updated ClamAV engine to version 0.99.2
  • [16263] Updated to version 8.00.0122 of the Cyren Outbreak Protection SDK
  • [16594] All support for the original DomainKeys message authentication system has been removed.  DomainKeys is obsolete and has been replaced by the acceptance and adoption of DKIM which SecurityGateway continues to support.  Some web interface dialogs related to DomainKeys and DKIM found within Security | Anti-Spoofing have been reorganized as a result and options related to DomainKeys removed and the remaining options better consolidated.  The install process will remove DomainKeys.dll.
  • [16983] All support for Sender-ID has been removed.  This technology never caught on and is obsolete.
  • [16338] All references to "company.mail" have been changed to "company.test" to comply with RFC 6761
  • [15573] Updated the look of the quarantine report emails to match the new SG GUI update
  • [15568] Added check boxes to lists that allow the selecting of multiple list items
  • [16424] Added an option to decide when to display the charts on the Main and My Account landing pages to Main -> My Account -> Settings and to Setup / Users -> Account -> User Options. The 4 choices are "Automatic" (default), "Always", "Manual", and "Never".
  • [16365] Added X-Frame-Options: SAMEORIGIN header to HTTP responses
  • [16425] Added X-XSS-Protection: 1 header to HTTP responses
  • [16275] The Free Disk Space Monitoring page has been changed to display values in MB instead of KB.  The default "low disk space value" (the value below which SecurityGateway believes the disk is running low and starts complaining about it) was changed from 10MB to 1000MB.  Likewise, the "auto-shutoff value" (the value below which SecurityGateway will disable mail services due to critically low disk space) was changed from 1MB to 100MB.  Please check and change the values at Setup|System|Disk Space if they present a problem for you.
  • [137] Added description for system service, when viewed from the services manager
  • [16582] The "... unless message is TO a local account" exclusion for the "Only domain mail servers can send local mail" Relay Control option is now disabled by default
  • [1692] Added the ability to filter the message log by sender IP using CIDR notation, simply enter the CIDR pattern as the IP address in the filter dialog
  • [15606] Removed the "Blacklist" link from the quarantine report email by default.  Added a "Confirm as Spam" link that will learn the message as spam if Bayesian learning is disabled and delete the messages from the user's quarantine.  The "Blacklist" link can be restored via an option in Setup | Mail Configuration | Quarantine Options.


  • [15697] fix to Host, Addresses Blacklist and Address Whitelist dialogs are cut off at bottom when using Firefox
  • [16125] fix to outbound SMTP session hangs if server returns that it supports AUTH but lists no AUTH methods
  • [16248] fix to message that contains embedded NULL characters is corrupted
  • [16305] fix to message collected from remote POP accounts may be discarded if case does not match
  • [16364] fix to if quarantine_report.xsl is found custom_admin_quarantine_report.xsl is also assumed to exist
  • [16041] fix to cannot change a local admin to an external admin
  • [16042] fix to cannot edit an external administrator
  • [15605] fix to DKIM will not sign messages if the sender's domain name specified in the SMTP session contains upper case letters
  • [15732] fix to Message Log "Subject Starts With" search condition returns no results when using "NOT"
  • [16279] fix to Security->Anti-Spam->Greylisting unable to click "Exclude messages from domain mail servers"
  • [16910] fix to Unable to "Delete All" quarantined messages when using a filter with a date range set
  • [16986] fix to subject tag based upon the message's score is not added if the message is also quarantined due to its score
  • [17047] fix to no result feedback message is displayed after using the Spam/Not Spam toolbar buttons from the Quarantined (Admin) view.
  • [17048] fix to the sending of Administrative Quarantine reports are not logged to system log
  • [17115] fix to mouse cursor is not changed to a pointer when hovering over enabled paging bar icons that can be clicked
  • [17121] fix to no VBR certifiers are trusted when multiple values are specified for "Host name(s) of certification services that I trust"
  • [11789] SPF verifier ignoring CIDR pattern for A and MX policies
  • [17041] fix to Outbreak Protection queries may fail with "Unable to comply with the request because you are not licensed for the antispam or VOD service" after registration key is updated until SecurityGateway service is restarted

SecurityGateway 3.0.3 - November 17, 2015


  • [8481] Compressed archive files (.zip and .rar) are now scanned for restricted attachments.  Archive files are recursively scanned up to a depth of 16 levels.
  • [13435] Added "STARTTLS Whitelist" and "STARTTLS Required List" options to Setup | Encryption.  STARTTLS will never be used when sending to IP addresses, hosts, or domains on the STARTTLS whitelist.  STARTTLS will never be advertised to connecting hosts/IPs on the STARTTLS whitelist.  SMTP connections to hosts/IPs on the STARTTLS Required list MUST use STARTTLS. If STARTTLS is not available or fails, the message will not be sent.
  • [13657] Added option to Setup | Encryption which allows you to temporarily white list hosts which encounter an SSL error during an SMTP session.  The white list is reset every hour.
  • [13803] SecurityGateway now supports TLS 1.1 and 1.2. Requires Windows 7 / Server 2008 R2 or newer.
  • [13974] Added an option for a global administrator to export all whitelists and blacklists to a CSV file.  This includes the global, domain, and user lists.
  • [14400] Update Outbreak Protection SDK to version 8.0.110
  • [15124] SecurityGateway trial keys are now sent via email and must be entered into the installer to continue. The trial period is 30 days.
  • [12688] Updated charting component to eliminate dependency of Adobe Flash
  • [13869] Added an option to Setup / Users | User Options | Configuration to "Send an alert to global administrators when a new user is created"
  • [15534] Added a "Delete All" button to Bad Messages queue view.  Clicking the "Delete" dropdown menu will allow the user to delete the selected messages or to delete all messages.
  • [15171] Updated SpamAssassin to version 3.4.1
  • [15432] Added option to My Account | My Settings and Setup | Mail Configuration | Quarantine Configuration to control how the quarantine report email is sorted.  By default the quarantine report will continue to be sorted by date received, however it can now be sorted by sender or subject.
  • [15553] Updated Cyren Antivirus to version 5.4.6-r1
  • [14326] Updated to latest version of libdkim library


  • [616] fix to SQL error "Execute(execute procedure update_user(?,?,?,?,?,?,?,?)) ... update conflicts with concurrent update" logged to system log
  • [13970] fix to "Maximum Bayesian Database Tokens" field in web interface should allow 6 digits
  • [13994] fix to the height of the tab pane on the new/edit remote POP account dialog may be too small
  • [13996] fix to System log may contain database error "Deadlock... Context: Statement::Execute(delete from failedauth where ip=?)"
  • [13997] fix to the "verify from" Sieve condition may fail in custom Sieve scripts even if the message is from a local user
  • [13998] fix to searching message log by sender or subject may return no records, "invalid token" database exception logged to System log file
  • [14011] fix to installer still contains old domain cap logic. This may prevent installation in specific scenarios.
  • [14059] fix to Transient Delivery Failure messages are no longer being generated on delivery problems
  • [14333] fix to message log entries for which "no mail was sent" are not removed by the nightly maintenance process
  • [15383] fix to domain aliases are not included in configuration only backup
  • [15789] fix to after enabling the "... unless message is from a whitelisted IP address or host" option for SMTP Authentication, the option is not checked when returning to the page
  • [15846] fix to bandwidth Throttling speed logged to SMTP session transcript is incorrect
  • [15884] fix to recipient parsed from mail collected via a POP account is rejected if the Recipient's address is for a cross domain alias
  • [16014] fix to new virus definitions may not be used until the Cryen AV engine is reloaded

SecurityGateway 3.0.2 - September 9, 2014


  • [10328] Added an option to exempt specific file names from the "Quarantine messages that cannot be scanned" feature.  This allows SecurityGateway to receive password protected files with a known file name.
  • [13477] Support for RFC 3848 (SMTP and LMTP Transmission Type Registration) has been added. This governs the value of the "WITH" clause in Received headers. This means you'll see "ESMTP" for unauthenticated non-SSL sessions, "ESMTPA" for authenticated sessions, "ESMTPS" for SSL sessions, or "ESMTPSA" for authenticated & SSL sessions.
  • [13564] Added "unless message is from a whitelisted IP address or host" exemption option for SMTP Authentication


  • [13457] fix to reports contain no result for custom date range where start and end dates are the same
  • [13486] fix to message transcript data orphaned in database if the data retention option to not log incomplete messages to the database is enabled
  • [13487] fix to can only use number pad negative sign for "Add to message score" action
  • [13500] fix to a rejected message, for which the message data was received and retained, that is selected for redelivery is not delivered becomes stuck in the delivery queue
  • [13509] fix to in the system log file, the time required to complete database maintenance is incorrect if the process take an extremely long time
  • [13559] fix to Cyren AV engine reports messages with quoted printable encoding that does not strictly follow the standard as corrupt.  This causes the message to be placed into the "Administrative Quarantine" if the option to "Quarantine messages that cannot be scanned" is enabled.
  • [13406] fix to empty SMTP AUTH password may cause process to terminate
  • [13382] fix to warning string in license file causes dashboard view to not load
  • [13321] fix to time logged for database maintenance process to delete old messages is incorrect
  • [13422] fix to domain administrator cannot release an item from the Administrative Quarantine
  • [13425] fix to failed CRAM-MD5 AUTH attempt followed by successful AUTH LOGIN for same user still counts towards failed auth dynamic screening threshold
  • [13672] fix to incorrect port logged for connections received on dedicated SSL port

SecurityGateway 3.0.1 -  June 17, 2014


  • [13227] fix to certain viruses may not be detected by the CyrenAV engine when the "Attempt to clean infected messages" option is enabled
  • [13240] fix to unable to login when French language is selected
  • [13246] fix to database exception during nightly maintenance causes process to crash.  The exception is now handled and logged to the system log file.
  • [13255] fix to the translated text for the "Russian" language selection on the logon page language menu is "English" and not "Russian"
  • [13278] fix to unable to use domain's SMTP AUTH password to authenticate
  • [13276] fix to unable to perform a new installation using the Japanese language installer because the Next button is not enabled after completing the Customer Information dialog
  • [13295] fix to login page may "jump" while loading the logo image
  • [13296] fix to when delivering mail additional MX records are not attempted if the TCP connection is successful, but the connection terminates without an SMTP protocol error occurring. Examples of this include an SMTP session that times out or is closed by the other side.

SecurityGateway 3.0.0 - May 27, 2014


  • [12243] Outbreak Protection and CYREN AntiVirus are now included in SecurityGateway!
    • The ProtectionPlus add-on is no longer needed to add an additional layer of antivirus and spam protection to SecurityGateway and has been discontinued. When upgrading to v.3.0 the installer will inform the user that it must automatically uninstall ProtectionPlus before proceeding. Please note that if upgrading from within the web interface, there is no opportunity for a prompt and that ProtectionPlus will be automatically uninstalled.
    • Kaspersky AV integration, which was previously provided via the ProtectionPlus add-on, has been replaced with CYREN AntiVirus built in to SecurityGateway.
  • [12957] Active Software License Renewal coverage is required for Cyren Outbreak Protection, Cyren AntiVirus, ClamAV updates, SpamAssassin updates, and Bayesian Learning.
  • [12958] The trial period has been changed. A hassle free 14 day trial period is now offered without the need to provide any contact information. Simply install the product and a trial license will be automatically downloaded. The trial period may be extended to 30 days by providing valid contact information.


  • [1444] Dynamic screening for failed SMTP authentication attempts now works across sessions over time. Previously, the failed authentication attempts had to occur within a single session. The failed authentication count for an IP is reset at midnight, or when it is blocked and added to the dynamic screening list.
  • [1485] Added "User Verification Source Options" page with options that allow response caching and user re-verification to be configured.
  • [3597] Added "Released" as a reason when filtering the message log
  • [3618] Added the ability to exclude whitelisted senders, authenticated sessions, and domain mail servers from attachment filtering
  • [11386] Restart clamd.exe immediately if "unable to allocate memory" or "cannot create thread" error occurs
  • [11702] SecurityGateway.exe is now Large Address Aware, allowing it to use up to 4 GB of RAM on a 64-bit OS.
  • [11703] Added "Spam" and "Not Spam" buttons for Bayesian Learning to the quarantine views
  • [12367] Updated Firebird database engine to version 2.1.5
  • [12368] Updated ClamAV to version 0.98
  • [12456] Updated Chilkat library to 9.4.1
  • [12542] Improved whitelisting or blacklisting a sender directly from the message log or quarantine
    • Added "Whitelist" and "Blacklist" button to the domain and global views
    • Domain administrators may add the sender to the recipient domain's list
    • Global administrators may add the sender to the global list
    • Allow the sender's domain to be added, as a wildcard entry
  • [12817] Updated product logos
  • [12936] Added support for using the hostname returned by PTR lookup as a condition in SIEVE scripts
  • [13031] Added option to automatically redirect HTTP requests for the web interface to HTTPS


  • [9051] fix to the Bayesian learning process fails if the Bayesian DB path in SpamAssassin's local.cf file contains a parenthesis. The impacts most installations on a 64bit OS as the default install location is "Program Files (x86)"
  • [10118] fix to when delivering remote mail, other MX records are not tried when the TCP connection is successful but a SMTP protocol timeout occurs
  • [10126] fix to unable to disable "Close SMTP session after banning IP" setting under Dynamic Screening
  • [10961] fix to Account Hijack detection does not kill current session when account is disabled
  • [11049] fix to Notepad does not detect logs as UTF-8 encoded
  • [11146] fix to unable to disable "... include original message when informing the sender" option under "Mail Delivery"
  • [11219] fix to SSL negotiation error 0x80090308 when sending to certain SMTP servers
  • [11240] fix to Bayesian auto-learning does not occur if message is rejected
  • [11300] fix to when searching the message log, a search string that contains a single quote results in an SQL error and no results are returned
  • [11308] fix to dashboard displays negative days remaining in trial after trial license has expired
  • [11428] fix to "Save" button may not be enabled on "Quarantine Options" page
  • [11442] fix to Administrative Quarantine Report interval still displayed as "Daily" after being changed to another value
  • [11639] fix to installer unable to validate license when system does not have a MAC address
  • [12013] fix to redelivering a message needs to change the MessageID, or Exchange will believe it is a duplicate and not deliver it
  • [12188] fix to unable to change just license name or company while leaving registration key the same
  • [12256] fix to disabled user can still authenticate if the user is enabled on the user verification source
  • [12312] fix to cannot access login page when installed on Windows Server 2012 R2
  • [12353] fix to unable to verify SPF record that contains "ip6" mechanism
  • [12378] fix to if a sender's name contains non-ASCII characters separated by a comma, it may be rejected by the RFC compliance test
  • [12387] fix to possible installer crash seen on Windows Server 2012 64bit
  • [12397] fix to script error after adding DNSBL response that contains an ampersand character
  • [12411] fix to message with a subject containing UTF8 line break (0xE2 0x80 0xA8) character will prevent the mesage log from being displayed
  • [12439] fix to "Configuration Only" backup may fail with "violation of FOREIGN KEY constraint 'FK_DOMAINUSERS_USER' on table 'DOMAINUSERS'"
  • [12469] fix to potential database deadlock "update conflicts with concurrent update" when updating dynamic screening record for an IP address
  • [13023] fix to if the license file contains a warning, it is logged to the system log every minute
  • [13028] fix to no entry logged to system log for update check that runs as part of the midnight maintenance process
  • [13064] fix to installer may download license file to wrong location
  • [13086] fix to the global IP address and Host blacklists are not checked until the RCPT event. This allows a blacklisted IP or Host to attempt to authenticate using the AUTH command.
  • [13135] fix to unable to verify license file if serial number in the database is in lower case

SecurityGateway 2.1.2 - April 30, 2013


  • [11116] fix to license usage requests may not be performed as scheduled. This results in the administrator receiving an email that they have 5 or less days to activate the software. A license usage request is performed before the license file expires.

SecurityGateway 2.1.1 - April 9, 2013


  • [9436] fix to message log search returns same results for "Result IS Quarantined" and "Result NOT Quarantined"
  • [10772] fix to registration page does not display display the days remaining in ProtectionPlus subscription
  • [10960] fix to unable to verify user passwords via ActiveDirectory user verification source
  • [10970] fix to license expiration warning email is sent to administrators for expiring trial keys. This message is sent in addition to the "Trial Expiration" warning message.
  • [10952] fix to the ProtectionPlus update checker is still using the old process. It should check the <LatestVersion> information from the license file.
  • [10959] fix to web based upgrade checker does not check if software upgrade protection coverage is valid for the new version.  A version may be installed for which the current license is not valid.

SecurityGateway 2.1.0 - March 26, 2013


  • ProtectionPlus for SecurityGateway version 2.0.1 or later is required. Please visit please visit http://www.altn.com/Products/ProtectionPlus/ to upgrade your installation of ProtectionPlus for SecurityGateway.
  • [10069] Product registration system has been updated to utilize a digitally signed XML based license file. This approach allows for greater flexibility, and will enable ALT-N to offer new innovative purchasing and renewal options. The installation process will automatically download the license file. Product activation has been replaced by a scheduled mechanism that will update the license file on a periodic basis. The system is able to accommodate temporary connectivity outages, however communication with the licensing service is required for continued use of the product.
  • [9368] SecurityGateway no longer supports Windows XP older than Service Pack 2 or Windows Server 2003 older than Service Pack 1.



The "Account Hijack Detection" feature limits the rate at which accounts can send mail and adds an option to disable local accounts which try to send more than XX messages in XX minutes.  When an account is disabled an email is sent to the global administrator which contains a link to re-enable the account.  Note that the account could quickly get disabled again if the message sending continues.  Accounts disabled by this process can still accept incoming mail but they cannot log in to web administration and they cannot send mail.  The intent is to try and recognize and stop a hijacked account so that the administrator can review the situation and take action. This feature only applies to authenticated sessions, authentication must be required when sending mail as a local user.  In addition, global administrator accounts are exempt.


A quarantine report for the "Administrative Quarantine" is now sent to domain and global administrators.


  • [10016] Improvements to IP Shielding
    • Added option to check message's "From" header against the IP Shield database
    • Added option to exclude authenticated senders
    • Added option to exclude domain mail servers
    • Added support for $LOCALDOMAIN$ macro
  • [5822] Options to better handle RSET commands
    • Added an option to Setup|Email Protocol to set a max number of RSET commands allowed in an SMTP session (default is 20)
    • Added an option to Security|Dynamic Screen for banning an IP that issues more than x RSET commands
  • Improvements to RFC Compliance test
    • [9939] When a message is rejected because it is not "RFC Compliant" a reason string is now logged and returned in the SMTP response
    • [9940] Added an option to "Setup | Email Protocol" page to control if the "RFC Compliance" test requires the message to contain a "Date" header.  Some legitimate messages are known to not contain a "Date" header, an example is the test message sent by Outlook when configuring a mail account. This option is disabled by default.
    • [10597] The RFC Compliance test is now enabled by default for new installations.
    • [10598] If the message's "from" header contains multiple email addresses, a sender header with a single email address must be present.
  • [9941] Added options to the Setup | Mail Delivery page to control...
    • If the sender should be notified if their message cannot be delivered
    • If the original message should be attached when informing the sender
  • [9951] Updated Firebird database to version 2.1.5
  • [10609] Updated ClamAV engine to version 0.97.6


  • [9912] fix to the web interface is not fully compatiable with MSIE 10
  • [10090] fix to certain database timeouts may crash process
  • [10365] fix to while the correct value is sent to the client, macros such as $RBLREASON$ are not expanded in the message log
  • [10332] fix to possiable crash while validating users via Active Directory

SecurityGateway 2.0.8 - December 5, 2012


  • [9134] Updated Chilkat library to 9.3.2
  • [9267] Updated ClamAV engine to version 0.97.5


  • [8876] fix to process may run out of stack space and crash due to recursive SPF processing loop
  • [9255] fix to statistics report is sent to disabled administrator accounts
  • [9257] fix to HELO/EHLO and MAIL DNS lookup may close the connection even though the refuse mail option is disabled
  • [9258] fix to SMTP session terminated by dynamic screening due to failed AUTH attempts causes the transcript/log of a future session to start with entries that are related to the older terminated session
  • [9266] fix to no description provided with SMTP error code when message is rejected because it exceeds the maximum message size
  • [9283] fix to loop when remote server returns an error in response to "QUIT" command

SecurityGateway 2.0.7 - January 17, 2012


  • [8441] Updated ClamAV engine to version 0.97.3
  • [8558] The 200KB size limit on messages scanned by Outbreak Protection has been removed
  • [5120] Generated user passwords now have a random length and contain numbers and symbols
  • [7787] Multiple SMTP connections are now supported when delivering mail to a local domain mail server. This reduces the amount of time that items remain queued in SecurityGateway before they are delivered to the domain mail server.
  • [8690] Updated product EULA and added new EULA dialog to the installer


  • [7340] fix to during mail collection from a remote POP3 account, a message with several thousand addresses in the TO: header may cause the process to crash
  • [7322] fix to POP3 mail collection recipient parsing engine may not find valid local recipient
  • [7597] fix to Call Back Verification does not strip BATV tag when using the VRFY command
  • [7857] fix to Spanish language version crashes when a message that contains a virus is received
  • [8148] fix to specific attachment may crash engine during attachment text extraction
  • [8496] fix to message with malformed RFC822 headers may be logged incorrectly and prevent the message list from being searched
  • [5425] fix to when delivering mail if an MX host has multiple IP addresses (A DNS records) a connection is only attempted to the first IP address
  • [5215] fix to when an Active Directory user verification source is used, and an email alias has been configured as an administrator, the administrator status is lost when the primary account receives a message. This occurs because the alias is merged with the newly created user, however the administrator status is not merged.

SecurityGateway 2.0.6 - May 17, 2011


  • [5114] Updated PCRE regular expression library to version 8.12
  • [7248] Updated Firebird database engine to version 2.1.4


  • [7243] fix to SGAV_ClamAVPlugin.dll is not installed for new installations. This prevents ClamAV from loading, and prevents messages from being accepted unless AV is disabled.
  • [7271] fix to disclaimer feature may corrupt message body content

SecurityGateway 2.0.5 - April 26, 2011


  • Updated ClamAV engine to version 0.97
  • Updated SGSpamD to SpamAssassin version 3.3.1
  • Updated Chilkat libraries to version 9.1.2
  • [4635] Added link on disclaimer page to set the order in which disclaimers are applied


  • [4663] fix to if more than five crash memory dumps are captured, the newest crash dump file is overwriten
  • [4866] fix to Remote POP Account SSL error "Not enough memory is available to complete this request (-2146893056)"
  • [5898] fix to removing the HTTP and HTTPS port values prevents access to web interface
  • [6113] fix to ClamAV plugin may get stuck on recv() call and does not time out
  • [6175] fix to SecurityGateway.exe process terminates after changing port value
  • [6421] fix to password request feature may provide the password of another account, this requires that the mailbox name exists as an alias in another domain
  • [6517] fix to mail collection from a Remote POP Account is not considering user aliases for a different domain when determining if the message is addressed to a local account
  • [6774] fix to in specific instances, attachments may be erroneously removed from the message during processing
  • [6866] fix to lines in message body over 5000 characters in length are truncated
  • [7046] fix to when routing outbound mail through SecurityGateway, messages from "noreply" addresses are rejected. Messages from "noreply" will now be accepted if sent by a domain mail server.

SecurityGateway 2.0.4 - August 17, 2010


  • [5736] fix to SPF resolver does not resolve returned CNAME records when performing A record test
  • [5493] fix to when a custom date range is specified for a report, only 24 hours of data is returned
  • [4885] fix to SMTP AUTH LOGIN is allowed over non SSL connection when "Allow Plain Text Passwords" option is disabled
  • [4801] fix to files in attachments directory may not be removed after database maintenance removes the related message from the database
  • [1515] fix to verify user feature does not delete users that were converted to aliases of another mailbox (Active Directory or Minger)

SecurityGateway 2.0.3 - May 25, 2010


  • The installation process now performs a one-time collection of basic customer information.


  • [4339] Added user option to disable Flash graphs on the "Dashboard" and "My Account" pages


  • [4216] fix to if AD user account name/mailbox contains non-ASCII, user cannot log into web interface
  • [4527] fix to URIBL is not excluded when the "Do not perform anti-spam tests..." option is enabled for the recipient
  • [4778] fix to disabled users count towards license limit
  • [4930] fix to SGSpamD.exe needs to be restarted after SA-Update.exe updates the rule-set
  • [4943] fix to unable to release message from the administrative quarantine, if the SMTP sender value is NULL
  • [5290] fix to lower preference user verification sources are not queried when highest preference source returns a negative result

SecurityGateway 2.0.2 - November 17, 2009


  • [4427] fix to domain administrator scheduled statistics report contains statistics for all domains
  • [4467] fix to incorrect disclaimer may be applied when there are multiple RCPTs in the SMTP session
  • [4511] fix to report drill down results for a specific email address may return messages for multiple addresses. The SQL query is returning all records that "contain" the address, it needs to return all records that "match" the address.
  • [4527] fix to URIBL is not excluded when the "Do not perform anti-spam tests..." option is enabled for the recipient
  • [4531] fix to message log "Subject Starts With" search condition returns no results if the subject starts with a capital letter
  • [4574] fix to custom_quarantine_report.xsl template file is not used
  • [4623] fix to sorting message list by subject is case sensitive
  • [4632] fix to SPF "ptr" mechanism is not correctly processed. In order to pass a valid PTR hostname must exactly match the domain. The SPF spec states that the hostname only needs to end with the domain.
  • [4661] fix to scheduled database backup may not run as scheduled
  • [4683] fix to messages collected via POP3 may be mistakenly routed to "bad" queue
  • [4703] Installer: The external administrator email address field does not scroll to allow additional characters

SecurityGateway 2.0.1 - August 25, 2009


  • [4436] To reduce the size of the database, the admin may choose to not log certain types of messages to the database. These items will not appear in the message log and will not be included in report statistics. However, all messages will be logged to the appropriate log file (e.g. Inbound.log).


  • [4355] fix to dashboard for domain administrators, the "Total Bandwidth Used by Email", "Good vs. Junk Messages", and "Junk Email Breakdown" graphs show global statistics
  • [4451] fix to greater than and less than characters in session transcript need to be escaped for NDR messages

SecurityGateway 2.0.0 - August 4, 2009


  • [179] Scheduled Statistics Report:

    On a nightly or weekly basis, a statistics report can be sent to all global administrators, all domain administrators, or a manually defined list of email addresses. This report allows the filtering effectiveness and health of the server to be quickly ascertained. For domain administrators, the report will only contain statistics for the domain(s) which the administrator has administrative rights.

  • [201] Disclaimers (Headers / Footers):

    Added the ability to add simple headers and footers to messages. One use of this is to add a "--- Message scanned by SecurityGateway for Exchange/SMTP ---" footer to all messages. This feature will be expanded in future versions.

  • [1757] Extract text from attachments:

    Content filter rules and custom Sieve scripts can perform actions based upon the content of an attachment. The Sieve body test "text" tag automatically extracts text from several popular attachment formats.

    The iFilter interface is used to extract plain text from Microsoft Office and PDF documents. In order to search PDF documents, Adobe Acrobat Reader must be installed on the SecurityGateway server. Office 2007 documents require the 2007 Office System Converter: Microsoft Filter Pack to be installed.

  • [3892] Dashboard for domain administrators. Only statistics for the domain(s) managed are displayed.

  • [4082] Collect mail from a POP3 mailbox:

    This feature allows mail for a domain to be collected from a POP3 mailbox. It is modeled after MDaemon's DomainPOP functionality. For each POP3 mailbox you configure, mail will be collected and parsed among valid recipients at the domain you specify.

  • [4060] Domain aliases:

    Aliases may be defined for a domain. All of the domain's users are assumed to be valid for each domain alias. This is useful if a domain has registered multiple domain names, e.g. altn.com, altn.us, altn.biz, etc.

  • [4072] Define multiple search strings for a single content filter condition:

    The content filter is a graphical interface for building Sieve scripts. Multiple search strings may now be defined for a single condition. The user may specify if the condition must match any or all or the defined strings. This is useful for searching a message header or body against a list of keywords.

  • [4254] Added the following statistics (charts) to the "My Account" page for local users. Only statistics for the user's account are displayed.
    • Good vs. Junk Messages
    • Junk Email Breakdown
    • Inbound vs. Outbound Messages
    • Top Spam Sources
  • [4063] Improved heuristic rule update process:

    The heuristic rule update process now has the ability to pull updates from updates.spamassassin.org in addition to updates from Alt-N. The SGSpamD Configuration UI has a new checkbox which controls this capability. This will make sure your SpamAssassin rule-sets are always kept current. This functionality is enabled by default.


  • [1237] Added option to redeliver message(s) from the message log. This option requires that the content of the message has not been deleted from the database.
  • [1711] Added a per user language option. System generated messages sent to the user will be translated to this language. A default value may be applied on a server and individual domain basis.
  • [3204] Added the ability for SGDBTool.exe to create a global administrator. This is useful in cases where the global administrator account created during installation is not accessible.
  • [3205] Added the ability for SGDBTool.exe to promote a user to a global administrator.
  • [4062] Updated SpamAssassin (SGSpamD) to version 3.2.5.
  • [4066] Updated ClamAV engine to version 0.95.1.
  • [4128] Updated CommTouch Outbreak Protection engine to version 5.08.0002.
  • [4131] Changed default log rotation for new installations to "Create a new set of log files each day".
  • [4140] Add to message score content filter action
  • [4167] A transient delivery failure notification is sent to the sender, if a message cannot be delivered after one hour.
  • [4193] Verify users for a single domain. The "Verify Users" toolbar button on the User Verification Source list honors the domain chosen from the drop down list.
  • [4194] Created additional indexes for "lists" table. This will improve the performance of white/black list lookups.
  • [4221] Greylisting is now supported for Sieve scripts that run during the DATA event. While it is preferred to greylist at RCPT, before the message is transferred, conditional greylisting in response to the DATA command can be a useful tool. This may be an attractive alternative to quarantining mid scoring messages. With the flexibility of SIEVE, large messages can be excluded.
  • [4241] NDRs are no longer sent to "noreply" addresses.
  • [4256] Scale of "Total Bandwidth Used by Email" report is now automatically formatted. For example 140000KB is now displayed as 140MB.
  • [4257] Added "Total" summary line for numerical reports
  • [4323] Changed defaults for "Relay Control | SMTP MAIL address must exist..." to exclude domain mail servers and authenticated sessions by default. This only applies to new installations.
  • [4326] Changed installer to make installing registered or trial version more clear. An email address and country are now required for trial installations.
  • [4337] A different path/drive may be specified for the database file. This must be a path on the same computer, UNC paths are not supported. To configure the path, create a string value "DBPath" under the HKEY_LOCAL_MACHINE\SOFTWARE\Alt-N Technologies\SecurityGateway registry key. The path does not need to contain the name of the database file, i.e. E:\SG_Database


  • [1732] fix to if SecurityGateway is installed to a different location, unable to load web interface after restoring configuration
  • [3936] fix to when using Italian installation file, registration key is lost when upgrading
  • [3937] fix to when using Italian installation file, uninstall shortcut created in same folder as installation file
  • [3971] fix to new version available email may not be sent to global administrators
  • [4029] fix to extra line breaks after saving Sieve script in MSIE
  • [4044] fix to log entries truncated at 1024 characters
  • [4046] fix to in specific circumstances duplicate domains may be created
  • [4091] fix to refreshing log file returns view to first page
  • [4092] fix to list view sort order is reset after going back, and then to next page
  • [4130] fix to file may be orphaned in temp directory if socket times out when attempting to deliver a message
  • [4132] fix to log archive .zip file may be created which contains zero files
  • [4134] fix to OutbreakProtection is not enabled when expired ProtectionPlus is updated
  • [4147] fix to if a user's nightly quarantine report is generated after 1:00AM, the user will not receive a quarantine report the next night
  • [4171] fix to when viewing a message with an attachment, from the message log, the size of the attachment is not displayed
  • [4172] fix to when viewing the source of a message from the message log, tab characters are not displayed correctly
  • [4184] fix to multi-line message headers are not properly unfolded when viewing message from the message log
  • [4185] fix to a user can white/black list their address
  • [4218] fix to malformed DNS response may cause service to terminate
  • [4219] fix to domain administrator cannot perform any action when viewing messages queued for delivery (access denied)
  • [4222] fix to message submitted via SMTP to the spam Bayesian learning address routes to non-spam folder
  • [4223] fix to message headers may be corrupted for messages submitted via SMTP to the Bayesian learning address
  • [4243] fix to no error is logged to the session log if a message addressed to a Bayesian learning address is rejected because the session is not authenticated or from a domain mail server
  • [4328] fix to dynamic SMTP Authentication does not pass full email address to user verification source
  • [4330] fix to when using German installation file, uninstall shortcut link points to wrong location

Try SecurityGateway

Download SecurityGateway 30-Day-Trial Why not install the free fully functional 30-day trial version of SecurityGateway and give it a try!

Download Now - Free 30-Day-Trial
Existing SecurityGateway user?