Forced update of generic SSH host keys

(Published on 2024-11-18)

To allow immediate SSH access to a new appliance, MailCleaner VA images ship with a generic set of SSH host keys. These keys are the same for every installation. Because this set of host keys is known, an attacker able to intercept connections could use it to mount a man-in-the-middle attack and read SSH session information in plain text. Given that the MailCleaner firewall only allows SSH connections from your local IP network by default, this threat should be limited to compromised or malicious devices within the same LAN as your MailCleaner machine(s).

To improve security, we have published an update which all MailCleaner machines should install over the next 24 hours. This update will deactivate the generic keys and generate a set of unique keys for your host. As a result, you may be prompted upon your next login with a warning that the host keys of the MailCleaner machine have changed. This is to be expected: follow the instructions in that prompt to remove the old key from your clients' known_hosts files, then approve the new key on your next connection.

For future installations, these keys will be rotated during the installation process.

Exim 4.98

(Published on 2024-07-12)

A new version of Exim has been published to address a severe attachment filtering bypass vulnerability.

As always, your machine should receive the update automatically during the update cycle (either 22:30 on newer machines or 02:30 on older ones). The update was merged at 19:02 UTC on July 12th. You can check that your machine(s) have received the latest version with:

/opt/exim4/bin/exim --version

which should mention '4.98' on the first line of the output. If you don't have this version, it is likely that an issue is blocking updates; details should be available in the output of '/root/Updater4MC/updater4mc.sh' or from '/var/mailcleaner/log/mailcleaner/updater4mc.log.0'.

This update comes bundled with an update to version 10.44 of the PCRE2 library.

Tips to improve deliverability of outgoing messages (esp. Office 365)

(Published on 2024-04-03)

Due to some recent changes to Office 365, we have received several reports of mail being relayed outbound through MailCleaner being rejected by that service. This is in addition to several other large mail hosts imposing more strict requirements to verify email legitimacy and security in recent years. These policies apply to all sources of outbound mail, not just MailCleaner, but there are some default configurations which mean that MailCleaner machines are quite likely to be impacted unless specific actions are taken.

If you currently use MailCleaner as an outgoing relay (AKA "SmartHost"), or if you have plans to do so, please read our guide to ensure that you are setting it up correctly.

Once set up, please see our other new guide discussing the best practices to ensure that mail being relayed through MailCleaner stands the best chance possible of being delivered to hosts with even the most strict requirements.

Please open a support ticket if you need any help, or if you continue to face delivery problems. Some problems will be out of our control to resolve, but we can do our best to advise you or point you in the right direction for more help.

Exim 4.97.1

(Published on 2024-01-13)

Note: This update is superseded by the update to 4.98. The Updater4MC script will only apply the necessary database changes, but it will not actually install 4.97.1. Details are included here for posterity.

A new version of Exim has been published to address a moderate spoofing vulnerability.

As always, your machine should receive the update automatically during the update cycle (either 22:30 on newer machines or 02:30 on older ones). The update was merged at 20:05 UTC on February 13th. You can check that your machine(s) have received the latest version with:

/opt/exim4/bin/exim --version

which should mention '4.97.1' on the first line of the output. If you don't have this version, it is likely that an issue is blocking updates; details should be available in the output of '/root/Updater4MC/updater4mc.sh' or from '/var/mailcleaner/log/mailcleaner/updater4mc.log.0'.

One important note is that as of version 4.97, Exim now uses longer Exim IDs. Extensive testing of accommodations for these longer IDs was done over the last several weeks, but it is possible that something was missed. If you see any problem with indexing or managing of quarantined items, please open a ticket or alert us with a GitHub issue immediately.

Exim 4.96.2 and patches to libspf2

(Published on 2023-10-23)

Note: This update is superseded by the update to 4.97.1. The Updater4MC script to install 4.96.2, specifically, has been removed. Details are included here for posterity.

As mentioned in a previous update, a series of vulnerabilities in Exim 4.96 were made public. We have now published 4.96.2 to our repositories, along with patches to libspf2 to address the remaining vulnerabilities.

As always, your machine should receive the update automatically during the update cycle (either 22:30 on newer machines or 02:30 on older ones). The update was merged at 22:25 UTC on October 23rd. You can check that your machine(s) have received the latest version with:

/opt/exim4/bin/exim --version

which should mention '4.96.2' on the first line of the output. If you don't have this version, it is likely that an issue is blocking updates; details should be available in the output of '/root/Updater4MC/updater4mc.sh' or from '/var/mailcleaner/log/mailcleaner/updater4mc.log.0'.

Change to version numbering

(Published on 2023-10-12)

A change has recently been made to the version numbering that you will see in the Administrator web interface, within the SMTP banner, and within SNMP queries. This is an enhancement to provide more meaningful information about the update status of the machine. Historically, the 'Version' and 'Patch level' have been redundant, with the latter being a somewhat more precise version of the former (e.g. '2023-10' vs. '2023101201'). Now, the 'Version' will adopt the more precise format and the 'Patch level' will follow the format: <Updater4MC level>-<MC Git commit> (e.g. as of this update, it should be '83-1d7f248').

Internally, only the 'Version' has been changed. However, for what is most intuitive to users, the labels for these values have been swapped in the web interface. This means the values mentioned above are actually swapped when querying the SNMP interface, and the newly formatted value is visible in the SMTP banner.

This change should have very limited impact for most users, except those who might have an SNMP agent tracking their system's update status. The advantage to this change is that the publicly visible version now provides meaningful information. It is sometimes the case that specific updates will fail, or custom changes within the MailCleaner Git tree ('/usr/mailcleaner/') will conflict and block updates. This more meaningful number will allow for features to be more easily added to alert administrators to failed or available updates. It will also allow MailCleaner staff to monitor Enterprise Edition machines and provide proactive support.

If you have disabled automatic updates, you may wish to hide your version from the public SMTP banner. This is now possible by creating the file '/var/mailcleaner/spool/mailcleaner/hide_smtp_version' then restarting the Incoming MTA. This file must be created on each node of a cluster.

Note: Since part of the mechanism for this change is applied within the Updater4MC update script, it will actually take a second update for the new version to be applied. This means that most users will see the new format on 2023-10-14. In the meantime, a less meaningful version with the Updater4MC Git commit instead of the actual successfully installed update level may be shown (e.g. 8715121.1d7f248).

Exim 4.96.1

(Published on 2023-10-02)

Note: This update is superseded by the update to 4.96.2. The Updater4MC script to install 4.96.1, specifically, has been removed. Details are included here for posterity.

Recently, a series of vulnerabilities in Exim 4.96 were made public. The most critical of these CVEs were patched quickly and MailCleaner followed up by compiling a patched version of our custom Exim package. Your machine should have received the update automatically during the update cycle (either 22:30 on newer machines or 02:30 on older ones) following 01:45 UTC on October 2nd.

A follow-up version is expected in the near future to resolve the remaining, less critical, issues. We will compile and release this version as soon as it is made available by the Exim team. In the meantime, you can check that your machine(s) have received the latest version with:

/opt/exim4/bin/exim --version

which should mention '4.96.1' on the first line of the output. If you don't have this version, please feel free to open a ticket immediately. You can also find details on why the update is being blocked by manually running updates again with '/root/Updater4MC/updater4mc.sh' or by checking the previous update log from '/var/mailcleaner/log/mailcleaner/updater4mc.log.0'. Any problem with this update will also block the upcoming update, but after a successful update, you should expect the next update to work well too.

Exim 4.96

(Published on 2022-08-24)

Note: This update is superseded by the update to 4.96.1. The Updater4MC script to install 4.96, specifically, has been removed. Details are included here for posterity.

Recently, a new release of MailCleaner's MTA, Exim, was published and pushed to all MailCleaner machines using the regular Updater4MC script. There are a couple of points to note about this upgrade.

This resolved several vulnerabilities, including problems in LibSPF2 and Exim itself.

This introduces support for ARC.

The upgrade was not entirely smooth. There was an issue related to some mail from Microsoft clients. You can read more about this issue, how it was remedied and additional options to deal with this problem here. As long as you are up-to-date, this issue no longer exists.

Your machine may not have installed the upgrade. There should be a watchdog called 'detect_exim_current' which should tell you if your machine has failed to update. If this is the case, you can check your latest update attempt from '/var/mailcleaner/log/mailcleaner/updater4mc.log.0' or run '/root/Updater4MC/updater4mc.sh' to see the output. This should mention a modified file or other issue which is preventing the upgrade. See the previous InfoBox notice from 2021-05-17 for more information since the update procedure is the same.


ClamAV 0.103.5

(Published on 2020-03-01)

As of the next nightly update after this post, all MailCleaner machines will update ClamAV to 0.103.5. This will:

Block .xlsb files

(Published on 2021-11-02)

Block .xlsb files


Upgrade for vulnerable Exim package

(Published on 2021-05-17)

Note: This update is superseded by the update to 4.96. The Updater4MC script to install 4.94, specifically, has been removed. Details are included here for posterity.

Warning: There have recently been disclosures made for several critical vulnerabilities with the Exim MTA which is used in MailCleaner. In addition to patching these vulnerabilities, there have been additional changes to the intervening versions of Exim which have required some changes to the configuration templates used in MailCleaner to prevent other mail delivery issues. After carefully testing these changes we have now made a new version of the package available. This should be automatically installed during the first nightly update after this notice.

However, to ensure a safe upgrade without any of the delivery issues mentioned, the automatic upgrade will refuse to proceed if either 1) the new template files are not yet present or 2) if you have made modifications to the template files which will fail to be automatically replicated to the new templates. The upgrade will retry nightly until the new version is installed. To verify that the upgrade was successful, you can check the current version (looking for 4.94), by running:
    
/opt/exim4/bin/exim --version | head -n 1

If you are not already on this version, please only attempt the upgrade using the official installation script since manually installing the package may result in incompatible configuration templates being used:
    
/root/Updater4MC/updater4mc.sh

Monitor for the progress immediately following "Executing update: /root/Updater4MC/updates/62_mc_exim_4.94.update" and follow up by checking the version again to be sure. If the upgrade is abandoned, the relevant error will be printed. This will be either that your Git tree is behind, meaning that you don't have the new templates, or that you need to ensure that the changes from your old templates have been ported correctly. In the latter case, you can run the update script manually - after you have replicated your customizations - to force the upgrade:
    
/root/Updater4MC/updates/62_mc_exim_4.94.update --force

We will be monitoring Enterprise customers over the following days and weeks to ensure full uptake of this update.
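
The version check that this notice and the later Exim notices above ask for, wrapped as an added example (not part of MailCleaner's tooling): the function compares the version on the first line of 'exim --version' output numerically, component by component, so that 4.97.1 correctly sorts below 4.98. The sample line is constructed; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: check that the installed Exim is at least a required version.

# exim_at_least MIN
# Reads 'exim --version' output on stdin. Returns 0 if the version on the
# first line is >= MIN, 1 if it is older, 2 if no version could be parsed.
exim_at_least() {
    min=$1
    # First line looks like: "Exim version 4.98 #2 built ..."
    have=$(head -n 1 | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$have" ] || return 2
    awk -v a="$have" -v b="$min" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        # Compare each dotted component as a number; missing ones count as 0.
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Constructed sample of the first output line from a machine that missed 4.98.
sample='Exim version 4.97.1 #2 built 13-Jan-2024 10:00:00'

rc=0
printf '%s\n' "$sample" | exim_at_least 4.98 || rc=$?
case $rc in
    0) echo "Exim is at 4.98 or newer" ;;
    1) echo "Exim is older than 4.98: check /var/mailcleaner/log/mailcleaner/updater4mc.log.0" ;;
    *) echo "could not read a version from the output" ;;
esac

# On a MailCleaner host:
#   /opt/exim4/bin/exim --version | exim_at_least 4.98
```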


Hostlist Entry Formatting

(Published on 2021-02-22)

You can now use the SPF of a domain to whitelist / blacklist corresponding IPs.
Please check this Knowledge Base to know more about it.


SpamC scores adaptation at domain level

(Published on 2021-02-22)

To give you more control over the filtering rules, you can now adapt the scores per rule per domain (and even per user if needed).
Find more in this Knowledge Base.


Whitelists are now applied before blacklists

(Published on 2021-01-26)

Whitelists will be applied before blacklists from now on.
This will allow end users to whitelist john.doe@example.org while the domain example.org is blacklisted.


SpamC scores modification

(Published on 2020-12-28)

A wave of mails coming from freemails, with almost no text in the body and a PDF attachment, has been reported.

To stop this, we added 2.0 points to mails coming from freemails with a .doc or .pdf attached (rule: T_FREEMAIL_DOC_PDF).

We also added more rules about PDF attachments.
For this specific wave, the main rule is PDF_TEXT_RATIO.
This rule is also worth 2.0 points.

For now, those mails should have their score raised by 4.0, split across 2 rules to try to prevent false positives.

As always, you can create/modify rules (based on that one for the ratio).
If so, please let me know; this can be useful for other customers of ours and we would then backport your modification into the main MailCleaner tree.

As we don't face those spams on our own cloud, we are willing to adapt those rules according to your feedback, so don't hesitate to open a ticket if this led you to false positives or if you think we should increase/modify our scores. (The rule PDF_TEXT_RATIO is based on a ratio, so if it is not triggered it may be due to a ratio above the one we picked; you are very welcome to report this as well.)

Note: This will automatically update on your servers at 22:30. You can have this live earlier by running
/root/Updater4MC/updater4mc.sh

on all your hosts.



Reject domains using capital letters

(Published on 2020-10-03)

We have strengthened some of our anti-spoofing measures, as we currently want to focus on blocking more phishing mails. We decided to block the use of capital letters in the domain names of the senders of a mail. As this increases the security of all end users, we decided to enable it by default.

You can find everything you need to know about this new feature in this Knowledge Base.


Fail2Ban integrated into MailCleaner

(Published on 2020-06-04)

As announced in our last Newsletter, fail2ban is now integrated in MailCleaner.

For now, it is disabled by default.
You can find everything you need to know about this new feature in this Knowledge Base.


Log mails subjects and/or attachments names

(Published on 2020-03-31)

You can now log mail subjects and/or attachment names for the Tracing Tool with the new options:

Configuration-> SMTP-> Include mails subjects in the logs

Configuration-> SMTP-> Include attachement names in the logs

More information here


Per domain IP white/black -lists

(Published on 2020-03-16)

You can now whitelist or blacklist IPs or subnets per Domains via Configuration->Domains->Advanced Features. These white/black lists will be effective either at SMTP or SpamC stage.


Now blocking Wav files per default

(Published on 2019-10-20)

Wav files have recently been found liable to contain viruses or crypto miners; therefore, those filenames are now blocked by default. You can change this in

Configuration->Content Protection->Attachment name

More information here


ClamAV and ClamSpam updates

(Published on 2019-10-02)

ClamAV and ClamSpam were updated to the latest stable version: 0.101.4.


[Exim - New CVE-2019-16928] Information

(Published on 2019-10-01)

We upgraded to the latest Exim available.

Here is the related CVE: CVE-2019-16928

Wave of infected documents with macros

(Published on 2019-09-24)

For the past few days, we have been seeing a wave of spam containing infected documents with macros. We strongly encourage you to use our Anti-Macro feature. This is currently not accessible from the web interface. It can be enabled by simply creating this file on each of your nodes and restarting clamav with /usr/mailcleaner/etc/init.d/clamd restart or via Monitoring > Status in the admin interface:
 touch /var/mailcleaner/spool/mailcleaner/mc-experimental-macros 
When the wave is over, if you want to disable this feature, you'll need to run
 rm /var/mailcleaner/spool/mailcleaner/mc-experimental-macros 
on all nodes and restart the services as described above.

Warning: Enabling this feature will cause all documents embedding macros to be dropped (including Office documents with macros)! No recovery possible (SMTP stage)!


[Exim - New CVE-2019-15846] Information

(Published on 2019-09-12)

We upgraded to the latest Exim available.


[Exim - New CVE-2019-13917] Information

(Published on 2019-07-25)

Dear customers, we wanted to inform you that MailCleaner is NOT vulnerable to the new CVE-2019-13917. Although we are using version 4.92 of the Exim package, this vulnerability can only be exploited under certain conditions that are not possible by default in MailCleaner.

However, as a precaution, we will update the package in the coming days.

Here is the related CVE: CVE-2019-13917


[Exim - Security Fix] Automatic upgrade to Exim 4.92

(Published on 2019-06-11)

Due to the latest CVE revealed for Exim, we automatically upgraded your Exim package to version 4.92. Your Exim version is no longer vulnerable to CVE-2019-10149.


[Bug Fix] Fixed SpamC score persistence and display for user quarantine

(Published on 2019-04-29)

When a user opens mail traces in his quarantine, the SpamC score isn't correctly displayed because of a bad persistence.


[Improvement] Exception list for SPF and DMARC checks at SMTP stage

(Published on 2019-04-24)

This feature will be available at Configuration->SMTP->Don't check these hosts for SPF or DMARC


[Bug Fix] Text over-written in filter adjustment reports

(Published on 2019-02-19)

When you request a filter adjustment from the MailCleaner email reports, the last line is over-written. Fixed it.

Warning: if you're using a custom template for the summary, please update it by copying the unlogged.css of the default template to your custom template.

[Bug Fix] Web interface System Sender address

(Published on 2019-02-19)

Fixed a small bug which created confusion. By default, the System Sender address was displayed in lower case on the web interface even though the value in the database is case sensitive.

[Bug Fix] MailCleaner internal updates

(Published on 2019-02-15)

Fixed a bug where MailCleaner services were not restarted every time related data was updated.

[Improvement] Update the TLD list

(Published on 2019-02-12)

Update of the TLD list used by MailCleaner services.

[Improvement] Added MailCleaner script for installing options

(Published on 2019-02-11)

Bug fix for avoiding errors when the stage4 is rebooting for sending the summaries.
See the Knowledge Base.

[Bug Fix] : Avoid exim_stage4 errors

(Published on 2019-02-05)

Bug fix for avoiding errors when the stage4 is rebooting for sending the summaries.

Password protected archives : Manage a whitelist

(Published on 2019-01-03)

You now can whitelist domains for the feature : Password protected archives. Please read the Password protected archives : Manage a whitelist knowledge base about this.

[Bugfix] Security fix on tracing

(Published on 2019-01-03)

Fix a security issue: a remote code execution on the tracing section.

[Improvement] Update of MailCleaner's bayesians

(Published on 2018-12-08)

We have just updated the bayesians of NiceBayes and SpamAssassin.

[Anti-virus] Virus reporting

(Published on 2018-12-05)

To report a virus that did not get detected by MailCleaner, report the email to virus@mailcleaner.net, as described in the Wrong analysis reporting knowledge base

[SpamAssassin] Filtering rules

(Published on 2018-11-06)

Added multiple filtering rules in SpamAssassin to prevent spam and phishing waves

[Bugfix] XSS Breach

(Published on 2018-10-26)

Fixed an XSS breach that allowed for code injection in the login page.

[Improvement] Watchdog

(Published on 2018-10-08)

Added three watchdogs which will warn us when more than 85% of inodes are used, when more than 85% of disk is used, and when there are too many mails in the mail queues.

[Improvement] Infobox

(Published on 2018-10-01)

Added a timeout protection for the infobox and changed the source content.

[Improvement] Lockfiles

(Published on 2018-09-30)

Added a LockFile system.

[Improvement] IPv6

(Published on 2018-09-20)

Enable IPv6 in Exim only when an ethX interface supports it.

Servers unavailability

(Published on 2018-09-18)

An upgrade by our ISP will force the connection to most of our servers to be down for about 20 minutes. The external servers should take over for that time and this operation should not impact your machines. If you observe messages piling up in the queues, this will be due to an overload of those machines, which will resolve within an hour.
Sorry for the inconvenience.

[Improvement] Update of MailCleaner's bayesians

(Published on 2018-09-07)

We have just updated the bayesians of NiceBayes and SpamAssassin.

[Bug Fix] Use English as default summary language

(Published on 2018-08-30)

Sometimes, the user interface is translated but not the corresponding summary and vice-versa. Thus, we use English as the default summary language.

[Improvement] Root server list update

(Published on 2018-08-22)

The root server list for bind is now updated on a daily basis.

[Improvement] Languages support

(Published on 2018-08-16)

Add support for new languages through Weblate https://www.mailcleaner.org/translations/.
[2018-08-20 11h43] Bug fix

[Improvement] Kaspersky

(Published on 2018-08-06)

Add Kaspersky support by default (for a better integration).

[Bug Fix] Watchdog modules

(Published on 2018-07-31)

We just fixed some watchdog modules and added a new one to better monitor your MailCleaner services.

[Improvement] Newsletters and whitelists

(Published on 2018-07-27)

It is now possible to have both a whitelist and a newsletter address for the same sender and recipient.

[Improvement] Newsletters whitelist

(Published on 2018-07-25)

A lot of our customers would have preferred the Newsletter feature to work on both envelope and body senders. We changed this point to meet your expectations.
In addition to that, when you accept a newsletter, both sender and from addresses are now added to the newsletter whitelist.

[Feature] Newsletters management interface

(Published on 2018-07-11)

Management of the accepted newsletters at the user, domain and global level.

[Bug fix] IPv6 conditional deactivation

(Published on 2018-07-11)

Disabling automatically IPv6 when not configured on the machine.

[Internal] Improving whitelist globbing

(Published on 2018-07-11)

Improving pattern matching when parsing the whitelist, blacklist, newsletters lists and warnlists.

[API] API Improvement

(Published on 2018-07-09)

Added user/allow_newsletters to the REST API.

[Internal] Update SSH keys

(Published on 2018-07-09)

We removed some internal SSH keys for security reasons.

[Improvement] First start update

(Published on 2018-06-26)

Improving the first startup of a VA, upgrading it at first start when internet access is available.

[Bug fix] SOAP and Exim

(Published on 2018-06-07)

We just fixed a bug concerning the newsletter SOAP interface. We also fixed a bug for the field Don't check these hosts when inserting IPv6.

[Bug fix] REST API

(Published on 2018-05-22)

We recently fixed a bug with the REST interface in the User/Add function.

[Bug fix] Updater4MC

(Published on 2018-05-11)

Due to a recent bug discovered we fixed the Updater4MC concerning the update of the patch level. We also removed some internal SSH keys for security reasons.

[Bug fix] Newsletter

(Published on 2018-05-01)

We recently fixed a bug concerning the newsletter. In some specific cases, accepting a newsletter was causing an unhandled exception. We also removed some internal SSH keys for security reasons.

New InfoBox by administrators for administrators

(Published on 2016-11-05)

We decided to publish this InfoBox, in which we will communicate important information. Thank you for consulting this section regularly.