build-240815
This release includes elements from the Hermes SEG 231130 release, which was not released as an update.
NEW FEATURES
Updated Hermes SEG logo.
Moved System Update from the Hermes SEG Pro Edition to the Hermes SEG Community Edition. A valid license is no longer a requirement to run System Update.
Moved System Settings --> Daily Update Check drop-down from the Hermes SEG Pro Edition to the Hermes SEG Community Edition. A valid license is no longer a requirement to enable Daily Update Check.
Moved Logout link from side menu to top-right nav bar.
Removed Gitlab link from the top-right nav bar.
Added Telegram Channel link to the top-right nav bar.
Added Matrix Channel link to the top-right nav bar.
Removed Email Archive link from the side menu. Email Archiving will be addressed in a future release.
Decommissioned Web Console System Update and replaced with CLI based System Update script. Details can be found at https://docs.deeztek.com/books/hermes-seg-administrator-guide/page/system-update
Decommissioned Web Console System Backup and System Restore and replaced with CLI based System Backup and System Restore scripts. Details can be found at https://docs.deeztek.com/books/hermes-seg-administrator-guide/page/system-backup-and-restore . Additionally, removed legacy Backup and Restore Jobs tables from the database and removed any existing scheduled backup jobs.
Decommissioned Web Console Email Archive. Additionally, removed legacy Archive Jobs tables from the database and removed any existing scheduled archive jobs. Email Archiving will be addressed in a future release.
Decommissioned ExtremeShok/clamav-unofficial-sigs since the project is abandoned and replaced with Fangfrisch as per Github issue #47. Temporarily removed Content Checks --> Antivirus Signature Feeds in order to re-work code to accommodate Fangfrisch.
Removed System --> Antivirus Signature Bypass and combined with System --> Antivirus Settings (Hermes SEG Pro Edition Only).
Added Python 3.11.
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0
Admin Console --> Content Checks --> Antispam Settings.
FIXES
Upgraded Lucee to 5.3.5+96 as per Github issue #65.
Streamlined and fixed issue with username/password prompt logic in ubuntu_hermes_install.sh script not recognizing spaces or special characters.
build-231130
NEW FEATURES
Update Hermes SEG logo.
FIXES
Upgrade Lucee to 5.3.5+96 (#65).
build-221211
HIGHLIGHTS
This is the first update on the version 20.04 train since Ubuntu 18.04 is no longer supported. After updating, Hermes SEG will reflect the new 20.04 version internally as well as any system pages.
NEW FEATURES
- Upgrade Authelia to 4.37.2 (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/41).
- Add Duo Security MFA (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/42).
- Add Ability to Remove User 2FA Devices (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/43).
- Add Storage Encryption Key field in Authelia (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/44).
- Force 32 character JWT Secret, Storage Encryption Key and Session Secret (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/45)
- Upgraded license activation and system update mechanisms to be more robust and secure. Added update history as well as the ability to download the System Update log from the UI after update installation has either succeeded or failed.
- Added telemetry (Opt-Out by default) under Admin Console --> System --> System Settings to collect anonymized data in order to improve Hermes SEG and products and services. For details on the data collected and our policy please see (https://docs.deeztek.com/books/hermes-seg-administrator-guide/page/system-settings).
- Removed System Backup and System Restore functionality from the Admin Console in anticipation for new and improved CLI based System Backup and System Restore. Stay tuned...
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0
- Admin Console --> System --> System Update
FIXES
- System Status Filesystem Usage script error (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/30).
- Adding DKIM Trusted Hosts does not reflect in DMARC (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/32).
- Saving console settings fails when server, client and mail keywords are not (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/33).
- Spamassassin Automatic Updates (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/39).
- All outbound e-mail are PDF encrypted (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/40).
- Unknown column 'queue_type' in 'field list' on Build-220410 (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/29).
- Make username/password prompts mandatory during Hermes SEG Initial install (https://github.com/deeztek/Hermes-Secure-Email-Gateway/issues/36).
- Fixed issue where if Daily Update Check was enabled, system would send e-mail notifications that DEV update was available (Hermes SEG Pro Only).
- Fixed login failure when system could not verify login session if the Host Name under Admin Console --> System --> Console Settings is not resolvable by Hermes. Added function to add the Console Host parameter in /etc/hosts as 127.0.0.1 when Network Settings or Console Settings are applied.
- Fixed issue with /hermes-api path which was causing some network and console settings not getting applied.
- Added netplan.io installation just in case it's missing from systems that were upgraded from Ubuntu 18.04 to 20.04
build-220410
HIGHLIGHTS
This release incorporates some of the most popular requests:
- The ability to add domains without the requirement of having existing recipients before the system will relay e-mail.
- The availability of SPF, DKIM and DMARC in the Community edition of Hermes SEG.
- Automatic update notifications for the Pro Edition of Hermes SEG.
- Our new Web GUI 2.0 is now the default upon login and we have added some nifty graphical resource monitors for CPU, Memory and Disk Utilization.
- All Web GUI 2.0 menu links have been fixed and you should be able to navigate between the new Web GUI and the Old Web GUI seamlessly. Our Web GUI 2.0 is still a work in progress so some links will still point you to the Old Web GUI.
Our Getting Started Guide has been simplified and updated to reflect the new changes.
NEW FEATURES
- Upgraded Admin Console --> System --> Domains to version 2.0. Added the option to add domains without requiring Internal or Virtual Recipients in order to relay e-mail. By selecting "ANY" in the Recipient Delivery, Hermes SEG will relay e-mail to the destination server without checking the existence of the e-mail address in Internal or Virtual Recipients table. This method relies on the destination server to reject the e-mail for non-existent e-mail address. Additionally, added the option to silently discard e-mail for a domain by selecting "NONE" in the Delivery Method and added the option to specify Authentication to the destination server.
- Added client SMTPS support in Postfix in addition to existing server SMTPS support. If you enable opportunistic or mandatory encryption in System --> SMTP TLS Settings it will also be set on the SMTP client.
- Upgraded Admin Console --> System --> Mail Queue to version 2.0. Added options to search messages, flush the mail queue and unhold message(s). Added functionality to display messages that are ON-HOLD or ACTIVE queues.
- Upgraded OpenDMARC from version 1.3.2 to 1.4.2.
- Moved Admin Console --> Content Checks --> DMARC Settings from the Pro Edition to the Community Edition.
- Upgraded Admin Console --> Content Checks --> DMARC Settings to version 2.0. Added option to Hold Quarantine Policy messages in order to alleviate issue with messages stuck in Mail Queue with ON-HOLD status after failing DMARC validation and having a DMARC policy of quarantine. The default Hold Quarantine Policy Messages setting is set to NO. Additionally, added option to add DMARC whitelisted domains in an effort to bypass domains that fail DMARC validation in a locally generated Authentication-Results header.
- Moved Admin Console --> Content Checks --> DKIM Settings from the Pro Edition to the Community Edition.
- Upgraded Admin Console --> System --> System Settings to version 2.0. Removed requirement to add Database credentials. Added options to specify system TimeZone and Daily Update Checks with e-mail notification (Pro Edition Only).
- Upgraded Admin Console --> System --> System Status to version 2.0. Added Graphical System Resources section to monitor CPU, Root and Data Filesystem utilization.
- Moved Admin Console --> Content Checks --> SPF Configuration from the Pro Edition to the Community Edition.
- Moved Admin Console --> Content Checks --> SPF Bypass from the Pro Edition to the Community Edition.
- Refreshed the Postfix RBL List
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0
- Admin Console --> System --> Relay Domains RENAMED TO Admin Console --> System --> Domains
- Admin Console --> System --> Mail Queue Management RENAMED TO Admin Console --> System --> Mail Queue
- Admin Console --> Content Checks --> DMARC Configuration RENAMED TO Admin Console --> Content Checks --> DMARC Settings
- Admin Console --> Content Checks --> DKIM Configuration RENAMED TO Admin Console --> Content Checks --> DKIM Settings
- Admin Console --> Content Checks --> DKIM Sender Bypass MOVED TO Admin Console --> Content Checks --> DKIM Settings
- Admin Console --> Content Checks --> DKIM Trusted Hosts MOVED TO Admin Console --> Content Checks --> DKIM Settings
- Admin Console --> Content Checks --> DKIM Sign MOVED TO Admin Console --> Gateway --> Domains --> Edit DKIM
- Admin Console --> Content Checks --> SPF Configuration RENAMED TO Admin Console --> Content Checks --> Domains --> SPF Settings
- Admin Console --> Content Checks --> SPF Bypass MOVED TO Admin Console --> Content Checks --> Domains --> SPF Settings
- Admin Console --> System --> System Settings
- Admin Console --> System --> System Status
- Admin Console --> System --> System Logs
FIXES
- Ensured /var/lib/clamav-unofficial-sigs/db-us/ directory exists and is owned by clamav user in order for the UrlHaus feed to work correctly.
- Fixed links in version 2.0 Web GUI to point to Old Web GUI when page was not upgraded to version 2.0 instead of having a broken link, made 2.0 Web GUI the default upon login and removed any references and link to Old Web GUI.
- Added additional checking for the url.mid field on the preloader_view_message.cfm to avoid app crashes if field is missing.
build-220203
NEW FEATURES:
- Upgraded look of Hermes SEG Daily Quarantine Report and Hermes SEG Quarantine Report with new logo. Also updated the functionality of the Hermes SEG Quarantine Report to only report quarantined e-mail found in the past 2, 4 or 8 hours instead of the previous functionality that reported all quarantined e-mail for the current day on 2, 4 or 8 hour intervals. Updated wording in Admin --> Internal Recipients and Users --> Report Settings with new wording in the Quarantine Report Frequency field to reflect the new functionality.
- Upgraded Admin --> Virtual Recipients and added ability to redirect multiple virtual recipients to internal or external recipients as well as the ability to redirect entire domains to internal or external recipients.
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:
- Admin Console --> Virtual Recipients
FIXES:
- Fixed issue when adding external recipients encryption S/MIME mandatory defaulting to postmaster e-mail address due to external recipients encryption using the same session.email variable as in the Application.cfc.
- Fixed issue where Admin Console --> Message History --> Message Actions --> Release Message(s) to Recipient and User Console --> Message History --> Message Actions --> Release Message(s) to Mailbox were not releasing message(s).
- Increased Hermes SEG Service timeout from the default 90 seconds to 360 seconds to avoid timeouts during system boot for systems with commandbox.
build-211207
NEW FEATURES:
- Moved System --> Console Settings from the Pro version to the Community version. Streamlined system URLs (Secure Portal Address, User Portal Address) to use the system IP or Host Name set in System --> Console Settings.
- Moved System --> System Certificates from the Pro version to the Community version. Import Certificate and Generate CSR is available on the Community version, Request Acme Certificate is available on the Pro version only.
- Moved Gateway --> SMTP TLS Settings from the Pro version to the Community version.
- Moved Content Checks --> Custom Antispam Filter Tests from the Pro version to the Community version.
- Upgraded User Console interface at /users/ to version 2.0. Changed authentication code and made it more resilient to attacks. Increased hash iteration from 5000 to 10000 iterations leveraging SHA-512 algorithm. As a result, this update resets all User Console passwords and forces users to enter new passwords next time they log in to the User Console. Added haveibeenpwned.com password checking feature. Removed password complexity requirements, set password lengths to between 8 and 64 characters as per NIST 800-63 password guidelines. Improved Forgot Password functionality.
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:
- Admin Console --> Gateway --> SMTP TLS Settings RENAMED/MOVED TO Admin Console --> Gateway --> SMTP TLS Settings (Pro Only)
- Admin Console --> Gateway --> SMTP TLS Policy RENAMED/MOVED TO Admin Console --> Gateway --> SMTP TLS Settings (Pro Only)
- User Console --> Report Settings
- User Console --> Sender Filters
- User Console --> Change Password
- User Console --> Message History
FIXES:
- Added function to not allow the deletion of the system-self-signed Certificate in System --> System Certificates.
- Removed duplicate (smtpd_tls_CAfile) in /etc/postfix/main.cf. Did not seem to cause issues but it's cleaner now.
- Added error handling in /inc/restart_authelia.com and /inc/restart_nginx.cfm.
- Fixed /etc/logrotate.d/authelia permission issue.
- Fixed various queries in view_message.cfm, view_message_history.cfm, view_smtp_tls_settings.cfm, view_system_certificates.cfm to make them less vulnerable to SQL injection attacks.
- Fixed issue in /opt/hermes/conf_files/50-user.HERMES where amavis was ignoring per user SVF policies because it was looking in the wrong SQL table and it was falling back to the Default policy.
- Fixed issue when adding external recipients encryption defaulting to postmaster e-mail address due to external recipients encryption using the same session.email variable as in the Application.cfc.
- Fixed issue with System --> Network Settings JavaScript not showing static settings when network mode was set to Static.
- Fixed issue with Train Spam, Train Ham and Forget Messages routines in both the Admin and the Users Consoles not syncing the Bayes Database.
build-211019
NEW FEATURES:
- Added Nginx HTTP Server in lieu of Apache.
- Added Let's Encrypt (Acme) Certificates support for HTTP and SMTP TLS (future).
- Added Wildcard CSR generation capability.
- Added Authelia Authentication Server for authentication into Admin Console.
- Added 2FA (Two Factor Authentication) for Admin Console.
- Added ability to add multiple System User accounts in addition to the default "admin" user. Will be expanded in the future to include permissions.
- Added Basic API for internal system functions. Will be expanded in the future for more functionality.
- Added support for checking System User passwords against haveibeenpwned.com.
- Re-worked Admin Console Firewall to work through Nginx. It now includes the ability to allow IPs to Hermes and/or Ciphermail Admin consoles.
- Enabled Uncomplicated Firewall (UFW) with the following allowed incoming ports by default:
  - 22/tcp (SSH)
  - 25/tcp (SMTP)
  - 9080/tcp (Hermes Old Web GUI HTTPS)
  - 80/tcp (Hermes New Web GUI HTTP)
  - 443/tcp (Hermes New Web GUI HTTPS)
  - 3306/tcp (MySQL)
THE FOLLOWING PAGES HAVE BEEN ADDED:
- System --> System Certificates (Pro Only)
- System --> Admin Authentication
THE FOLLOWING PAGES HAVE BEEN UPGRADED TO VERSION 2.0:
- System --> Network Settings
- System --> Admin Console Firewall (Pro Only)
- System --> AD Integration (Pro Only)
- System --> Console SSL Settings RENAMED/MOVED TO System --> Console Settings (Pro Only)
- System --> Change Password RENAMED/MOVED TO System --> System Users
- Gateway --> Certificate Signing Request RENAMED/MOVED TO System --> System Certificates (Pro Only)
- Gateway --> Internal Recipients
- Content Checks --> Message History & Archive RENAMED/MOVED TO Content Checks --> Message History
- Encryption --> Internal Recipients Encryption RENAMED/MOVED TO Gateway --> Internal Recipients
FIXES:
- Improved error handling in System --> System Backup for permission related errors in SMB Share
- Added functions to disable firewall and reset all MySQL username/passwords in System --> System Settings when running System Restore
- Fixed bugs in system_restore.sh script