Product Information Bulletin Clearswift SECURE Email Gateway 4.7 November 2017



Copyright

Published by Clearswift Ltd.

© 1995–2017 Clearswift Ltd.

All rights reserved.

The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated. The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.

Clearswift reserves the right to change any part of this document at any time.


Contents

Overview
New Features
    Postfix MTA support
    TLS enhancements
    STIG hardening
    Bypass bad-data error conditions
    Sanitize and Redact JPEG image properties
    GDPR EU Regional (PII) Policies
    Message tracking
    Encryption Enhancements
    Property Name scanning enhancements
Enhancement requests
Bug fixes
Availability
Interoperability
End of life
Platform support
Packaging


Overview

This new release delivers a number of customer enhancement requests, as well as additional security features for the Clearswift SECURE Email Gateway. The new features are briefly summarized below, and examined in more detail on the following pages:

• Postfix
• TLS enhancements
• STIG hardening
• Bypass bad-data error conditions
• Sanitize and Redact JPEG image properties
• GDPR regional PII tokens
• Message Tracking retention period
• Property Name scanning enhancements

New Features

Postfix MTA support

Sendmail was originally developed in 1982 and, while it has been a common MTA, in recent years its popularity has declined compared to newer MTAs such as Postfix and Exim, which offer better performance and greater security.

Figure – Top Mail Server Market Share

One of the major drawbacks of Sendmail was its monolithic structure. Postfix is more modular, with defined APIs permitting easier integration with the content inspection technologies in the Gateway. If a security vulnerability is identified, patching Postfix becomes much easier with these defined APIs, enabling customers' systems to be made resilient in a much shorter timeframe. The APIs and the number of available Postfix extensions will allow Clearswift to introduce new and innovative features for many more years.

Key points:

• Postfix offers defined interfaces that make message interception simpler
• Postfix offers more features with good performance
• Considered a secure MTA for use in military deployments

TLS enhancements

By changing the MTA from Sendmail to Postfix, we provide a number of new features, mainly for use in TLS and address rewriting. Most customers will be using TLS. TLS configuration has changed in this release so that you can now:

• Define a default TLS version for outbound connections, then override the default version on a per-connection basis, which could be for one or more domains
• Define a default TLS cipher for outbound connections, then override the default cipher on a per-connection basis, which could be for one or more domains
• Validate certificates by their Subject Alternative Name (SAN) entries for outbound connections

Granular Outbound connection TLS properties

As part of the integration of Postfix, the Gateway interface has undergone cosmetic changes to make the deployment of TLS easier for customers.

Key points:

• Opportunistic and Mandatory modes
• More flexible configurations for outbound connections
• Support for Subject Alternative Names
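As an added illustration of the outbound TLS model described above (this is not Gateway code; it mirrors the per-destination policy semantics of the Postfix smtp_tls_policy_maps mechanism that the Gateway now sits on), the following Python resolves the effective policy for a destination, applies Subject Alternative Name matching, and shows what happens when a handshake cannot be negotiated under opportunistic versus mandatory TLS. The domains, policy entries, protocol sets and certificate names are invented for the example.

```python
"""Per-destination outbound TLS policy, modelled on the Postfix smtp_tls_policy_maps
semantics the Gateway now builds on. Added example: the policy entries, domain names,
protocol sets and certificate names are constructed for illustration and are not taken
from the Gateway UI or from a real Postfix installation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class TlsPolicy:
    level: str                                   # "may" = opportunistic; "encrypt"/"secure" = mandatory
    protocols: FrozenSet[str] = frozenset({"TLSv1.2", "TLSv1.3"})
    ciphers: str = "medium"                      # named cipher grade, as in Postfix smtp_tls_ciphers
    match: Tuple[str, ...] = ()                  # certificate name rules, enforced at level "secure"


# The default covers every destination; the table overrides it per domain.
DEFAULT = TlsPolicy(level="may")
PER_DOMAIN: Dict[str, TlsPolicy] = {
    "bank.example": TlsPolicy("secure", frozenset({"TLSv1.3"}), "high",
                              ("bank.example", ".bank.example")),
    "partner.example": TlsPolicy("encrypt"),
    ".legacy.example": TlsPolicy("may", frozenset({"TLSv1.2"})),   # leading dot: sub-domains only
}


def effective_policy(domain: str) -> TlsPolicy:
    """Exact entry first, then ".parent" entries. A leading-dot entry does not cover
    the bare parent domain itself, which is a common misconfiguration."""
    domain = domain.lower()
    if domain in PER_DOMAIN:
        return PER_DOMAIN[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in PER_DOMAIN:
            return PER_DOMAIN[key]
    return DEFAULT


def name_matches(san_names: Iterable[str], rule: str) -> bool:
    """Check the certificate's Subject Alternative Names against one match rule:
    "host.example" must match exactly; ".example" matches any sub-domain of example."""
    rule = rule.lower()
    for name in san_names:
        name = name.lower()
        if rule.startswith("."):
            if name.endswith(rule) and name != rule[1:]:
                return True
        elif name == rule:
            return True
    return False


def outbound_decision(domain: str, server_protocols: Iterable[str],
                      server_sans: Iterable[str] = ()) -> str:
    """Decide what the client does for one connection: negotiate TLS, fall back to
    clear text, or defer the message. Mandatory levels never fall back."""
    pol = effective_policy(domain)
    usable = pol.protocols & frozenset(server_protocols)
    if not usable:
        return "send_cleartext" if pol.level == "may" else "defer"
    if pol.level == "secure" and not any(name_matches(server_sans, r) for r in pol.match):
        return "defer"                   # encrypted, but to the wrong server: not "secure"
    return "send_tls:" + max(usable)     # "TLSv1.3" sorts above "TLSv1.2"


if __name__ == "__main__":
    print(outbound_decision("bank.example", {"TLSv1.2", "TLSv1.3"}, ["mail.bank.example"]))
    print(outbound_decision("bank.example", {"TLSv1.2"}, ["mail.bank.example"]))
    print(outbound_decision("unknown.example", {"TLSv1.0"}))
```

Two things worth checking in a real policy table: a leading-dot entry covers sub-domains but not the bare domain, and only the mandatory levels refuse to fall back to clear text (the concern behind enhancement MAIL-7561 below). Under the opportunistic default, a peer or on-path attacker that breaks the handshake gets the message delivered unencrypted.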


STIG hardening

Ensuring that system security is maintained against industry best practice is paramount. The Gateways now conform to a number of security recommendations created by the Defense Information Systems Agency (DISA) in its Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems and software that might otherwise be vulnerable to attack. In 4.7, 55 recommendations have been applied, and each Gateway release will contain progressively more. These recommendations are applied automatically on installation and upgrade, and customers can view the STIG remediation report by logging into the console and reading the file:

• /opt/csrh/stig/reports/cs-remediation-report.html

The report is HTML, so it is best copied off the Gateway with SFTP, SCP or a similar process and opened in a browser; avoid plain FTP, which transfers credentials and the report itself in clear text.

Key points:

Defined by DISA

Guidelines for more secure deployments of standard COTS products (operating systems, web servers & databases)

Automatically applied

55 recommendations implemented in 4.7


Example – STIG report

In most cases the sysadmin will not notice any changes, but some of the more obvious ones are:

• NTP enabled by default on install and upgrade
• Increased auditing of user actions in the Console and in terminal windows
• New console (not SSH) message prior to login
• New logon message after login, prior to the Console loading

Bypass bad-data error conditions

As part of message processing, the Clearswift Deep Content Inspection (DCI) engine inspects the structure of the message and of any attachments. If DCI finds errors in the message structure (introduced by the mail client that created the message) or in the structure of an attachment, the Gateway legitimately blocks the message, because the "errors" could in fact be a new exploit aimed at the mail client (e.g. Outlook) or at the tool used to open the attachment (e.g. Word). Some customers, however, need to send out data created with a third-party PDF tool that writes files whose structure is technically incorrect; such files are blocked by the Gateway even though most PDF readers open them without complaint. Customers can therefore use the new "Detect Malformed Data" content rule to choose which file formats are blocked and which are ignored; in this example they would configure the policy to exclude PDF files from being held. An excluded format is delivered even when its structure is malformed, so keep the exclusion as narrow as the false positives require and leave the other formats held.

Key points:

• Allows customers to override file processing failures
• Bad-data rule split into "processing failure" and "bad-data"


Example – Exclude PDF files from Message Processing Failures
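To make the "processing failure" versus "bad-data" split and the per-format exclusion concrete, here is an added Python example. It is not the Gateway's DCI engine: the structural checks, the exclusion set and the sample files (a minimal PDF, the same PDF without its trailer, and an Office Open XML container with one byte flipped) are constructed for illustration, and the Gateway's own classification of a given file may differ.

```python
"""Structural checks with a per-format bypass, in the spirit of the Detect Malformed
Data rule. Added example: the checks, the exclusion set and the sample files are
constructed for illustration; they are not the Gateway's DCI engine and do not
reproduce how it classifies a given file."""
import io
import zipfile


def check_pdf(data: bytes) -> list:
    """Cheap structural sanity checks; an empty list means the file looks well formed."""
    problems = []
    if not data.startswith(b"%PDF-"):
        problems.append("missing %PDF- header")
    if b"startxref" not in data:
        problems.append("missing startxref")
    if not data.rstrip().endswith(b"%%EOF"):
        problems.append("missing %%EOF trailer")
    return problems


def check_ooxml(data: bytes) -> list:
    """docx/xlsx/pptx are ZIP containers. A broken central directory means the file
    cannot be parsed at all (processing failure); a CRC mismatch on a member means it
    parsed but the content is damaged (bad data)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            bad = archive.testzip()
    except zipfile.BadZipFile as exc:
        raise ValueError("unreadable archive: %s" % exc)
    return ["corrupt member " + bad] if bad else []


CHECKERS = {"pdf": check_pdf, "ooxml": check_ooxml}

# Formats whose malformed files are still delivered (the bulletin's PDF example).
# Anything listed here passes the structure check unconditionally, so keep it short.
EXCLUDED_FROM_HOLD = frozenset({"pdf"})


def sniff(data: bytes) -> str:
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "unknown"


def disposition(data: bytes) -> tuple:
    """Return (action, category, problems). action is "hold" or "deliver"; category is
    "clean", "bad_data", "processing_failure", or one of the latter two with "_ignored"
    appended when the format is excluded from holding."""
    fmt = sniff(data)
    if fmt not in CHECKERS:
        return "hold", "processing_failure", ["unrecognised container"]
    try:
        problems, category = CHECKERS[fmt](data), "bad_data"
    except ValueError as exc:
        problems, category = [str(exc)], "processing_failure"
    if not problems:
        return "deliver", "clean", []
    if fmt in EXCLUDED_FROM_HOLD:
        return "deliver", category + "_ignored", problems   # delivered, but worth logging
    return "hold", category, problems


# Constructed samples.
GOOD_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nxref\n0 1\n"
            b"trailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n")
BAD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


def make_ooxml(corrupt: bool = False) -> bytes:
    """Minimal OOXML-style container; with corrupt=True one stored byte is flipped
    so the member's CRC no longer matches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
    data = bytearray(buf.getvalue())
    if corrupt:
        data[data.find(b"<Types/>")] ^= 0xFF
    return bytes(data)


if __name__ == "__main__":
    for name, blob in [("good.pdf", GOOD_PDF), ("bad.pdf", BAD_PDF),
                       ("good.docx", make_ooxml()), ("bad.docx", make_ooxml(corrupt=True))]:
        print(name, disposition(blob))
```

Note that the malformed PDF is delivered only because "pdf" is in the exclusion set; the damaged Office file, whose format is not excluded, is still held.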

Sanitize and Redact JPEG image properties

Previously, the Redaction and Document Sanitization features were limited to text, documents, message bodies and web pages. This version allows customers with the appropriate license to inspect image metadata and optionally redact items or remove properties. This is particularly important to organizations where:

• the exact location where the picture was taken is sensitive
• the time the picture was taken is sensitive, or
• the device used to take the picture is sensitive

Key points:

Allows redaction of image properties

Allows sanitization (removal) of image properties

Included as part of Data Redaction / Document Sanitization Licenses


Example – Image meta data showing GPS location where picture was taken

The Redaction features can redact specific text from the properties, or some or all of the image meta data may be removed.

Example – Image properties following redaction of the text “iPhone”
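The two operations above, redacting a term and removing properties, come down to rewriting the JPEG metadata segments (Exif lives in the APP1 segment, free text in COM segments) while leaving the image data alone. The following Python is an added example of that, not the Gateway's sanitizer; the sample file, the camera strings and the GPS text inside it are constructed and the file is not a decodable picture, only a correct marker layout.

```python
"""Strip or redact JPEG metadata segments. Added example, not the Gateway's sanitizer:
it walks the JPEG marker structure (Exif lives in APP1, free text in COM), drops or
rewrites those segments and leaves the image data untouched. The sample file, the
camera strings and the GPS text inside it are constructed for this example."""
import re

SOS, APP0, APP1, APP14, COM = 0xDA, 0xE0, 0xE1, 0xEE, 0xFE
KEEP_APP = frozenset({APP0, APP14})   # JFIF and Adobe segments affect decoding, not privacy


def parse(data: bytes) -> list:
    """Return [(marker, payload)] up to and including SOS; the SOS entry carries the
    rest of the file (scan header, entropy-coded data, EOI) verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            segments.append((SOS, data[pos + 2:]))
            return segments
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment")


def build(segments: list) -> bytes:
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        out += bytes((0xFF, marker))
        if marker != SOS:
            out += (len(payload) + 2).to_bytes(2, "big")
        out += payload
    return bytes(out)


def sanitize(data: bytes) -> bytes:
    """Remove every APPn segment except those needed to decode, plus all COM segments."""
    return build([(m, p) for m, p in parse(data)
                  if not ((0xE0 <= m <= 0xEF and m not in KEEP_APP) or m == COM)])


def redact(data: bytes, term: bytes) -> bytes:
    """Overwrite a term inside APP1 with NUL bytes of the same length, so the segment
    length and the Exif IFD offsets that point into it stay valid."""
    return build([(m, p.replace(term, b"\x00" * len(term)) if m == APP1 else p)
                  for m, p in parse(data)])


def metadata_strings(data: bytes) -> list:
    """Printable strings of 4+ characters found in APP1 and COM: a quick 'what leaks' view."""
    found = []
    for m, p in parse(data):
        if m in (APP1, COM):
            found += [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", p)]
    return found


def sample_jpeg() -> bytes:
    """Constructed file: correct marker layout, no decodable picture."""
    def seg(marker, payload):
        return bytes((0xFF, marker)) + (len(payload) + 2).to_bytes(2, "big") + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\x00\x00Make\x00Apple\x00Model\x00iPhone\x00GPSLatitude\x0051.4N\x00"
    com = b"edited with PhotoTool"
    scan = b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\x78" + b"\xff\xd9"
    return (b"\xff\xd8" + seg(APP0, app0) + seg(APP1, app1) + seg(COM, com)
            + bytes((0xFF, SOS)) + scan)


if __name__ == "__main__":
    original = sample_jpeg()
    print("before:   ", metadata_strings(original))
    print("redacted: ", metadata_strings(redact(original, b"iPhone")))
    print("sanitized:", metadata_strings(sanitize(original)))
```

Redaction keeps the file the same size on purpose: Exif is a TIFF structure full of absolute offsets, and shortening the segment would corrupt it. Full sanitization is the safer default when the recipient does not need the metadata, since a redaction rule only catches the strings you thought to list.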

GDPR EU Regional (PII) Policies

With heavy penalties for data loss under the GDPR, which applies from May 2018, customers need to ensure that Personally Identifiable Information (PII) is controlled.

Key points:

Consistent set of PII tokens to cover Passport, Social Security / Driving License and National Identity (where applicable)

Covering 28 countries


Figure – PII Tokens added in 4.7 (rows: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK; columns: Passport, Social Security, Driving License, Identity Card; legend: 4.6, 4.7)

Clearswift products have been extended to support a much wider range of entries, allowing a greater chance to protect employee and customer data from being lost.

Message tracking

Customers can now extend their "Tracking and Report" retention settings to hold up to 2 years' worth of data. This will increase the amount of disk space used by the system, and reports over extended periods may affect system performance. In previous versions, Message Tracking only showed whether TLS was used for outbound connections; it has now been extended to show whether an inbound connection arrived over TLS.

Key points:

• Can be extended to support storing 2 years' worth of data
• Shows inbound TLS traffic
• "Show Log" output is different, as the Postfix log format differs from Sendmail's


Encryption Enhancements

The SECURE Email Gateway now uses Cryptographic Message Syntax (CMS) by default for S/MIME message processing, to provide better compatibility with other cryptographic solutions and with evolving compliance requirements. The default S/MIME signature algorithm has been changed from SHA1 to SHA256. The new setting is more secure and affects signature processing as well as certificate generation. However, if you have used the Gateway UI to create a CA for S/MIME, you may need to re-create it following this change in order to ensure consistent use of the new algorithm throughout the whole certificate chain.

Key points:

• Uses Cryptographic Message Syntax for better compatibility with other solutions
• Default S/MIME signature algorithm now SHA256

Property Name scanning enhancements

In situations where you know that text could exist in a property but are unsure which property it may be stored in, you can simply use a "!" character as the property name in the Analyze Properties content rule. For example, to scan all properties for the term "Secret", use a single "!" character as the property name.

If you want to scan for content in properties other than the "Author" property, the "!" character can be used to negate that property name.

Key points:

• Allows customers to search through document/image properties without having to know the exact name
• Can search all properties except a named property for text
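The selector semantics described above, as an added Python example rather than the Gateway's own rule engine: "!" alone selects every property, "!Name" selects every property except Name, and any other value selects that one property. The exact "!Name" spelling for negation is my reading of the bulletin, the document properties are constructed, and the Gateway's own matching may differ in detail (case handling, whole-word versus substring matching).

```python
"""Property-name selectors for an Analyze Properties style rule. Added example: the
semantics ("!" alone = every property, "!Name" = every property except Name, any other
value = that one property) are my reading of the bulletin, and the document properties
are constructed; the Gateway's own matching may differ in detail."""
import re


def select_properties(props: dict, selector: str) -> dict:
    """Apply the selector to a property map; names compare case-insensitively."""
    if selector == "!":
        return dict(props)
    if selector.startswith("!"):
        excluded = selector[1:].casefold()
        return {k: v for k, v in props.items() if k.casefold() != excluded}
    return {k: v for k, v in props.items() if k.casefold() == selector.casefold()}


def find_term(props: dict, selector: str, term: str) -> list:
    """[(property, value)] for every selected property containing the term as a whole
    word, case-insensitive, sorted by property name."""
    pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
    return sorted((k, v) for k, v in select_properties(props, selector).items()
                  if pattern.search(str(v)))


# Constructed document properties, as a sanitizer would extract them from an Office file.
DOC_PROPS = {
    "Title": "Q3 roadmap",
    "Author": "secret.santa",
    "Comments": "Draft. SECRET. Do not forward.",
    "Company": "Example Ltd",
    "LastModifiedBy": "jdoe",
}

if __name__ == "__main__":
    print(find_term(DOC_PROPS, "!", "secret"))          # every property
    print(find_term(DOC_PROPS, "!Author", "secret"))    # every property except Author
    print(find_term(DOC_PROPS, "Title", "secret"))      # that one property only
```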

Enhancement requests

The following customer-reported enhancement requests have been implemented in this release.

ER#         Summary
MAIL-6572   Extension of retention time within the Tracking and Report settings
MAIL-5307   Message Tracking not showing TLS for inbound messages
MAIL-7891   Allow peering using a NIC not reserved for Web UI use
MAIL-7194   Support the use of wildcards in Connection Profile certificate subject validation
MAIL-11104  Add regional keyboard layouts for Greek, Turkish, Norwegian and Japanese
MAIL-6542   Reclassify Action
MAIL-6737   Support for mmap files
MAIL-7561   Do not send email in clear text when the TLS handshake fails
MAIL-1532   Support address rewriting with partially wildcarded users

Bug fixes

A number of client-reported bugs have been fixed in this release. Please see the release notes for more information.

Availability

Phase                 Date
General Availability  November 2017

Interoperability

It is possible [1] to peer a Version 4.7 Gateway with an existing Version 3.x Gateway, although it will not be possible to share policy, due to the different levels of functionality in the later products. It will be possible to import a 3.8 configuration into a V4.6 system, thus saving deploying a V4.0 (or 4.1 to 4.3) and then upgrading that to V4.7.

End of life

This release signals the start of the SEG 4.5 end of life program. Version 4.5's EOL program will last 12 months (as defined in the Support Services handbook), and it will reach end of life on 7th November 2018.

[1] Peering a V4.4 or later Gateway with SEG 3.8 requires some modification of the TLS ciphers used for peer communications.


Platform support

Clients with low-memory and low-disk systems might find their hardware is no longer suitable and will need to refresh their hardware or virtual systems, especially if they intend to set up 2 years' worth of Message Tracking. Clearswift recommends that systems have a minimum of 4 GB RAM, multi-core processors that support 64-bit instructions and 250 GB+ of disk space for low-volume production environments. For customers with a greater workload the recommended minimum is 6-8 GB RAM, single or dual multi-core processors and 250 GB+ of redundant disk storage.

Packaging

This release will NOT be available as a patch for all systems running 3.x to automatically download. Clients using 4.0 to 4.6 will be able to upgrade their system through the Admin Server Console. Clients who want to migrate from 3.x must install a new system and migrate their existing configuration to the new system. They will typically deploy the solution in a test mode initially and then deploy a production system. Clients will be able to import a V3.8.* policy file to replicate their policy or a V3.8.* full system backup if they want to import reporting data, quarantine messages, logs, and policy. To make the installation process easier, clients will be able to request professional services from Clearswift to assist in the deployment of this new version.