CryptoFilter · The S/MIME Gateway

v3.14 2022-02-16

  • New: Support for RFC 5802 - SCRAM-SHA-1
  • New: Support for RFC 7677 - SCRAM-SHA-256 / SCRAM-SHA-512
  • Chg: OpenSSL updated to v3.0.1
  • Chg: TLS RC4-MD5 and RC4-SHA are no longer supported
  • Chg: Windows 2000 is no longer supported

v3.13 2021-02-09

  • Fix: SMIME policy must not apply for non-SMIME messages
  • Fix: SMIME policy for non-removable signature
  • Fix: SMIME decrypt with a certificate in ALT directory
  • Fix: Reject DNS answer that is too long
  • Fix: EAI permits unencoded UTF-8 in message subject
  • Fix: DANE-TA and PKIX-TA
  • Fix: MTA-STS cache result
  • Chg: OpenSSL updated to v1.1.1i

v3.12 2020-02-03

  • New: Restart on certificate pem file change
  • New: Support for Server Name Indication (SNI)
  • Fix: Extended characters when running as a console application
  • Fix: FQDN when bound to a specific IPv6 address
  • Fix: NTLM authentication with LM hash
  • Chg: DNS check uses Cloudflare rather than OpenDNS
  • Chg: Screen optimized for Linux WINE
  • Chg: Terminate with ESCAPE and SPACE when running as a console application
  • Chg: Faster startup with a lot of messages in MSG-IN or MSG-OUT
  • Chg: OpenSSL updated to v1.1.1d
  • Chg: DNS query with NXDOMAIN and CNAME against Windows DNS server

v3.11 2019-02-03

  • New: Support for DomainKeys Identified Mail Signatures (DKIM)
  • New: Support for RFC 8446 TLS 1.3
  • New: Detect and use IPv6 DNS server
  • New: Support for RFC 6530 Email Address Internationalization (EAI)
  • New: NTLMv2 Authentication
  • New: Support for RFC 8461 SMTP MTA Strict Transport Security (MTA-STS) (OutboundSMTPTLSMTASTS=True)
  • Chg: Send DSN ORCPT only when different from the SMTP address
  • Chg: Converting a forwarded non-delivery report to a plain message
  • Chg: DSN in RFC format more compatible with Outlook Inbox
  • Chg: Prefer SMTP Authentication by strength (NTLMv2/NTLM2/NTLM/LM/CRAM-MD5/PLAIN)
  • Chg: OpenSSL updated to v1.1.1a
  • Fix: Missing char in ISO-8859-7 table

v3.10 2018-02-17

  • New: Support for SMIME RFC 5652 Cryptographic Message Syntax (CMS) (CMS vs PKCS7)
  • New: Support for RFC 8162 SMIMEA using DANE (InboundSMIMEVerifySMIMEA=True,OutboundSMIMEVerifySMIMEA=True)
  • New: SMIME download certificate using SMIMEA with domain wildcard
  • New: Support for Unicode characters larger than UCS2 (0xFFFF)
  • New: CSV file as UTF-8 (StatisticFileUseANSI=False)
  • Fix: Optional startup delay failed in rare cases
  • Fix: Outbound SMIME policy with e-mail mismatch
  • Fix: SMIME format in statistic file
  • Chg: TLS as server enforce highest possible cipher (needed to get an A at
  • Chg: OpenSSL updated to v1.1.0g

v3.09 2017-02-27

  • New: Limit inbound concurrent connection from a single host (InboundSMTPConcurrentConnections=100)
  • New: AES256 encryption and compression when sending a message to another CryptoFilter/XWall (InboundESMTPXBDATAAESA=True,OutboundESMTPXBDATAAESA=True)
  • New: Adaptation for Windows 2016 and Windows 10
  • New: Support for RFC 2231 long filename
  • New: Inbound and Outbound exclude from history (,
  • New: Support for private Enhanced Status Codes in Exchange 2013 and Office 365
  • Chg: DiskFullAlert unit from bytes to megabyte to prevent overflow (check value at View->Advanced Configuration->Advanced)
  • Chg: CPS are converted to Kibit/s or Mibit/s
  • Chg: Queue messages when Exchange returns a temporary Error
  • Chg: Messages for the DSN From: E-Mail address are no longer accepted when relaying is disabled
  • Chg: Windows NT 4.0 is no longer supported
  • Chg: Exe signed with SHA256, signature only valid on Windows 2008 R2 and above
  • Chg: SSLv2 and SSLv3 are no longer supported
  • Chg: RC4-MD5 and RC4-SHA are no longer supported for inbound connections
  • Chg: SMIME RFC 5751 (micalg=sha1 to micalg=sha-256)
  • Chg: Support for application/pdf Media Type (RFC 3778)
  • Chg: Support for Office 2007 File Format MIME Types
  • Chg: OpenSSL updated to v1.1.0e
  • Del: RAS, ETRN and SOCKS
  • Fix: Length of password for SMTP authentication with Amazon SES
  • Fix: SMIME with an e-mail address that starts with a reserved filename
  • Fix: MBAdmin disable inbound authentication when old settings are still in place
  • Fix: MBAdmin wrote INI in wrong directory after a common dialog changed the current directory
  • Fix: INI entry with a semicolon in a quoted string
  • Fix: DNS MX query missed EDNS0 option
  • Fix: MIME coding for filename with an Umlaut and an ASCII body text
  • Fix: DKIM signing for non-delivery-message
  • Fix: SMIME quote e-mail with a leading space

v3.08 2016-01-22

  • New: TLS Mutual authentication with intermediate certificate (IncaMail of Swiss Post)
  • New: SMIME: extended error reporting; caching the verification result for five minutes; signing is faster by 43%, encrypting by 35%
  • New: Support for RFC 7505 - Null MX for Domains That Accept No Mail
  • New: Reject TLS on weak signature algorithm (Options->TLS/SSL->Policy)
  • New: TLS connection information of temp key for ECDHE and DHE
  • New: Show OpenSSL version at startup when diagnostic logging is enabled
  • New: Prevent TLS POODLE attack by disabling SSLv3 (TLSServCipherList=@NOSSLV3)
  • New: Optimized reading of large certificate chains
  • New: Enhanced TLS security from and to Exchange (InboundExchTLSSecurity=True,OutboundExchTLSSecurity=True)
  • Chg: Enhanced Status Codes updated to match RFC 7372
  • Chg: SMIME file operations under heavy load and virus scanner
  • Chg: SMIME RFC 5751 (x-pkcs7 to pkcs7)
  • Chg: DMARC (RFC 7489) requires that DKIM uses RFC5322.From as SDID
  • Chg: Disk Full Alert to 3 GB
  • Chg: DKIM signing algorithm from rsa-sha1 to rsa-sha256 to comply with RFC 6376
  • Chg: OpenSSL updated to v1.0.2e
  • Fix: Close outbound connection when TLS policy changes
  • Fix: SMIME added the sign certificate twice to smime.p7s
  • Fix: TLS outbound policy and weak protocol
  • Fix: SMIME file error/undefined behavior in the Microsoft C run-time library (CRT)

v3.07 2015-02-04

  • New: Force quick restart after configuration change (Signal->Restart)
  • New: Ignore IP address when resolving MX records, because the DNS of GMail returns a bad IP address (OutboundSMTPConnectIgnoreIP=
  • New: DNS support for large UDP packets
  • New: Support for GB18030 (Chinese) codepage
  • New: S/MIME policy for messages that are not signed or encrypted
  • New: Support for Server Name Indication (SNI)
  • New: Enforce TLS using key word in subject (Options->TLS/SSL->TLS Outbound policy)
  • New: TLS Mutual authentication (Options->TLS/SSL->TLS Outbound policy)
  • New: Adaptation for Windows 10
  • New: Reject TLS on weak protocol (Options->TLS/SSL->Policy)
  • New: S/MIME encryption permits a void certificate
  • New: Support for UTF-16LE and UTF-16BE codepage
  • Chg: Error text when a message expired without being sent
  • Chg: Search for included INI file in the program directory
  • Chg: zLib updated to v1.2.8
  • Chg: Missing S/MIME sign or encryption triggers policy
  • Chg: OpenSSL updated to v1.0.1j
  • Fix: DSN error for an IPv6 host when IPv6 is disabled
  • Fix: Ignore local IP address on Linux
  • Fix: OpenSSL CVE-2014-0160 (
  • Fix: Received header line with a literal IPv6
  • Fix: Workaround for TLS Auto-Negotiate with Cisco IronPort C370 (IronPort sends wrong ciphers)
  • Fix: Invalid MX using
  • Fix: Missing "Closing connection" after a temporary error

v3.06 2014-02-22

  • New: TLS with Perfect Forward Secrecy (PFS) using ECDH and DHE (proposed by c't magazine for computer technology)
  • New: TLS inbound and outbound type and policy (Options->TLS/SSL)
  • Chg: Disable QuickEdit-Mode when running as a console application
  • Chg: Ignore IPv6 MX record when IPv6 is not enabled
  • Chg: S/MIME cipher changed from DES3 with 168 bit to AES with 256 bit
  • Chg: Enhanced TLS peer certificate verification removed (OutboundSMTPTLSVerify=True)
  • Chg: Support for DANE TLSA certificate verification removed (OutboundSMTPTLSVerifyDANE=True)
  • Chg: Yield CPU when decoding large HTML messages
  • Chg: OpenSSL updated to v1.0.1f
  • Fix: Query for local IP addresses on Windows 2012 R2

v3.05 2013-01-15

  • New: S/MIME sign and encryption of pre-signed and/or pre-encrypted messages
  • New: Reassembly of S/MIME signed, detach signed and encrypted messages
  • New: Support for DANE TLSA certificate verification (OutboundSMTPTLSVerifyDANE=True)
  • New: Support for DomainKeys Identified Mail Signatures (DKIM)
  • New: DKIM verification using Author Domain Signing Practices (ADSP)
  • New: Added additional DKIM error messages
  • New: Terminate connection after a client tried two messages without any valid sender or recipient address
  • Chg: Accept an E-Mail address with a user part longer than 64 bytes
  • Chg: Removed support for Domain-Based E-Mail Authentication Using Public Keys Advertised in the DNS (DomainKeys)
  • Fix: S/MIME remove signature for outgoing messages
  • Fix: Disable TLS/SSL cipher DES-CBC-SHA
  • Fix: TLS with more than one intermediate certificate shows wrong status

v3.04 2021-08-06

  • New: Compiled with ASLR (address space layout randomization) and NX (no-execute)
  • New: Support status query using Nagios
  • New: Verify a certificate using the CommonName and the subjectAltName
  • New: Global exclusion for TLS required sender (InboundExclTLSRequired=True)
  • New: Enhanced TLS peer certificate verification (OutboundSMTPTLSVerify=True)
  • New: Support for Online Certificate Status Protocol (OCSP)
  • New: The Format column in the statistic file indicates an IPv6 connection
  • Chg: Outbound TLS connection use TLSv1, omit SSLv2, and reconnect with SSLv3 when TLSv1 fails
  • Chg: IPv6 DNS query using ALL and fall back to A/AAAA for servers that don't support it
  • Fix: Binding to an IPv6 address erroneously enabled inbound IPv6
  • Fix: Message-id was not unique when created within one tick
  • Fix: S/MIME certificates with an e-mail only in subjectAltName
  • Fix: Unnecessary restart when timezone changes
  • Fix: FQDN on a machine with more than one IP address
  • Fix: S/MIME encryption with missing cert file failed with wrong error

v3.03 2011-06-22

  • New: IPv6 support (InboundSMTPIPv6=True OutboundSMTPIPv6=True OutboundExchIPv6=True)
  • New: Received header line shows TLS cipher information (TLSv1/SSLv3:AES256-SHA:256)
  • New: Show IP address of the sending MTA (VerboseDomainMX=True)
  • New: At startup XWall queries the public name server from Google and for the MX records of the inbound domain (CheckDNSQueryMXPublicNS=True)
  • New: TLS information shows the algorithm and bits of the public certificate
  • Chg: Graceful shutdown with CTRL_CLOSE_EVENT in Windows 7/2008
  • Chg: Quoted Printable encodes a dot at the beginning of a line, because Exchange 2003 sometimes has a problem with it
  • Chg: OpenSSL updated to v1.0.0a
  • Fix: DNS query for Exchange, smart host and static route used wrong name server
  • Fix: S/MIME CRL with Comodo certificate
  • Fix: invalid A records are no longer showing an IP address of
  • Fix: MX query with a CNAME using a Bind name server
  • Fix: DSN for persistent temporary failure had a status field of 5.x.x rather than 4.x.x.
  • Fix: Folded header line that starts with a white space
  • Fix: Parsing a very long Content-Type: header line

v3.02 2010-08-17

  • New: S/MIME verbose output for certificate rule (VerboseSMIMECert=True)
  • Chg: Updated e-mail address parser for RFC 3696, RFC 5321 and RFC 5322
  • Fix: S/MIME removing of non-detached signature with different header lines
  • Fix: S/MIME sign validates private key and prints an error into the logfile
  • Fix: S/MIME ignores lonesome smime.p7m attachment

v3.01 2010-01-20

  • New: View->Statistic
  • New: Disable TLS/SSL weak cipher (TLSServOmitWeakCipher=True, TLSClientOmitWeakCipher=True)
  • New: Support for RFC 2319 - Ukrainian Character Set KOI8-U
  • Chg: If TLS is enforced and the recipient's server returns a temporary error, the message is rescheduled rather than sending a non-delivery report (happens with Bank of America)
  • Chg: Default codepage from UTF-7 to UTF-8 because some free mailers don't support UTF-7
  • Chg: Outbound messages scheduler performs better when there are a lot of messages in the queue
  • Chg: Timeout for DATA set to the values of RFC 5321
  • Chg: Using Microsoft VCC rather than Watcom for 32bit application
  • Chg: In 64bit XWall, MBAdmin is a native 64bit application
  • Fix: SSLv2 security flaw (SSLv2 is still in place or else SSLv3/SSLv2 clients can't auto-negotiate)
  • Fix: Faster shutdown when a lot of SSL connections are open
  • Fix: parenthesis in Received: header line

v3.00 2009-05-31

  • Released
©1991-2022 DataEnter GmbH
Wagramerstrasse 93/5/10 A-1220 Vienna, Austria
Changed: 2022-02-16
Fax: +43 (1) 4120051