MailMarshal SEG 7.2 Release Notes

(Previously known as MailMarshal SMTP)

Last Revision: August 15, 2013

These notes are additional to the MailMarshal User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q15595.

Table of Contents

New Features
System Requirements
Upgrade Instructions
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 7.2

Features New in 7.1

Features New in 7.0

Note: Version 7.0 was released only for use by MailMarshal SPE customers. The features listed below are available to MailMarshal SEG customers from version 7.1.

Features New in 6.9

Features New in 6.8

Features New in 6.7

System Requirements

The following system requirements are the minimum levels required for a typical installation of the MailMarshal SEG Array Manager and selected database.

Table 1: System Requirements
Category Requirements
Processor Pentium 4
Disk Space 10GB (NTFS), and additional space to support email archiving
Memory 1GB (plus an additional 1GB if SQL Express is installed locally)
Supported Operating System
  • Windows Server 2008 (SP2 or above) , Server 2008 R2, Server 2012 (Standard or Enterprise versions)
  • Microsoft Small Business Server (SBS) 2008 or 2011 For Web Components on SBS, see Trustwave Knowledge Base article Q12671).
  • Windows 7, Windows 8 (Installation of server components on these workstation operating systems is not recommended)
  • MailMarshal SEG Client components (Configurator and Console) can also be installed on Windows Vista SP2.
Network Access
  • TCP/IP protocol
  • Domain structure
  • External DNS name resolution - DNS MX record to allow MailMarshal SEG Server to receive inbound email
  • Microsoft .NET Framework 3.5 SP1
  • Database server: SQL Server 2012, SQL Server 2008 R2, SQL Server 2008 (SP1), SQL Server 2005 (SP3)
  • Database server (free versions): SQL 2012 Express, SQL 2008 R2 Express, SQL 2008 Express (SP1), SQL 2005 Express (SP3)

    (Service packs listed are the minimum required for compatibility with all supported operating systems)

Port Access
  • Port 53 - for DNS external email server name resolution
  • Port 80 (HTTP) and Port 443 (HTTPS) - for SpamCensor updates
  • Port 1433 - for connection to SQL Server database and Reports console computers
  • Port 19001 - between Array Manager and Processing Nodes
Note: Additional ports are required by the Nodes for email and updates.


Upgrade Instructions

MailMarshal SEG 7.2 supports a direct upgrade from MailMarshal SMTP 6.7 and later versions.  This is a change from earlier MailMarshal SMTP releases. To upgrade from a version prior to 6.7, first upgrade to version 6.7.

Please review the MailMarshal User Guide before upgrading.

For general information about upgrading issues see the remainder of this section.

Full details about upgrading from specific versions can be found in the following Trustwave Knowledge Base articles:

To upgrade from a version prior to 5.5 (not recommended), first upgrade to version 5.5, then see the above articles.

Changes in Database Structure and Prerequisites

MailMarshal no longer supports SQL 2000 or MSDE 2000.

You can access a supported SQL Express version from the Prerequisites tab of the MailMarshal installation package. The "With SQL Express" version of the package also allows you to install SQL Express during the main MailMarshal installation.

Upgrading a Single Server

To upgrade a single MailMarshal server from version 6.7 or above, install the new version over your existing version. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary.

Upgrading an Array of Servers

After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

Notes on Upgrading

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q15595.


MailMarshal can be installed in a variety of scenarios. For full information on uninstalling MailMarshal from a production environment, see the MailMarshal SEG User Guide.

To uninstall a trial installation on a single computer:

  1. Close all instances of the MailMarshal Configurator, MailMarshal Console, and MailMarshal Reports.
  2. Use Add/Remove Programs from the Windows Control Panel to remove MailMarshal SEG.
  3. Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web components or Reports.
  4. If you have installed any components (such as the Configurator, Console, Web components, or Reports) on other computers, uninstall them.
  5. If you have installed SQL Express specifically to support MailMarshal and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of MailMarshal SEG or MailMarshal SMTP listed.

Note: The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q15595.

7.2.0 (August 15, 2013)

MM-1342 The Regular Expression engine (Boost) has been updated to version 1.4.2 in all areas of the product. Matching behavior is unchanged.
MM-2265 SpamCensor, SpamBotCensor, and Spam Category scores are available as variables for substitution.
MM-2350 Extraction of IP addresses from header lines could incorrectly include other strings in dotted format. This could result in false triggers on DNS Blacklists and country lookups. Fixed.
MM-2984 The SQM "latest blocked email" list (homepage) now includes the TO address.
MM-3547 The MMLViewer application now includes separate tabs for Connection, Content, and Delivery logs.
MM-3562 Unknown or blank Content Transfer Encoding strings are now handled more gracefully. For more details and available settings see Trustwave Knowledge Base article Q10166.
MM-3576 CSR and Private Key signing in the TLS wizard now uses stronger algorithms. Older deprecated algorithms are no longer available.
MM-3579 MailMarshal now passes tests for immunity to plaintext command injection in STARTTLS (CERT VU#555316) . Earlier releases were also immune through functionality not tested by commercial tests.
MM-3596 When unpacking fails, the detected type of file is logged in the Engine log.
MM-3599 Web components installation now enables IIS Static Content to ensure files such as stylesheets will be served.
MM-3735 Configuration can now be backed up automatically. By default configuration is backed up daily and backups are retained for a week.
MM-3738 Log messages relating to DBLog files (database logging from nodes) now include the file name for ease in debugging.
MM-3871 Small images are exempt from Image Analyzer processing. The default minimum size processed is 75x75 pixels. For details of how to adjust this value, see Trustwave Knowledge Base article Q14960.
MM-3881 When a message is received via TLS, the protocol version is recorded in the message envelope to enable further processing based on this value.
MM-3892 New Connection and Content Rule conditions are available to match the TLS protocol version used when receiving a message.
MM-3914 Sent History log files are compressed to save disk space. This change applies only to new files (upgrading does not compress existing files).
MM-4014 Running services from the command line with -debug did not log the verbose information seen in the command window to the text logs (for some services). Fixed.
MM-4036 Email viewed in the Console could be unpacked differently than during email processing, because custom file types were not applied in the Console unpacking. Fixed.
MM-4058 In some earlier versions the POP3 service would be started automatically at system restart even if not required, and could prevent configuration reload. Fixed.
MM-4071 Category script evaluation includes additional exception handling and logging.
MM-4083 Performing Manual Update of SpamCensor and other files did not set the correct reload or restart requests. Fixed.
MM-4084 In DOCX and PPTX files, edited or deleted text was not extracted correctly and was not correctly detected by TextCensor or Category Script regular expression matching. Fixed.
MM-4112 TLS Client Certificate checking for Common Name and Subject Alternative Name did not correctly handle wildcard certificates. Fixed.
MM-4136 The Credit Card category script and the associated default rule have been updated. See the upgrade notes above.
MM-4141 The MMLookup utility now accepts a parameter to clear the MailMarshal DNS cache (?clearcache)
MM-4187 For MailMarshal SPE installations, items with a null SMTP MAIL FROM are correctly processed.
MM-4193 Visual C runtime requirements have been consolidated or moved to newer versions.
MM-4200 Text was not correctly extracted from non-English Office 2003 documents. Fixed.
MM-4209 SPF checking could return an unexplained error after failing on a malformed record. Fixed: Items after an "all" terminator are discarded (a warning is logged). Additional details are logged.
MM-4213 Text was not correctly extracted from some complex Word documents containing Unicode text blocks of more than 1023 bytes. Fixed.
MM-4232 TextCensor can optionally log details of matched expressions to the Engine (Content Analysis) text log. See Trustwave Knowledge Base article Q15173.
MM-4234 The TextCensor matching engine can be updated automatically through the SpamCensor update function.
MM-4236 The Image Analyzer module has been updated to version 5.1.
MM-4237 Maintenance entitlement information is now retrieved through a web service and displayed in the Configurator and Console.
MM-4283 The SQM website could become unresponsive when handling messages with malformed "from" addresses. Fixed.
MM-4291 In version 7.1, domain-specific overrides for the {Administrator} and {ServerAddress} variables were not honored. Fixed.
MM-4296 The version of MSKaspersky.dll installed with MailMarshal was not the latest released version. Fixed.
MM-4304 Comparison of file names during configuration import was failing due to case sensitivity. Fixed.
MM-4308 In some 7.1 releases, Blended Threats provisioning was not storing retrieved credentials. Fixed.
MM-4311 Some duplicate expressions have been removed from TextCensor scripts.
MM-4313 Installation or upgrade now installs .NET Framework 3.5 SP1 as necessary.
MM-4314 The MailMarshal Support tool is now included in product installation.
MM-4323 Automatic message release could fail in some cases due to a corrupted release code caused by certain webmail clients and browsers. Fixed.
MM-4341 The version of MSKaspersky.dll included with the product is updated to 1.0.2.
MM-4347 SQM sessions with forms authentication did not expire after the configured period. Fixed.
MM-4351 A new option on the External Command Rule Action allows you to request repacking of a message (so that any changes made by the command will be included in the delivered message).
MM-4353 In version 7.1, calculation of the oldest message date could cause the array manager to stop. Fixed.
MM-4354 When upgrading to version 7.1, the prior version database log files with Blended Threats properties were not correctly processed (property id 3 does not exist). Fixed.
MM-4358 An obsolete column used by the old BTM functions was removed from the SQL database.
MM-4363 Blended Threats provisioning did not work correctly through certain proxies. Fixed.
MM-4364 Unpacking of PDF documents now times out after 4 minutes by default. The timeout can be adjusted using a Registry setting. See Knowledge Base article Q15160.
MM-4365 Security for the storage of passwords in SQM is enhanced.
MM-4366 A SQM page was vulnerable to arbitrary redirection. Fixed.
MM-4367 SQM did not clear session identifiers on logout. Fixed.
MM-4368 Blended Threats license provisioning is now checked immediately when a new license key is entered.
MM-4374 The Sync Tool creates a dump file if it encounters an unhandled exception.
MM-4375 The Sync Tool did not gracefully handle non-MML files in the quarantine folders. Fixed.
MM-4376 Server ID numbers are shown for each server in the lists in Configurator and Console.
MM-4377 Options for the command line ESET NOD32 virus scanner now match the syntax for NOD32 version 4. Note that if you have an earlier version of NOD32 you must upgrade NOD32 (strongly recommended) or manually reconfigure the settings.
MM-4383 Installation of SQM did not properly detect and use a pre-existing installation of .NET 4.5. Fixed.
MM-4394 Entry and validation of Blocked Hosts now supports network ranges in CIDR notation.
MM-4397 Certificate Signing Requests created by the TLS certificate wizard contained the local hostname or FQDN in the SAN field if no other SAN entries were specified. Fixed.
MM-4414 Database partitioning issues could cause the Array manager to be unable to start. Fixed. Note that this issue affects only SQL Server Enterprise installations.
MM-4423 Retrieval of CRLs used by the TLS functions now times out more quickly. Timeouts can be configured with Registry entries; see Knowledge Base article Q15590.
MM-4449 iCalendar message parts (MIME type text/calendar) were not correctly recognized and unpacked. Fixed.
MM-4452 TLS CRL retrieval attempted to retrieve CRLs from unsupported locations. Fixed: only HTTP and HTTPS locations are checked.
MM-4458 Logging of valid PTR checks has been enhanced.
MM-4462 When a configuration was imported from an installation with a different directory location, SpamCensor updates could retain entries for two sets of files. Fixed.
MM-4465 Sender IP address match ranges entered in previous versions could have invalid netmask entries. On upgrade these ranges will not be imported. IP ranges are now entered in CIDR notation.
MM-4485 Web Components installation did not correctly detect the presence of ASP.NET 4.5. Fixed.
MM-4501 If a TLS client certificates was expired or not yet valid, attempting to retrieve the CRL could cause the Receiver to fail. Fixed.
MM-4502 The date of expiration of the product maintenance contract is now displayed in the Console and Configurator.
MM-4518 The Social Security Number category script and the associated default rule have been updated. See the upgrade notes above. (December 5, 2012)

MM-4277 In earlier 7.1 releases, BTM Provisioning caused an automatic commit of configuration every 24 hours. Fixed: configuration is only committed when required. (November 20, 2012)

MM-2988 The Sophos for Marshal (MSSophos.dll) version included with MailMarshal has been updated to This version improves the behavior when updating the Sophos Engine under load.
MM-4252 Utilities that retrieve content using HTTPS did not properly release memory. Fixed.
MM-4255 The SecureTrust and Secure Global CA certificates are now installed to the Windows certificate store by the MailMarshal installation. These root certificates are used by Trustwave-issued SSL certificates and are not part of the default certificate set in some Windows releases.
MM-4259 The Blended Threats provisioning process did not correctly encode high order characters before submitting via HTTP. HTTP error 400 could be returned in some cases. Fixed.
MM-4265 The Blended Threats provisioning process did not succeed on servers with XSD validation enabled (the default setting for Windows 2003). Fixed. (September 17, 2012)

MM-1256 In earlier versions, restarting the Array Manager Service or the Array Manager server forced a restart of services and full refresh of configuration on all nodes. This behavior no longer applies. You can force a restart and refresh by clicking Force Configuration Reload on the Configurator Tools menu.
MM-1449 The minimum period for retention in Archive and Sent History folders is now 1 day. The default is now 7 days.
MM-2792 For MailMarshal SPE installations, the SSMURL setting (base URL of SQM) can be set for each customer.
MM-2899 SPF thresholds can be altered, if necessary, by setting Registry values. For details, see Trustwave Knowledge Base article Q14723.
MM-3139 A new Content Analysis Rule Condition is available to check whether or not a message was received over a SMTP Authenticated connection.
MM-3466 Some Excel 2007 (XLSX) files could take an hour or more to unpack due to inefficient XML parsing. Fixed.
MM-3583 In version 6.9 and above, sender logs were not available in the Console for "temporarily undeliverable" messages. Fixed.
MM-3760 In rare cases, a TEXT file could have been incorrectly identified as COM due to a buffer size issue. Fixed.
MM-3796 In versions 6.7 and above, SpamProfiler user group exclusions were not correctly applied at the receiver if the group was not used in another rule, and the User Group selected could be deleted even though it was used in policy. Fixed.
MM-3845 Client TLS certificates are supported for Inbound TLS.
MM-3901 The optional notification emails for automatic updates (SpamCensor updates) are now generated for failed updates as well as successful updates.
MM-3924 TLS negotiation could fail when using a chained certificate due to a problem with OpenSSL. Fixed by the change to OpenSSL1.0.0.
MM-3927 The stored procedure used to purge statistics data in version 6.9 was inefficient. Fixed. Note that on upgrade, irrelevant old records are purged and a SQL table is re-indexed.
MM-3929 In some earlier versions the SQM "maximum blocked mail displayed" setting was not correctly applied. Fixed.
MM-3950 In rare cases, a multi-part MIME message would not be properly unpacked due to a weakly formatted boundary line. Fixed.
MM-3952 Older archived messages might not be shown in the Console if the retention time setting was extended. Fixed.
MM-3955 In the TLS Certificate Wizard, the Key Length field could be edited to include inappropriate characters. Fixed.
MM-3956 Upgrading removes rule conditions and files used by the previous version of the Blended Threats Module.
MM-3960 In the TLS Certificate Wizard, when importing a signed certificate, the password text was not obscured. Fixed.
MM-3961 In version 7.0, service text logs showed false "invalid file" errors for deadletter folders. Fixed.
MM-3962 In version 7.0, some entries in the Controller text log did not display the names of dead letter folders. Fixed.
MM-3963 Logs now include information about the MailMarshal version at the beginning of processing for each service for each message.
MM-3967 In some earlier versions, the rule print output displayed some HTML tags in the text. Fixed.
MM-3977 The Engine rewrites URLs in messages bodies as required for the new BTM rule action, including obfuscated URLs.
MM-4005 In some cases where an attachment was an Office 2003 document containing an embedded Office 2007/2010 document, the message was deadlettered due to an unpacking problem. Fixed.
MM-4013 In version 6.9.5 and above, processing logs were not appended to the "report as spam/not spam" information. Fixed.
MM-4015 Global exclusions to BTM rewriting are remotely updated through the automatic update service (SpamCensor updates).
MM-4018 TextCensor scanning was applied to the top level of Office 2007 documents, resulting in false positives. Fixed: for these documents, TextCensor now applies only to extracted text.
MM-4024 For MailMarshal SPE installations, the array delivery override setting was not being applied. Fixed.
MM-4033 The product End User License Agreement has been updated.
MM-4037 The MailMarshal installer recognizes and supports SQL Server 2012 and SQL Express 2012.
MM-4039 The MailMarshal product works with SQL Server 2012 and SQL Express 2012.
MM-4051 The EMF unpacker caused a fault in the Engine service when unpacking items with zero size. Fixed.
MM-4052 The OpenSSL library that MailMarshal uses has been updated to version 1.0.0i.
MM-4107 The selected TLS Certificate Validation options are more clearly presented in the rule summary.
MM-4111 TLS Certificate Validation can be configured to access any required Windows certificate stores. Frequently used stores are used by default.
MM-4113 TLS Certificate Validation can save certificate information to disk for debugging.
MM-4137 The version of Libtet (PDF unpacking) that is included in the installation has been updated to 4.1.0.
MM-4140 For MailMarshal SPE installations, a Local Domain could not be re-used if moved to another array, re-created, or disabled and enabled. Fixed.
MM-4158 In some cases content extracted from Office documents was incorrectly identified as EMF instead of WMF, resulting in a dead lettered message. Fixed. (June 8, 2012) (SPE Only)

MM-4091 For MailMarshal SPE installations, messages between customers hosted on the same array were not always handled correctly. Fixed.
MM-4092 For MailMarshal SPE installations, an incorrect SMTP verb was sent to non-SPE servers, causing messages to be rejected. Fixed. (March 13, 2012) (SPE Only)

MM-3969 During installation of MailMarshal or Web Components, prerequisite detection failed if a newer version of Visual C++ 2010 runtimes were already installed. Fixed.
MM-3972 On upgrade to 7.0.0, an incorrect error displayed when no WMI dependent services needed to be stopped. Fixed.
MM-3978 In version 7.0.0, lines in the Receiver log file were double-spaced. Fixed.
MM-3980 In version 6.9 and above, PDF attachments with Unicode characters in the filename were not unpacked and scanned. Fixed. (February 7, 2012) (SPE Only)

MM-157 TLS certificate creation now supports Subject Alternative Names.
MM-1603 Rule printing output was not correctly escaping HTML. Fixed.
MM-1633 Connection and Content Analysis rules now include TLS properties criteria.
MM-1688 Connection and Content Analysis rules now include a "Received via TLS" condition.
MM-1928 Setting content size or count rule conditions to 0 caused the Engine to stop. Fixed.
MM-2328 The OpenSSL library that MailMarshal uses has been updated to version 1.0.0e.
MM-2544 Initial changes have been made to support IPv6 in a future release. (No IPv6 functionality is available for use in this release.)
MM-2783 Outbound TLS is enabled by default for new installations.
MM-3120 The SMTP Authentication username (if any) is logged to the Receiver and Engine text logs.
MM-3276 The installer logic to stop and re-start the WMI service has been improved.
MM-3635 Dead Letter rules now allow the Send mail template notification action.
MM-3650 Messages that would have been deadlettered with "too many lines before boundary" are now unpacked and the pre-boundary material is scanned as text. The registry entry for MaxPreBoundaryLines is irrelevant and is removed on upgrade.
MM-3651 Dead Letter rule actions were not applied correctly where different actions were required for different recipients. Fixed.
MM-3694 The default Receiver Socket Timeout (SMTP transmission timeout) has been changed to 30 seconds (was 300 seconds).
MM-3726 The SpamProfiler cartridge has been updated to version 3051.
MM-3750 Outbound TLS can be configured to offer a client certificate if requested.
MM-3756 The product is rebranded as M86 MailMarshal SEG.
MM-3779 Database upgrade now checks for pre-existing customer created objects with the same name as objects that would be created.
MM-3797 Retrieval of User Group information from the Array Manager to processing servers could cause performance issues when used over slow WAN links. Fixed.
MM-3799 Dead Letter rules now allow the Delete action.
MM-3800 Dead Letter rules now allow the BCC action.
MM-3801 Dead Letter rules now allow the Set Message Routing to Host action.
MM-3802 Dead Letter rules now allow the Write log message with classification action.
MM-3813 It is now possible to specify that message delay notifications should be sent externally. See Trustwave Knowledge Base article Q14383.
MM-3819 Dead Letter rules now allow the Where detected as spam by SpamProfiler condition.
MM-3822 Dead Letter rules now allow the Move to folder action.
MM-3850 More detailed debugging information about SpamProfiler classification is included in message log files.
MM-3870 Unpacking and file type functionality can now be updated automatically, using the same Internet update functions used for SpamCensor.
MM-3872 Setting count rule conditions to "less than 0" was allowed by the Configurator. Fixed.
MM-3954 In version 6.9, MailMarshal rejected messages when the local part of the email address was longer than the RFC length of 64 characters. This restriction is now disabled by default. To enforce the restriction, contact Trustwave Support for details of a registry entry. (January 17, 2012)

MM-3904 DOC files with poor formatting in the User Summary Info area can cause MailMarshal services to stop. If you encounter this issue, please contact Trustwave Support for details of a setting to skip processing of this part of documents.
MM-3907 Sent History retention cannot be set to less than one month. If Sent History items are consuming excessive disk resource, please contact Trustwave Support for details of additional options.
MM-3909 In earlier 6.9 versions, messages with invalid envelope information were not properly deadlettered. Fixed.
MM-3911 Unpacking of certain poorly formatted PDF files can fail. If you encounter this issue, please contact Trustwave Support for details of additional options.
MM-3912 Word documents with null fields in Document Summary Info could cause the Engine to stop. Fixed.
MM-3913 Certain Word documents with invalid document summary information were incorrectly deadlettered. Fixed.
MM-3918 It is now possible to specify that message delay notifications should be sent externally. See Trustwave Knowledge Base article Q14383. (November 3, 2011)

MM-3755 Messages with attached Office 2003 documents that contained embedded Office 2007/2010 documents were deadlettered. Fixed.
MM-3855 In 6.9.7, specific formatting in OLE document summary information could cause messages to be incorrectly deadlettered. Viewing these messages in the Console could cause additional problems. Fixed. (October 18, 2011)

MM-3770 Upgrade now provides more user friendly information about status during database upgrade.
MM-3771 Upgrade now provides more user friendly information about status while calculating time required for database upgrade.
MM-3816 In 6.9.6, the Web Console could return an error for non-administrative users under Windows Authentication. Fixed.
MM-3817 In 6.9.6, OLE documents with document summary information over a certain length could cause the Engine to stop. Fixed.
MM-3818 In 6.9.6, unpacking of OLE data from Excel files could cause the Engine to stop in specific cases. Fixed.
MM-3836 In 6.9.6, checking of mailbox name length could return an incorrect result for some cases using ESMTP extensions. Fixed.
MM-3844 In 6.9.6, warning messages generated during PDF unpacking were not handled correctly in some cases. Fixed: The affected documents are unpacked and scanned. Any warnings concerning embedded content (such as images in unsupported formats) are logged to the Engine text logfile. (September 7, 2011)

MM-108 Many images are now extracted from PDF documents.
MM-1483 Help and header text for the Rule Profiler function has been added to mmlookup.exe.
MM-1567 PDF unpacking now handles Unicode.
MM-2236 Some PDF files caused recursion in the Engine and could not be unpacked. Fixed.
MM-2363 The version of 7zip (archive unpacker) included with MailMarshal has been updated to 9.20. This version handles additional compression formats.
MM-2834 PDF files with limitations on printing and other functions were incorrectly identified as Encrypted PDF. Fixed.
MM-2837 Image Analyzer has been updated to version 5.
MM-2859 Binary files are now better recognized as type COM or EXE.
MM-2977 PDF Xref detection is improved.
MM-3332 Receiver, Engine, and Sender logs for each message are now stored in the message file. The Console message viewer displays the available information in separate tabs. Message log information for items that have been successfully delivered is now retained in a reserved folder named "Sent History."
MM-3339 Messages to be sent over TLS were not properly retried after temporary failure. Fixed.
MM-3366 The Receiver service could incorrectly detect that the mailbox name was too long (more than 255 characters). Fixed.
MM-3367 Certain Office 2007 documents were not recognized due to internal structure. Fixed.
MM-3387 SQL code for database creation and upgrade is now within a transaction to allow easier rollback if problems are encountered.
MM-3405 MailMarshal Sender throughput has been enhanced with increased buffer sizes.
MM-3406 MailMarshal Receiver throughput has been enhanced with increased buffer sizes.
MM-3410 DBlog files now correctly handle larger content.
MM-3419 Office 2007 files generated through the OpenXML SDK were not correctly unpacked. Fixed.
MM-3422 PDF unpacking has been improved, notably for Unicode and some encodings of images.
MM-3427 The MailMarshal database now supports index partitioning if installed on SQL Server Enterprise Edition (for new databases only).
MM-3431 Database and processing enhancements have been made to support MailMarshal SPE with multiple customers.
MM-3456 User Defined and custom document properties are now unpacked and scanned in Word 2003 and Word 2007 documents.
MM-3472 The Server Tool now checks the validity of the configured database on startup (this allows the database to be re-created when the SQL server has been rebuilt).
MM-3494 Word documents encrypted with IRM in Word 2007 (2003 compatibility mode) were deadlettered. Fixed: these documents are correctly recognized.
MM-3495 The minimum version allowed for upgrade is 6.5.1.
MM-3513 Messages quarantined with a default release action of "skip remaining rules" were not reprocessed as requested upon release. Fixed.
MM-3514 Console Dashboard data was never purged from the database. Fixed.
MM-3536 TLS now allows selection of a minimum cipher strength for inbound and outbound connections.
MM-3538 The certificate used to sign executable files has been updated.
MM-3539 The message parking feature logged redundant messages when a message was unparked. Fixed.
MM-3550 Logging of low disk space warnings has been enhanced for readability.
MM-3551 The Array Manager could stop unexpectedly if a new database was created and configuration was not synchronized. Fixed.
MM-3553 Routing enhancements have been made to support MailMarshal SPE with multiple customers.
MM-3582 A full BTM database update could stop message processing for a significant time. Fixed.
MM-3598 PDF unpacking has been enhanced. Images, attachments, and annotations are unpacked.
MM-3604 Deadlettered messages can be passed through to users by rule action.
MM-3611 Sender and Recipient IP addresses could be logged incorrectly (with reversed octets). Fixed.
MM-3612 The integration with Norman Endpoint Protection is updated.
MM-3613 Retention and permissions for Deadletter folders are now set through the Configurator.
MM-3622 Receiver rules with the message size conditions "equal to" and "not equal to" caused the receiver to fail. Fixed.
MM-3628 EMF files are now correctly unpacked and the contents are scanned. See also MM-3725.
MM-3634 New database objects are included to summarize traffic data for MailMarshal SPE installations.
MM-3649 Additional logging has been added in the Engine service for Dead Letter rule processing.
MM-3676 Configuration of the Marshal IP Reputation Service was invalidated when another Reputation Service was configured. Fixed.
MM-3684 Error messages logged to the Event Log could cause issues due to recursive substitution of variables. Fixed.
MM-3691 BTM updates could prevent reloading of configuration at the Engine. Fixed.
MM-3696 PDF unpacking has been improved. Incorrect character strings are no longer present.
MM-3697 PDF unpacking now supports "linearized" PDF.
MM-3699 Selecting the default message digest template for new digests loaded additional incorrect characters. Fixed.
MM-3705 The Console and Configurator now use the terms "Connection Policy" or "Connection Log", "Content Analysis Policy" or "Content Analysis Log," and "Delivery Log".
MM-3712 A more descriptive logging message is written by the Array Manager on shutdown when the SQL database is unavailable.
MM-3722 The Sender would stop in the unlikely event that no route at all could be found for a message. Fixed.
MM-3725 Files unpacked from EMF files (MM-3628) are only saved and scanned if they are of a recognized type. Type BIN (unknown) files are not saved. (November 16, 2010)

MM-3330 The Receiver service could stop if it encountered to a RPC exception while attempting to log Receiver Rule entries. Fixed.
MM-3342 The Controller service could stop due to a problem with the Group Manager function. Fixed.
MM-3415 The Route to host function failed for messages with more than 127 recipients. Fixed.
MM-3420 SPF evaluation could cause a service failure while evaluating certain malformed SPF redirects. Fixed.
MM-3424 Deleted text (tagged w:delText) was not extracted from Office 2007 documents and could not be scanned. Fixed.
MM-3442 A vulnerability was identified in the SQM website code that could potentially allow inappropriate access to some information. Fixed.
MM-3452 Reloading configuration under very heavy load could cause a deadlock condition and processing services could stop responding. Fixed.
MM-3453 SpamCensor, BTM, and Console RSS updates could fail through some firewalls due to wrongly formatted HTTP request headers. Fixed.
MM-3465 Some SPF related updates in earlier releases were not applied to code used by the Engine. The related Release History items are MM-2228, MM-2676, MM-3116, and MM-3138. Fixed. (June 3, 2010)

MM-3363 The Array Manager did not correctly use the Windows authentication credential entered in Server Tool. Fixed.
MM-3365 In version 6.8, when a message was split for sending due to a large number of recipients, sending for additional groups of recipients was delayed. Fixed.
MM-3368 The default rule "Attachment Management (Outbound): Park Large Files for Later Delivery" was not updated with the new release action parameter in version 6.7. This could cause the engine to stop. Fixed.
MM-3369 Database names were not correctly escaped in all cases. This problem could result in inability to connect to a database with a name containing characters other than a-z and 0-9. Fixed.
MM-3377 The Array Manager did not correctly return the date of a message when queried by MailMarshal SPE. Fixed.
MM-3379 Database upgrade from version 6.4 to 6.8 could time out. Fixed. The problem could also be worked around by upgrading to version 6.7 and then to 6.8.
MM-3380 Upgrade did not correctly use port numbers in the connection string when connecting to SQL. Fixed.
MM-3385 In MailMarshal 6.8.2, SpamCensor processed message components in an incorrect order, and results could differ from other versions. Fixed. (April 27, 2010)

MM-333 Console day folder display and digest generation were affected by Daylight Saving changes in a few cases. Fixed.
MM-558 Users can add email addresses to the Safe Senders list when releasing a message from a digest. The administrator can enable or disable this feature.
MM-601 The registry location for MailMarshal is now HKEY_LOCAL_MACHINE\SOFTWARE\Marshal. Upgrading moves the registry hive.
MM-809 The GetVersion stored procedure now has public execute rights to allow non-administrators to connect from the reporting console.
MM-1327 End-user whitelists and blacklists were not correctly updated if system times differed between the Array Manager and nodes. Fixed.
MM-1790 Many issues with updates through proxy have been resolved. See MM-2273. Updates affected include SpamCensor, BTM, and RSS feeds.
MM-1839 The Array Manager could stop if the SQL Server was slow to start during system startup. Fixed.
MM-2273 Web updates now use libcurl (instead of the deprecated Microsoft component WinInet).
MM-2450 End user whitelist and blacklist information was updated inefficiently, which could affect performance with large sets. Fixed.
MM-2501 The Receiver service could fail during shutdown in some cases. Fixed.
MM-2575 In some earlier versions, using a database with case-sensitive settings caused errors. Fixed.
MM-2726 Group reload times can now be specified (with a Registry entry).
MM-2727 LDAP and AD user group names could not be entered in the Configurator by typing. Fixed.
MM-2730 When a sending route is available but some messages are being refused with 400 level responses, the particular messages are now retried less often to save MailMarshal processing effort.
MM-2776 The MailMarshal Engine could stop unexpectedly while committing configuration under heavy load with McAfee virus scanning enabled. Fixed.
MM-2807 The installation package has been updated to SQL 2008 Express SP1.
MM-2840 Obsolete command line virus scanners McAfee NetShield and Vet NT 10.x have been removed from the selection list. The scanners continue to work if installed.
MM-2975 Transmission of log files from the Controller to the Array Manager has been made more efficient.
MM-3003 The Web Components installer did not check for all IIS prerequisites on some operating systems. Fixed.
MM-3011 The version of MSSavi.DLL included with MailMarshal has been updated to
MM-3013 MailMarshal now unpacks ISO image files.
MM-3010 IP addresses could be shown reversed in results of database queries. Fixed.
MM-3024 MailMarshal now supports installation on Windows 7, including Windows 7 Logo certification.
MM-3043 Logging by the Array Manager Spam RPC interface has been improved.
MM-3049 Certain PDF files caused an error in processing. Fixed.
MM-3055 The product has been rebranded for M86 Security.
MM-3064 Deleting all policy groups and creating a new one caused the Configurator to fail. Fixed.
MM-3066 DNS Blacklist rules could cause processing delays if the DNS server was unavailable. DNSBL requests are now cached separately from delivery requests to enhance performance.
MM-3067 Upgrade did not correctly handle LDAP groups used in the SpamProfiler Receiver exclusions. Fixed.
MM-3068 No Reputation Service entries could be created when using a Temporary key. Fixed: this restriction now only applies to the Marshal IP Reputation Service, by design.
MM-3070 The administrator can now allow end users to subscribe and unsubscribe from digests.
MM-3072 The Blended Threats Module has been updated with new rule conditions and a "hold queue" action.
MM-3073 Many improvements have been made to SQL support, including support for instances, support for Windows authentication, and assignment of user rights.
MM-3074 The Marshal IP Reputation Service "Test" button could return incorrect results depending on the response from DNS name servers. Fixed.
MM-3075 Sophos Anti-Virus (not Sophos for Marshal) could return "Not enough storage is available to complete this operation" on configuration commit. Fixed.
MM-3076 The MailMarshal Today page now provides summary information  for a user selectable time period and is renamed the Dashboard.
MM-3095 BTM updates could cause the MailMarshal Engine to stop due to a database exception. Fixed.
MM-3096 The Server Tool has been improved.
MM-3110 Submitting a message to M86 as spam or not spam from the Console now submits the message log as well as the message.
MM-3116 SPF evaluation did not correctly check PTR domains. Fixed.
MM-3135 Certain malformed TNEF files caused an error in processing. Fixed: These files are deadlettered.
MM-3138 SPF evaluation could fail in rare cases due to an issue with timeout evaluation. Fixed.
MM-3141 Certain PDF files caused an error in processing. Fixed.
MM-3147 IP group updates did not occur unless configuration was reloaded. Fixed. Also, reload times can now be specified (with a Registry entry).
MM-3165 After upgrading to version 6.7, some messages quarantined before the upgrade could not be released using the Console due to a change in message release handling. Fixed.
MM-3166 Certain PDF files caused an error in processing due to invalid paths in embedded files. Fixed.
MM-3205 The BTM status display in Configurator and Console did not show "out of date" while the initial database download was in progress. Fixed.
MM-3208 Some Configurator dialogs did not display toolbars correctly with some display themes. Fixed.
MM-3214 In version 6.7, the option "override default folder security" was selected by default for all folders. Fixed: this option is selected by default only for folders that may contain dangerous items (to avoid accidental release of these items).
MM-3270 Users imported with Group File Import tool were marked as "never seen" for pruning. Fixed: Imported users are now marked as "Seen today."
MM-3271 Partial message bodies shown in digests were not properly escaped or encoded. Fixed.
MM-3301 The Web Components installer now allows installation on Windows Server 2008, Web edition.
MM-3328 Unpacking of large Excel files could use excessive memory. Fixed.
MM-3344 The "Archive messages visible for..." setting did not apply in all locations within the Console. Fixed.
MM-3348 The Message Release external command did not work for nodes with ID greater than 9. Fixed. (November 2, 2009)

MM-466 SpamCensor now checks attached email messages as well as the top level message.
MM-1664 User groups can be "pruned" of entries that have not matched recently.
MM-1675 The MMC "export list" functionality now works in the Console message search window.
MM-1763 The SQM website can now authenticate users in multiple AD domains.  For details, see Knowledge Base article Q12902.
MM-1774 When a key request is submitted, MailMarshal opens a webpage providing more information about the key request process.
MM-1799 Some Excel 2007 documents saved in Excel 2003 format were detected as type OLE. Fixed.
MM-2010 Image Analyzer could return different scores for the same image. Fixed.
MM-2028 From and Recipient IP addresses are now included in the message record in the database.
MM-2060 Unpacking of OpenOffice file types has been validated.
MM-2299 SQM website searching on "From" addresses has been improved.
MM-2128 MailMarshal now correctly detects Microsoft Document Imaging (MDI) files.
MM-2314 Web installer and CD-Rom autorun packages are now digitally signed.
MM-2395 Watermark text is now extracted from many Microsoft Office files including Word 2003 and 2007, PowerPoint 2003 and 2007, and Word XML formatted files.
MM-2440 Message purging performance has been significantly improved for large installations with long archive retention.
MM-2441 SMTP response text returned by the Receiver can now be customized. For details, see Knowledge Base article Q12897.
MM-2482 The default retention period for new Archive folders is now 3 months.
MM-2487 User groups can be searched for an email address.
MM-2525 Web Components did not function correctly on SBS2008. Fixed.
MM-2560 Emptying the Console Mail Recycle Bin did not delete all physical files. Fixed. Note that the fix only corrects the deletion behavior. Earlier files must be removed manually.
MM-2571 Installation now checks for supported SQL service pack as well as major version.
MM-2588 An updated Quarantine Sync tool is provided with the product installation.
MM-2590 The SQM website now provides users the option to receive or not receive digests (if enabled by the administrator).
MM-2595 Configuration commits can now be scheduled through the Configurator | Server Properties.
MM-2612 When the SQM website connects to a different version Array Manager, the message returned to the web user is now informative.
MM-2640 MailMarshal expected a specific, older version of MSXML. Fixed.
MM-2643 Unpacking of BinHEX files has been improved.
MM-2652 The SpamProfiler registry settings were not correctly updated during upgrade from 6.4. Fixed.
MM-2662 In the Web Admin Console, Mail History and Folder searches only returned the first page of results. Fixed.
MM-2669 When a user group was renamed in the Configurator, the name was not updated in the rule wizard display. This was a display issue only. Fixed.
MM-2672 The Sender could consume all threads delivering a single message to many domains. Fixed: a maximum of 10 concurrent threads will be used for each message.
MM-2673 Default thread counts for "small" and "large" sites have been increased. Upgrading does not change existing settings.
MM-2676 The Receiver service could stop unexpected due to an error in the SPF evaluation. Fixed.
MM-2689 The ability to add file fingerprints from the Console has been reinstated. The feature can be enabled for specific folders.
MM-2694 Creating an account with a password over 60 characters caused the Configurator to fail. Fixed: a limit of 100 characters is supported and enforced.
MM-2706 Certain binary files were incorrectly recognized as type ARJ. Fixed.
MM-2707 File type identification now includes separate types for web form text and web form binary data.
MM-2708 Multiple local domain and default route entries could be added to a routing table. Fixed. For upgraded installations, the Configurator enforces a single entry when the routing table is edited.
MM-2712 Messages with MIME content-type fields spanning thousands of lines could cause the MailMarshal Engine to fail. Fixed.
MM-2713 SpamProfiler updates could fail due to a download timeout, particularly if the update was started manually. Fixed.
MM-2718 SpamCensor can now scan MIME headers for all parts of a message.
MM-2719 SpamProfiler cartridge version 3050 is included in the product installation.
MM-2728 File type identification has been improved for Word 6 and Word Document with IRM types.
MM-2750 Configuration reload status now displays in the MMC status bar (lower right).
MM-2760 Certain Excel 2007 files caused the MailMarshal Engine to fail during unpacking. Fixed.
MM-2789 Upgrading the database from version 6.5.4 or below could fail due to the database update script attempting to drop a non-existent property. Fixed.
MM-2795 In some earlier versions, attachments with filenames in Arabic caused message to be deadlettered. Fixed.
MM-2803 In version 6.5.4, when the DNS server was not contactable, messages were returned instead of being queued. Fixed.
MM-2818 Handling of bare LF characters at the end of messages by the Sender has been corrected.
MM-2819 Handling of bare LF characters by the Receiver has been corrected.
MM-2820 The Sender now delivers the oldest untried messages for a route first.
MM-2821 The Sender now limits thread usage so that no one type of delivery can consume all available threads. The delivery types are new messages, deferred messages, DNS routes, and static routes.
MM-2822 A DNS lookup that returned "no data" resulted in the message being retried. Fixed: the message is now marked as undeliverable.
MM-2823 PDF unpacking is now more robust when unpacking malformed attachments.
MM-2826 SpamProfiler scores are now logged to text logs as with SpamCensor scores.
MM-2857 SpamProfiler has been moved out of the Receiver process for reliability.
MM-2867 A new Upgrade Tasks page is included in the Configurator.
MM-2879 The default SpamProfiler threshold is now >99 (was >95).
MM-2913 Visual C++ redistributable versions included in the installer have been updated.
MM-2922 The version of MSSavi.DLL included with MailMarshal has been updated to This DLL resolves issues with Sophos engine updates while under load.
MM-2960 Configuration changes have been made to improve compatibility of the Web Components with SBS2008 and Windows 2008 64 bit editions. Additional manual changes may be required. For details, see Knowledge Base article Q12671.
MM-2964 The MailMarshal engine could fail while unpacking specific embedded PDF files. Fixed.
MM-2986 The default SMTP response when a message is refused at the Receiver due to SpamProfiler evaluation has been improved. The new text is: 550 Message refused by MailMarshal SpamProfiler.
MM-3036 Key requests did not include information about some additional items enabled by the existing key. Fixed.
MM-3037 The SQM website might not show the latest messages on the main page, because the user last logged in time was not always set correctly. Fixed.
MM-3045 When multiple virus scanners were in use, a virus could be undetected if the first scanner invoked did not detect it. Fixed.

To review Release History prior to version 6.7, please see the Release Notes for the specific versions.

Legal Notice

Copyright © 2013 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained from Trustwave Knowledge Base article Q14535.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave®

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit