Licensing of S/MIME gateway option
At the request of many of our customers we changed the licensing of the S/MIME gateway. It is now no longer licensed by user
count but by the number of S/MIME keys. No license is required for S/MIME keys used as domain certificates (see next section).
New S/MIME gateway features
The S/MIME gateway now supports the non-standardized concept of domain certificates. This feature can be used for free on almost
all systems (exception: licenses without mail option like Enterprise VPN or Enterprise Proxy). With domain certificates, the
S/MIME communication with specific peers is protected by a single S/MIME certificate for the whole domain instead of one certificate
per email address. It is even possible to use the certificate of an internal CA. The peers however have to use S/MIME software
which supports this concept and set it up accordingly.
It is no longer necessary to add users when the S/MIME gateway is used in combination with an internal mail server. For internal
mail servers that guarantee correct sender addresses, a separate list with corresponding S/MIME keys is now maintained.
In the user administration you can now configure multiple S/MIME keys per user. When signing outbound emails the system will
automatically select the matching key.
In previous releases it was possible to add multiple keys per user to decrypt inbound emails which had been encrypted with
an old key. This functionality is now provided by the keyring (see next section).
Backup when updating a key-pair in the keyring
When changing a key-pair in the keyring, a backup of the previous key-pair is kept on the device.
The S/MIME gateway uses backup keys to decrypt emails which have been encrypted with the old key during a key rollover phase.
Removal of expired entries in DNS IP objects
The default setting for deleting expired entries in DNS IP objects has been changed from "immediately" to "after 6 hours".
This prevents permanent service restarts if DNS entries change after a few minutes or even seconds. The update will automatically
alter the configuration of all IP objects that are set to remove expired entries "immediately".
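The effect of the two settings can be shown with a small model. This is an added example, not code from the product: the DnsIpObject class, the 30-second TTL, the round-robin answers and the rule that every change of the address set causes one service restart are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: documentation addresses (RFC 5737) that a
# hypothetical hostname hands out one at a time, round-robin.
ROTATION = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
SIX_HOURS = 6 * 3600


@dataclass
class DnsIpObject:
    """Toy model of a DNS IP object (not the product's implementation)."""
    retention: int                                # seconds kept after TTL expiry
    entries: dict = field(default_factory=dict)   # address -> TTL expiry time
    changes: int = 0                              # changes of the address set

    def update(self, now, answers, ttl):
        before = set(self.entries)
        for ip in answers:                        # add or refresh resolved addresses
            self.entries[ip] = now + ttl
        # Drop addresses whose TTL plus retention period has elapsed.
        self.entries = {ip: exp for ip, exp in self.entries.items()
                        if now < exp + self.retention}
        if set(self.entries) != before:
            self.changes += 1                     # assumption: one restart per change
        return set(self.entries)


def simulate(retention, ttl=30, duration=3600):
    """Resolve once per TTL for `duration` seconds; each answer is one address."""
    obj = DnsIpObject(retention)
    for i, now in enumerate(range(0, duration, ttl)):
        obj.update(now, [ROTATION[i % len(ROTATION)]], ttl)
    return obj


if __name__ == "__main__":
    for label, retention in (("immediately", 0), ("after 6 hours", SIX_HOURS)):
        obj = simulate(retention)
        print(f"{label:>13}: {obj.changes} changes, {len(obj.entries)} addresses held")
```

In this model a withdrawn address stays in the object until its TTL plus the retention period has elapsed, so rules that reference the object keep matching that address for that long.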
Let's Encrypt certificates
The Let's Encrypt client now uses the ACMEv2 protocol.
DHCP relay server
On all Ethernet and VLAN interfaces the device can now act as a DHCP relay server, forwarding requests from clients to a DHCP
server in a different network.
Endless loop when viewing IPsec log
In most IPsec log lines there's a link which opens an extra window to show all lines associated with the same connection.
This extra window caused an endless loop, resulting in permanent high system load.
Minor bugfixes and improvements