Last Revision: November 29, 2023
The information in this document is current as of the date of publication. To check for any later information about this release, please see Trustwave Knowledge Base article Q21180.
For the latest product documentation, please see the Trustwave SPE Support website: https://support.trustwave.com/Trustwave-SPE/.
New Features
System Requirements
Upgrade Instructions
Uninstalling
Release History
For more information about additional minor features and bug fixes, see the release history.
For feature enhancements in earlier releases, please refer to the Release Notes for the specific release.
Trustwave SPE 4.3.5 requires you to install the latest Trustwave SEG 8.3 release (8.3.2 or later; please see Trustwave Knowledge Base article Q21180 for the most current information).
For a detailed list of requirements, see the Administrator Guide. Note in particular:
This release supports direct upgrade from version 4.3.0 and above. To upgrade from earlier released versions, first upgrade the earlier version to at least version 4.3.0 (for details, see the release notes for version 4.3.0).
Before upgrading, review the upgrade notes (below) for all versions later than the version you are upgrading from. Check system requirements.
To upgrade from version 4.3.0 or above:
Note: For more details of recommended steps, see Trustwave Knowledge Base article 12201.
To upgrade the Connector Agent at customer sites, run the Connector Agent installer on each Customer server.
Note: Be sure to review upgrade notes for all versions later than the installed version!
For upgrade notes affecting earlier releases, please refer to the Release Notes for the specific release.
For full details of the uninstall process, see the Administrator Guide. In general, uninstallation can be completed as follows:
Uninstallation leaves Trustwave SEG servers and databases intact. However, the configuration left in place may not be suitable for use outside the Trustwave SPE environment.
The following items have been changed or updated in the specific build versions of Trustwave SPE listed. To check for any later information about the current release, please see Trustwave Knowledge Base article Q21180.
Note: For additional information about changed items, review the Release Notes for your installed version of Trustwave SEG.
| SPE-6420 | Documentation for the REST API is provided as web help and a PDF document. |
| SPE-6820 | The product installer did not detect the fact that product services were stopped. Fixed. |
| SPE-6859 | SQM users created from SSO were assigned an incorrect timezone. Fixed. |
| SPE-6860 | SQM SSO did not support IdP initiated login. Fixed. |
| SPE-6889 | The included versions of .NET and other runtime prerequisites are updated. |
| SPE-6892 | On initial configuration, the Site Admin email was not saved. Fixed. |
| SPE-6895 | The admin page for customer Themes is removed. This feature is no longer supported. |
| SPE-6896 | The customer Notification pop-up did not display if a custom landing page was set. Fixed. |
| SPE-6897 | In HTML editors, the word "Start" in text caused validation errors. Fixed. |
| SPE-6906 | The setting for disallowing customer use of the global Syslog server was not honored. Fixed. |
| SPE-6907 | Customer Console SSO did not support IdP initiated login. Fixed. |
| SPE-6931 | Database connection strings now include the application name. |
| SPE-6936 | Searching Message History for all Deadletters did not return all results on a busy system. Fixed. |
| SPE-6937 | Setting Relay Groups for a customer from the customer detail page was not audited. Fixed. |
| SPE-6939 | The list of domains requiring outbound TLS did not allow wildcard entries. Fixed. |
| SPE-6943 | When logging in to the Customer Console with SSO, the selection of landing page was not honored. Fixed. |
| SPE-6944 | Customer Single Sign On now requires a Partner Certificate to be uploaded and performs additional security checks on the SAML response. |
| SPE-6946 | Administrator editing of customer logins reset the theme to Light. Fixed. |
| SPE-6948 | Updating a SQM user profile when SSO was enabled removed any previous password. Fixed. |
| SPE-6949 | Configuration changes were not replicated in some cases, especially if "permanent reload" was selected. Fixed. |
| SPE-6950 | The list of domains requiring outbound TLS could be updated if the feature was disabled. Fixed: to avoid any confusion the list is disabled if the feature is disabled. |
| SPE-6951 | When a Customer inherited Customer Group membership through their Reseller, this could not be altered. Fixed - Service Provider users can update the groups for these customers. |
| SPE-6955 | An option to require new customers to accept a EULA is available. |
| SPE-5036 | The Reseller Reference field allows longer values. |
| SPE-5540 | SQM processing of release requests has been improved to allow releasing from template messages. |
| SPE-6456 | In the customer console message search, submenus for Deadletter types did not show correctly. Fixed. |
| SPE-6683 | In the customer console SQM logins view, editing a record did not correctly populate the domain menu. Fixed. |
| SPE-6709 | The virtual directory for SQM now follows the setting made in the Admin view of the Console. |
| SPE-6723 | Enabling Syslog caused unnecessary service restarts. Fixed. |
| SPE-6725 | In earlier 4.3.x releases, the "show notifications" profile option displayed for administrative users that never see the Notifications. Fixed. |
| SPE-6728 | The installed product contained unnecessary localization folders. Fixed. |
| SPE-6747 | Reseller login domains are now appended with
.reseller to avoid conflict with customer logins. |
| SPE-6767 | Syslog now supports TCP delivery over TLS. |
| SPE-6781 | Customers can manage DKIM keys for their domains. |
| SPE-6803 | Customers can add, manage, and delete domains from their configuration. |
| SPE-6813 | SQM message viewer returned an error when retrieving details for a message with no body part. Fixed. |
| SPE-6817 | The system Admin login cannot be made read-only. |
| SPE-6843 | The database table for safe and blocked senders now provides the dated added for each entry. |
| SPE-6847 | Domain editing in admin and reseller consoles now shows the "pending verification" state as appropriate. |
| SPE-6857 | SQM SSO logins failed if the user display name was not populated. Fixed: If a display name is not supplied in SSO, the local part of the username is used. |
| SPE-6853 | Customers can enable DMARC processing for their domains. |
| SPE-4871 | CSV export of Reports such as Reseller Detail did not correctly present arrays or lists. Fixed. |
| SPE-5772 | Marshal Interface Agent now allows for High Availability with a hot spare secondary instance. See Trustwave Knowledge Base article Q21191. |
| SPE-5964 | A new SQM site is included. |
| SPE-6226 | Status information on the Mail Server dashboard refreshed incorrectly. Fixed. |
| SPE-6335 | The test feature for Header Rewrite ignored the parsing method selected. Fixed. |
| SPE-6364 | If the Primary user of a customer changes, the new Primary user is granted access to all user groups. This ensures customers can always see and manage their User Groups. |
| SPE-6375 | Audit History display could not be sorted. Fixed. |
| SPE-6408 | Editing an inactive domain of an inactive customer showed an incorrect customer association. Fixed. |
| SPE-6410 | Deletion of a customer could time out. Addressed by increasing the timeout values for database queries and web pages. |
| SPE-6419 | Policy import and export is available in the admin view of the Management Interface. |
| SPE-6439 | The message forwarding action showed the option to "delete the message", but this option is not allowed and was not applied when forwarding. Fixed. |
| SPE-6443 | The message history view did not refresh automatically when a message was released. Fixed. |
| SPE-6444 | Message Viewer Log tabs now include a Copy button. |
| SPE-6445 | "All/None" selection is available on additional checkbox lists. |
| SPE-6450 | Audit History did not display the checksum of new Identity Provider certificates. Fixed. |
| SPE-6483 | Handling of exceptions returned from MailMarshal API calls is improved. |
| SPE-6484 | When a preset group package rule is edited by a customer, the group editor opens in a side panel. |
| SPE-6493 | The Connections Rejected values on the Array dashboard did not include a total. Fixed. |
| SPE-6496 | The Connections Rejected values on the Array dashboard were not populated. Fixed. |
| SPE-6498 | The Top Quarantine Folders portlet is implemented in the Array dashboard. |
| SPE-6511 | The display of service status in the Mail Server dashboard was not correctly persisted. Fixed. |
| SPE-6517 | In rare cases Marshal Interface Agent invoked a specific programming call that is not available in the current .NET version. Fixed. |
| SPE-6521 | Remote HTTP access from Marshal Interface Agent has been updated to use a newer web client. |
| SPE-6523 | SSO authentication is available for the customer view of the Management Interface. |
| SPE-6524 | Certain binary files in the distribution were not digitally signed. Fixed. |
| SPE-6533 | The check for an available delivery server when saving a route is not performed if the route is marked "not available for sending." This allows messages to be held if the route is known to be down. |
| SPE-6536 | The display of service status in the Mail Server dashboard could show as blank instead of stopped. Fixed. |
| SPE-6541 | Message text displayed in the message viewer was unexpectedly modified in some cases. Fixed. |
| SPE-6549 | Menus in the admin view of the Management Interface are aligned with the user's permission to use the related pages. |
| SPE-6552 | The Management Interface did not honor role-based settings for visibility of rule conditions. Fixed. |
| SPE-6555 | CSV export did not quote text as required. Fixed. |
| SPE-6559 | A customer cannot be moved to a reseller if the reseller lacks permission to provide packages that the customer uses. |
| SPE-6565 | In version 4.3.0 a development-only option was visible in the profile menu. Fixed. |
| SPE-6580 | Deleting a reseller removed IP access settings of an unrelated customer. Fixed. |
| SPE-6585 | Message queue display for customers was not correctly limited. Fixed. |
| SPE-6612 | .NET runtimes bundled with the installer are updated. |
| SPE-6613 | When .NET runtimes found on the server may be mismatched, the installer raises a warning message and exits. See Trustwave Knowledge Base article Q21193. |
| SPE-6618 | Some links in the Management Interface packages page for customers opened/expanded an incorrect child item. Fixed. |
| SPE-6631 | The EULA was not included in the installation folder for new installations in earlier 4.3 release. Fixed. |
| SPE-6637 | Upgrade did not remove some un-needed files that had been installed by earlier versions. Fixed. |
| SPE-6641 | In the Admin view of the Management Interface, when a site or support login is granted "access to all customers" the detailed selections are hidden for clarity. |
| SPE-6642 | Newer versions of Visual C++ runtimes and OLE DB drivers are installed. |
| SPE-6653 | The message search date and time selector did not take account of time zones. Fixed. |
| SPE-6654 | SQM now allows users to maintain Blocked Senders lists. |
| SPE-6658 | Upgrade now ensures that the built in Administrator login has full permission in the Management Interface. |
| SPE-6674 | SQM action pages such as the release page now require a confirming click to avoid unintended action from visits by URL scanning software. |
| SPE-6677 | SPF based Relay Groups calculated the required IP ranges incorrectly (off by one). Fixed. |
| SPE-6681 | In earlier 4.3 releases, checksums were not logged to Connector Agent audit logging. Fixed. |
| SPE-6682 | When SSO is enabled for SQM, new users still received a registration mail with login and password. Fixed. |
| SPE-6718 | The Reputation Service Test button did not work for some data values. Fixed. |
| SPE-6729 | Message History CSV export now includes the Description column. |
| SPE-6743 | Reseller logins to the Customer view of the Management Interface were logged out when viewing certain pages. Fixed. |
| SPE-6744 | HTTP socket usage for connections between SPE components has been reduced by re-using existing client connections. |
| SPE-6745 | Deleted mail servers were not correctly removed from Management Interface views and deletion was repeatedly logged. Fixed. |
| SPE-6748 | Files with specific characters in their names could not be downloaded from Message History. Fixed. |
| SPE-6749 | The message viewer did not remove some embedded videos when rendering a HTML body. Fixed. |
| SPE-6754 | Internal clients did not re-use HTTP connections to the MIA service. Fixed. |
| SPE-6755 | Site Logins now have the same permissions as the customer Primary login. |
| SPE-6779 | SQM with SSO enabled created new users automatically even when the Self Provisioning option was not selected. Fixed. |
| SPE-6814 | Read-only logins to the Management Interface had access to add and delete items on some pages. Fixed. |
| SPE-3662 | A full message can be downloaded from the Message Viewer (in Management Interface). |
| SPE-4665 | Searching message history for "dead letter" or "quarantined" classifications did not return correct results. Fixed. |
| SPE-4724 | User group member "full names" could not include Unicode characters. Fixed. |
| SPE-4740 | The Admin Console unintentionally limited the number of relaying sources for a customer. Fixed. |
| SPE-5006 | In some 4.2 releases, removing customer package access from a Distributor did not remove access for Customers. Fixed. |
| SPE-5290 | In some 4.2 releases, IP group replication did not properly set timestamps. Fixed. |
| SPE-5294 | Domains could not be deleted in some cases. Fixed. |
| SPE-5305 | Disabled Preset Group rules were applied due to incorrect user matching. Fixed. |
| SPE-5404 | The Marshal Agent Registry Cleaner ran on servers that did not have the Array Manager installed. Fixed. |
| SPE-5448 | In the Admin Console Array settings, the last updated time for custom file types was never updated. Fixed. |
| SPE-5466 | Some table in the SPE Configuration database were not pruned. Fixed. |
| SPE-5488 | The first push of a new group from Connector Agent could be rejected with Update Interval Error. Fixed. |
| SPE-5536 | The array reload history report now includes information about validation errors. |
| SPE-5613 | The customer package summary report did not include customers with no distributor or reseller when "all" was selected. Fixed. |
| SPE-5629 | Array statistics pruning logic is improved. |
| SPE-5637 | SPE database pruning logic is improved. |
| SPE-5640 | Scheduled reports failed with no notice if they referenced invalid (deleted) items such as domains or groups. Fixed: reports run (output may be blank) and an email message is sent detailing the issue. |
| SPE-5649 | Tabs and line breaks in TextCensor expressions were not correctly escaped, causing failure to load in the SEG engine. Fixed. |
| SPE-5650 | Upgrade from version 3.7.0 failed due to a missing database deletion. Fixed. |
| SPE-5657 | SQM SSO can be set to force authentication through the IDP for additional security. |
| SPE-5658 | In release 4.2.4, Customer Console reports with a Domains parameter were not correctly saved. Fixed. |
| SPE-5673 | The TextCensor scripts used for Keywords Detection could be selected by Advanced customers, causing replication failure. Fixed. |
| SPE-5686 | Deletion of a customer could fail if user digest subscriptions existed. Fixed. |
| SPE-5695 | Deletion of a customer could fail if relay group overrides existed. Fixed. |
| SPE-5698 | Marshal Interface Agent status logging could have a database deadlock. Fixed. |
| SPE-5765 | When Syslog is enabled, customers can be allowed or denied access to the configured global server. |
| SPE-5770 | Changes to hostname and access token from Client Settings were not saved to the database. Fixed. |
| SPE-5775 | Text log files were not deleted as expected in some cases. Fixed. |
| SPE-5805 | Digest templates did not show the "Release" option on very narrow screens. Fixed. |
| SPE-5860 | The Messages Detail by Classification report did not correctly translate timezone information. Fixed. |
| SPE-5862 | Items classified as Outbound Messages - Keywords Detection could not be viewed in the Customer Console. Fixed. |
| SPE-5866 | Account identifiers can be up to 100 characters. |
| SPE-5867 | Customers now have a configurable Primary Domain used for password resets. |
| SPE-5868 | Settings are available to control ability of end users to enter wildcards or "own domain" entries in Safe Senders. Denying these options enhances blocking of spoofed messges. |
| SPE-5869 | Executive Names lists can use a single Connector Agent group as well as manual entries. |
| SPE-5870 | SQM SSO is enhanced with an available URL path and other options to minimize the need for users to log in repeatedly. |
| SPE-5917 | Site and Support logins could not see the Relays information. Fixed. |
| SPE-5921 | Searching in Help did not work due to security updates in browsers. Fixed. |
| SPE-5989 | References to "Trustwave SEG" have been replaced by "MailMarshal". |
| SPE-6008 | System TextCensor scripts that included explicitly named items were not correctly replicated. Fixed. |
| SPE-6021 | Links in digests now include the customer primary domain SSO redirection, if configured. |
| SPE-6025 | The array SMTP authentication rule (Array Receiver configuration) did not specify that messages should be accepted. Fixed. |
| SPE-6048 | Array level Header Rewrite did not apply to all selected fields. Fixed. |
| SPE-6131 | Validation of email address syntax has been improved. |
| SPE-6194 | Changing a customer package rule from "deactive" to "disabled" state set the rule to enabled. Fixed. |
| SPE-6195 | Array reload flags can be manually set to force application of configuration. |
| SPE-6198 | The version of .NET used is updated to 6.0. |
| SPE-6211 | ESMTP authentication is evaluated after local domain rejection. |
| SPE-6231 | Evaluation of local domains could be bypassed by a crafted entry. Fixed. |
| SPE-6291 | Editing of the File Type rule condition could cause duplicate entries where an items was in more than one group. Fixed. |
| SPE-4432 | Archived messages were included in the "Top sources of blocked messages" report. Fixed. |
| SPE-4433 | Messages between customers, that were classified by the sending customer, could appear in the receiving customer's classification reports. Fixed. |
| SPE-4585 | SSO login resiliency and logging are improved. |
| SPE-4728 | When "Reject Unknown Domains" was selected, mail for expired trial customers was rejected. Updated behavior: Mail for expired trial customers is passed through without processing even if "Reject Unknown Domains" is selected. |
| SPE-4745 | The Customer Console now provides the "prepend to subject" rule action. |
| SPE-4768 | A Category Script can be restricted to a specific customer. |
| SPE-4960 | In previous 4.X versions, newly added classifications were not visible to customer administrators. Fixed. |
| SPE-5004 | In the Customer Console, message retrieval security is enhanced. |
| SPE-5125 | In the Admin Console, the Apply DKIM rule action option for failed signing did not show all available folders (standard outbound folders). Fixed. |
| SPE-5144 | Excessive logging in MIA file updates has been removed. |
| SPE-5147 | In version 4.2.0, reports and other long running processes could time out after 100 seconds. Fixed. |
| SPE-5189 | Configuration updates are now checked for referential integrity before being applied. Backups of the SEG Registry keys are automatically maintained to support this feature. |
| SPE-5216 | In earlier 4.2 releases, the Scheduled Reports page in the Customer Console did not work from Internet Explorer. Fixed. |
| SPE-5217 | SQM SSO could cause synchronization issues doe to very long internal random user passwords. Fixed. |
| SPE-5245 | All user groups could be reloaded unnecessarily in rare cases. Fixed. |
| SPE-5247 | In release 4.2.0, replication of rule criteria could be incorrect for certain values of the SPE module licensing. |
| SPE-5275 | A customer with SQM SSO configured could not be deleted. Fixed. |
| SPE-5277 | Reports could fail with a JSON length error. Fixed. |
| SPE-5299 | In the Customer Console, text entered in the email history search is now trimmed to reduce issues with pasted values. |
| SPE-5337 | In the Customer Console, minimum password length was not properly enforced in some cases. Fixed. |
| SPE-5341 | Installation includes the MSOLEDBSQL database driver (supporting TLS v1.2 secured connections). |
| SPE-5349 | CSV export files now include the UTF-8 Byte Order Mark for ease of use with Microsoft Excel. |
| SPE-5387 | The upgrade process for SPE-4283 (Connector Agent groups not used directly in rules) updated the groups but not rules. Fixed. |
| SPE-5389 | Marshal Agent code is updated to use .NET Core. |
| SPE-5392 | SQL scripts needed by SPE are updated in the SEG database only for new arrays or if explicitly requested. |
| SPE-5453 | In some cases selecting "Force Reload" or "Apply Configuration" in the Admin Console did not trigger the required action. Fixed. |
| SPE-5515 | Marshal Agent is more resilient to errors in worker threads. |
| SPE-5529 | Preset user groups were re-synchronized unnecessarily when a customer was deleted. Fixed. |
| SPE-5626 | The Database Wizard now uses the MSOLEDBSQL driver for enhanced TLS compatibility. |
| SPE-4213 | Scheduled Report logging and error logging have been improved. |
| SPE-4445 | HTML to plain text conversion uses an updated solution. |
| SPE-4472 | Rules and policies are now identified with a GUID to assist with replication and upgrades. |
| SPE-4473 | A new Admin Console report shows customer packages for each customer. |
| SPE-4494 | In the Admin Console, Relay groups IP entries ending in 0 were not allowed. Fixed. |
| SPE-4504 | Scheduled report parameters are stored in JSON format. |
| SPE-4527 | In version 4.0, the buttons on the SQM Welcome page did not function correctly. Fixed. |
| SPE-4531 | The URL for SQM is written to SEG node configuration for use in notifications. |
| SPE-4533 | Routing Tables replicated to SEG use the new required format. |
| SPE-4565 | The Customer Console Message Template editor better handles cancellations and changes. |
| SPE-4566 | In the Admin Console, validation of TLS domain entries did not correctly handle subdomains. Fixed. |
| SPE-4567 | TextCensor scripts saved in the Customer Console were not correctly replicated due to an incorrect parameter. Fixed. |
| SPE-4578 | In the Customer Console, users with appropriate privileges can choose which login is "primary" for the customer. |
| SPE-4590 | The Marshal Interface Agent now exposes a REST interface which is used for communication by other SPE components. |
| SPE-4603 | Outbound customer package rules no longer allow IP groups. |
| SPE-4615 | The Customer Console User Groups page did not work correctly when a total of more than 100,000 users was imported. Fixed. |
| SPE-4619 | In the Customer Console, the CSV Message History export now includes the "Type" column. |
| SPE-4625 | In the Admin Console, templates used in Array Templates were marked as "not used". Fixed. |
| SPE-4628 | In the Customer Console, refreshing while editing templates did not work as expected. Fixed. |
| SPE-4637 | Scheduled reports were generated for inactive customers. Fixed. |
| SPE-4638 | In the Customer Console, Message Template editing did not always show the correct tabs or convert between Plain and HTML as expected. Fixed. |
| SPE-4657 | In release 4.0.3, Visual C++ 2010 (required for TextCensor administration) was not installed on an Admin Console-only server. Fixed. |
| SPE-4671 | The Admin Console supports selection of key length for DKIM keys. |
| SPE-4672 | In the Admin Console, performance of the Domains page is improved. |
| SPE-4687 | In the Customer Console, From IP is included in Message history export. |
| SPE-4695 | Preset Rule user groups were not correctly written in specific cases. Fixed. |
| SPE-4699 | Preset IP Groups are only available for inbound rules. |
| SPE-4700 | In the Customer Console, loading time for the Package Policies page is improved. |
| SPE-4705 | DMARC evaluation rules support ignoring the PCT keyword. |
| SPE-4718 | In the Admin Console, a Reseller could set the Customer Host to be the same URL as the global host. Fixed. |
| SPE-4723 | In the Admin Console, editing usage of a Customer Package altered IP Group user matching on the package for other customers. Fixed. |
| SPE-4725 | The PDF generation module is update to the latest version to support Windows Server 2016. |
| SPE-4729 | The Customer Console message viewer allows the entire message to be downloaded. |
| SPE-4730 | The Customer Console message viewer allows message logs to be easily copied to the clipboard. |
| SPE-4736 | The Customer Console report "Messages per classification per user" returned multiple lines for Classification Group members. Fixed. |
| SPE-4737 | Message Templates and Message Stamps could include bare Linefeeds. Fixed: Linefeeds are corrected to CRLF. |
To review Release History for earlier versions, please see the Release Notes for the specific versions.
Copyright © 2023 Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
The authors make no representation or warranties with respect to the accuracy or
completeness of the contents of this document and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for
your situation. You should consult with a professional where appropriate.
Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special,
incidental, consequential, or other damages.
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.