Tip: All changes are tracked in the Gateway documentation, see the information in the last row of the documentation agreement.
For the latest 14.1 releases, see https://downloads.seppmail.com/extrelnotes/141/ERN14.1.html
For the latest 14.0 releases, see https://downloads.seppmail.com/extrelnotes/140/ERN14.0.html
For the latest 13.1 releases, see https://downloads.seppmail.com/extrelnotes/131/ERN13.1.html
SEPPmail Gateway news via Statuspal
As of July 2025, SEPPmail Secure E-Mail Gateway customers and partners can register for Statuspal messages under the link https://seppmail.statuspal.eu/#subscribe. Information about the Gateway is now also published here.
Release Date: November 4th, 2025
SEPPmail version: 15.0
Author: Birgit Grossmann
The "Save and apply all" button in the Advanced System Settings did not ensure that the changes were actually saved and applied. This has been fixed now.
Under "Managed Domains" it is now possible to regenerate DKIM and ARC keys. In addition, the Master ARC key can also be regenerated under "Mail System".

Regenerate DKIM Key

Regenerate ARC Key
When the SEPPmail Gateway performs its revocation checks for root CA certificates, it sets the status to "untrusted" if the CA certificate has been revoked.
The file.app, which we use to bypass the upload of LFT attachments, previously did not return any error messages when an upload was unsuccessful. As a result, users were never able to tell whether the upload had been successful or not. From version 15.0.0 onwards, it returns error codes with meaningful error descriptions.
The X-Forwarded-For IP address is now logged in the Apache access log for the GINA GUI. This also gives us information about whether there is a proxy in front of the system that sets the HTTP header.
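X-Forwarded-For is set by whoever sends the request, so the logged value is only meaningful when the connection itself came from a proxy you operate. The following added example (not SEPPmail code) resolves the effective client address from access-log lines under that rule; the log layout, the proxy range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed layout (not taken from the release notes): TCP peer address, then the
# quoted X-Forwarded-For value ("-" when absent), then the usual log fields.
LINE_RE = re.compile(r'^(?P<peer>\S+) "(?P<xff>[^"]*)" ')

# Hypothetical reverse proxies that are allowed to set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample lines.
SAMPLE_LOG = """\
10.0.0.5 "203.0.113.7" - - [04/Nov/2025:10:00:01 +0100] "GET / HTTP/1.1" 200 5120
198.51.100.9 "127.0.0.1" - - [04/Nov/2025:10:00:02 +0100] "POST / HTTP/1.1" 401 312
10.0.0.5 "192.0.2.1, 203.0.113.7" - - [04/Nov/2025:10:00:03 +0100] "GET / HTTP/1.1" 200 5120
10.0.0.5 "-" - - [04/Nov/2025:10:00:04 +0100] "GET / HTTP/1.1" 200 5120
"""


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(peer, xff):
    """Return (client_ip, note). The header is believed only when the TCP
    peer is a trusted proxy; its hops are then walked from right to left."""
    peer_ip = ipaddress.ip_address(peer)
    if xff in ("", "-"):
        return str(peer_ip), "direct"
    if not is_trusted(peer_ip):
        # Header supplied by an arbitrary client: keep the peer address.
        return str(peer_ip), "xff-from-untrusted-peer"
    current = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(current), "xff-malformed"
        current = hop_ip
        if not is_trusted(hop_ip):
            break  # first hop we do not operate: this is the client
    return str(current), "via-proxy"


def analyse(log_text):
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [client_address(m["peer"], m["xff"]) for m in matches if m]
```

The "xff-from-untrusted-peer" note is the case to review: a request reached the GINA GUI directly but carried the header anyway.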
By default, the setting for "Verify recipient addresses using SMTP lookups" under "Mail System" is now inactive (not checked). The setting is therefore deactivated for new installations.
Under "Mail System", you can disable client certificate verification in the submission port settings. This also means that Postfix no longer transmits the list of subjects of the root CA certificates, which causes problems in some Exchange installations because the list is too large.

Enable or disable client certificate verification
For SwissSign MPKI, GivenName and Surname are only required for Gold products. A corresponding error message is displayed if the two values cannot be determined for a Gold product.
SEPPmail Gateway now offers a REST connection to the PKI of SwissSign.

New SwissSign REST MPKI connector
The new Harica MPKI connector replaces the no longer functional DFN connector.

New Harica MPKI connector
If the classic SwissSign MPKI connector is used (not the new SwissSign REST MPKI connector), it can now be used to issue domain certificates for managed domains.

Generate new SwissSign S/MIME Key
If a user's licence is revoked, either manually or after 3 months of inactivity, their S/MIME certificates will be revoked from version 15.0.0 onwards.
Previously, if a customer was exported from one appliance and then imported onto another appliance, deleting the customer on the original appliance revoked all certificates belonging to the customer's users. This also rendered all user certificates imported onto the new appliance useless. Now, when deleting a customer, you can choose whether or not to revoke the certificates of the users. Revocation is disabled by default.

Revoke user certificates before deletion
There was a discrepancy between the number of licensed users in the customer overview and the customer detail view. This has been fixed now.
Previously, when a managed domain was deleted, not all places where it was in use were searched. This meant that some components retained the already deleted managed domains in their data. These references are now correctly cleaned up.
It is now possible to manage encryption policies via the RestAPI.
Backups from non-multi-customer appliances (extension .bak) can now be imported as a new customer.

Import customer from Backup file
Our internal CMS module, which handles encryption, decryption and signatures, has so far been very complicated and memory-intensive. We are now using a more elegant approach, which reduces memory consumption considerably and is a little faster.
Previously, some headers were only written to the email via the RuleSet. This meant that these headers were not present in a self-written RuleSet, which in turn could lead to problems in the M365 environment, as the connectors created by our PowerShell module expect certain headers. These headers are now added directly by the RuleEngine functions.
There are two new functions for the RuleEngine that allow you to turn an email into an LFT message or revert an LFT message to an email. The functions are called make_lft and revert_lft, have no arguments, and return a corresponding value depending on success or failure, so that they can also be used in if conditions.
The new RuleEngine function getusetattr("ATTRIBUTE_NAME", "VARIABLE_NAME") is available. It has two required parameters: the user attribute to be queried and the variable to which the value should be written. The function returns true if it was successful, so it can also be used in if conditions.
An error in the code meant that changes to the language settings of a GINA domain, i.e. the texts used in the language, were not applied. This has been fixed now.
When GINA user authentication against the appliance's internal database was enabled, failed login attempts were not logged, meaning that users were never locked out after reaching the maximum number of unsuccessful login attempts. This has been fixed now.
The option "Certificate login" in the GINA settings has been removed.