Santronics Software, Inc.,
Version 7.0 Build 454.6

SPECIAL NOTES ABOUT THIS UPDATE:

This is a plug and play update, rebuilt for the latest Windows operating systems, with a number of enhancements and fixes.

SEE SPECIAL UPGRADE NOTES

Changes, New Features and Enhancements by Wildcat! Component  

WCGEOIP (Wildcat! GeoLocation IP)


- NEW: New component: Wildcat! GeoLocation IP

       This new system allows filtering of IP connections based on the
       geographical location of the connecting IP address.  This is a
       significant boost to filtering bad connections into your system.
       It is installed via the 7.0.454.6 CD and also via the AUP
       AutoUpdate.

       See Wildcat! GeoIP Location Filters for details.

WCSERVER (Wildcat! Server)


- ENH: Wildcat! login event log now adds the call type to the log.

- NEW: New Wildcat! Geo IP/location (wcGeoIP) server/database for
       filtering based on IP address and world location.

- FIX: Fixed reading default data\iptrack.ini values when sections
       were missing.

- FIX: Fixed wcx access to a wc:\http\ folder which contained a ".wctaccess"
       access file.  See new .wctaccess rules.

- NEW: The Wildcat! server (wcserver) will now support the following
       additional .wctaccess file rules.

       Allow System         # Allow System Agent Access
       Allow Configuration  # Allow Configuration Agent Access
       Allow MasterSysop    # Allow Authenticated User with master sysop security

       See the WCWEB section for detailed information.

WCDRAW (Wildcat! ANSI Display Editor)


- FIX: Fixed Memory Overflow bug

WCDNS (Wildcat! DNS Resolver)


- ENH: Updated wcDNS to handle a CNAME result in a rDNS (PTR) lookup.
       This happens when a subnet smaller than a /24 (for example a /27)
       has its reverse zone delegated by the ISP using IETF RFC 2317
       "Classless IN-ADDR.ARPA delegation": the PTR query for the address
       returns a CNAME into the delegated zone, and that name must be
       followed to reach the actual PTR record.

- ENH: wcDNSGetRecords() now switches to STREAM (TCP) mode and repeats the
       query when the UDP response has the TC (truncated) bit set, so a
       large answer is no longer silently cut short.
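The two cases above (a truncated UDP answer that must be re-sent in STREAM mode, and an RFC 2317 CNAME in front of a PTR record), re-implemented in Python as an added illustration. This is not wcDNS code; the DNS header bytes, the /27 delegation records and the host name mail.example.net are constructed for the example. The same truncation handling is what the SPF lookup fix under WCSAP below describes.

```python
"""Added example: detecting a truncated UDP DNS reply and following an
RFC 2317 classless-delegation CNAME to the PTR record. Not wcDNS code."""
import struct
from typing import Dict, Optional, Tuple

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_TC = 0x0200                        # TC ("truncated") bit in the flags word


def is_truncated(response: bytes) -> bool:
    """True when the DNS header has TC set: the server could not fit the
    whole answer in the UDP datagram, so the query must be re-sent over TCP."""
    if len(response) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    _, flags, *_ = DNS_HEADER.unpack_from(response)
    return bool(flags & FLAG_TC)


def frame_for_tcp(query: bytes) -> bytes:
    """DNS over TCP (RFC 1035 section 4.2.2) prefixes every message with a
    2-byte big-endian length; that is the only change needed to resend the
    same query in STREAM mode."""
    return struct.pack("!H", len(query)) + query


def reverse_name(ipv4: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def resolve_ptr(records: Dict[str, Tuple[str, str]], name: str,
                max_hops: int = 8) -> Optional[str]:
    """Return the PTR target for `name`, following CNAMEs on the way.

    `records` maps an owner name to (type, rdata), standing in for the parsed
    answer section. With an RFC 2317 delegation the /24 zone answers the PTR
    query with a CNAME into the customer's sub-/24 zone, and the PTR record
    lives at the CNAME target; a resolver that only looks for PTR records in
    the answer never finds it. The hop limit guards against CNAME loops."""
    for _ in range(max_hops):
        rec = records.get(name.lower())
        if rec is None:
            return None
        rtype, rdata = rec
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None
        name = rdata
    return None


# Constructed sample data (not captured traffic): a UDP reply with TC set, a
# complete reply, and an RFC 2317-style answer chain for 46.146.232.196 (the
# address used in the wcBASIC example later in these notes); mail.example.net
# is a made-up host name.
TRUNCATED_REPLY = DNS_HEADER.pack(0x1234, 0x8000 | FLAG_TC, 1, 0, 0, 0)
COMPLETE_REPLY = DNS_HEADER.pack(0x1234, 0x8000, 1, 1, 0, 0)
RFC2317_ANSWERS = {
    "196.232.146.46.in-addr.arpa.": ("CNAME", "196.192/27.232.146.46.in-addr.arpa."),
    "196.192/27.232.146.46.in-addr.arpa.": ("PTR", "mail.example.net."),
}

if __name__ == "__main__":
    print("retry over TCP:", is_truncated(TRUNCATED_REPLY))
    print("PTR for 46.146.232.196:",
          resolve_ptr(RFC2317_ANSWERS, reverse_name("46.146.232.196")))
```

The hop limit matters in practice: a misconfigured delegation can point a CNAME back at itself, and a resolver without a bound on chain length will spin.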

WCSSL (Wildcat! Secured Socket Layer)


- UPD: WCSSL was updated using OpenSSL 1.0.2g.

- UPD: WCSSL was updated for ECDHE cipher suites.  This allows the use
       of elliptic curves for ephemeral DH key exchange (forward
       secrecy) and supports modern PCI security certification, with
       Grade A+ ratings in Qualys SSL Labs testing.

- UPD: A new PCI ECDHE cipher list is available for "Set PCI Compliance"
       operations.

       If you delete the SSL\CIPHERS.TXT file and rerun WCSSLCONFIG.EXE,
       a new file will be created from which the recommended ciphers can
       be selected.

WCSMTP (Wildcat! SMTP Server)


- ENH: Added logic to prevent a delivery loop when the MX for a domain
       resolves to localhost.

- CHG: A NULL return path (MAIL FROM:<>) is now allowed for authenticated
       sessions. To return to the previous logic (reject it), set the
       "wcSMTP\UserAuth.RejectNull" DWORD registry value to 1:

       wcregedit /local /value:wcsmtp\UserAuth.RejectNull /dword:1

- ENH: New wcSMTP WCX hooks for GeoLocation IP Filtering.

       SMTPCMD-CONNECT.WCX  if it exists, called at the connection level
       SMTPCMD-EHLO.WCX     if it exists, called at the EHLO/HELO command

- FIX: When sending mail, fixed a situation where a timeout at the MAIL
       FROM, RCPT TO or DATA SMTP state was treated as a premature
       permanent failure, causing the destination address to be added
       to the data\badrcpt.txt file.   With the fix, retries are
       attempted until exhausted.

- FIX: Fixed situation where the USERID number was not written to the
       meta messages being received when the email's userid was an
       Internet Email Conference user name.

- FIX: Fixed Router DKIM signing for SHA256 private keys.

- DOC: Technical note on preparing the outgoing EHLO/HELO host name.

       See the technical note regarding the EHLO/HELO host name:

       Setting the EHLO/HELO host name

WCMAIL (Wildcat! Mail Gateway)


- NEW: When importing email, dupes will be moved to the "Dupe\" spool
       subfolder.

       Note: WcConfig allows you to set an "Allow Duplicate Messages"
       checkbox option per mail area/conference.

WCPOP3 (Wildcat! POP3 Server)


- ENH: The trace log now records IP:PORT for -ERR authorization
       failures, for easier searching (e.g. with grep).

WCTELNET (Wildcat! Telnet Server)


- FIX: Fixed the logging for blocked IPs

WCWEB (Wildcat! Web Server)


- FIX: Fixed URL parsing bug

- FIX: Corrected Questionnaire processor issue with embedded javascript.

- NEW: Added "; secure" when setting cookies in the web server for SSL
       operations, so the browser only sends the cookie over HTTPS.
       This addresses PCI requirements from some PCI audit vendors.

- NEW: Added "; httponly" when setting cookies in the web server for PCI
       operations, when the HKLM\Software\SSI\wcWeb\EnableHttpOnly DWORD
       is true (the default), so the cookie cannot be read by script.
       This addresses PCI requirements from some PCI audit vendors.

- ENH: WcWeb will now check for the proper VDG for the
       wcssl_http_redirect.htm template when SSL is enforced for all
       connections.

- ENH: Updated the SoundManager2 Audio files. Helps with better mobile
       and non-flash, HTML5 audio player.

- FIX: For CGI scripts, the optional registry string
       wcWeb\NoContentStatus404 now defaults to TRUE.  wcWEB will then
       return a 404 status for CGI scripts (e.g. PHP) that return a
       status 200 with empty content.  This should reduce PHP probing
       of wcWEB, because attackers may take a 200 response as a reason
       to keep attacking; the 404 response is intended to reduce this
       overhead.

- NEW: It is now possible to add additional web response headers to all
       requests.  This is done using the new file:

           data\AddExtraHeaders.txt

       This file is distributed by SSI and is preconfigured to support
       enhanced PCI operations, which keep adding requirements for new
       security-related headers.  Because SSI distributes this file,
       do not put your own headers in it.

       If you want to add your own response headers, create a custom
       file:

           data\AddExtraHeaders-customer.txt

- ENH: wcWEB PCI security operations were enhanced as follows:

       1)  Added Response Header:

           Strict-Transport-Security: max-age=31536000; includeSubDomains

           "Strict-Transport-Security" is added when SSL is required
           for all connections.

           required: "max-age=time" in seconds, default 365 days (31536000)
           optional: "; includeSubDomains"  applies the policy to all
                     subdomains (*.example.com) as well
           optional: "; preload" related to submitting your domain to the
                     browsers' HTTPS preload list
           see https://www.troyhunt.com/understanding-http-strict-transport

           Note: This header is added via data\AddExtraHeaders.txt.  It
           only takes effect on responses received over HTTPS (browsers
           ignore it over plain HTTP), and once a browser has stored the
           policy it enforces HTTPS for the full max-age, so make sure
           every host covered by includeSubDomains actually serves HTTPS
           before enabling it.

       2)  Added Response Header:

           X-XSS-Protection: 1; mode=block

           see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

           Note: This header is added via data\AddExtraHeaders.txt.
           Current browsers have since removed the XSS filter this
           header controlled, so it satisfies audit checklists but gives
           no protection on its own; template output encoding (SafeQuery,
           below) and a Content-Security-Policy header are what actually
           prevent script injection.

       3)  The Message_Create.htm template was updated to remove a
           JavaScript injection possibility.  There was no security
           issue, but the PCI Auditor requested that this be changed.
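As an added check for the cookie attributes and extra response headers described above (this is not wcWEB code; the two sample responses and the WCSESSION cookie name are constructed for the example), a small Python audit that parses a raw HTTP response and reports what is missing:

```python
"""Added example: audit an HTTP response for Secure/HttpOnly cookie
attributes and the HSTS / X-XSS-Protection headers. Not wcWEB code."""
from typing import List, Tuple

HSTS_MIN_MAX_AGE = 31536000          # one year, the value shipped in AddExtraHeaders.txt


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x response into status line, [(name, value)] and
    body. Headers come back as a list because Set-Cookie may repeat."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_findings(set_cookie: str, over_tls: bool) -> List[str]:
    """Check one Set-Cookie value for the Secure and HttpOnly attributes.
    Secure is only meaningful (and only required) on an HTTPS response."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    out = []
    if over_tls and "secure" not in attrs:
        out.append("cookie %s: missing Secure" % cookie_name)
    if "httponly" not in attrs:
        out.append("cookie %s: missing HttpOnly" % cookie_name)
    return out


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value; 0 if absent/invalid."""
    for directive in value.split(";"):
        key, eq, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if key.lower() == "max-age" and eq and num.isdigit():
            return int(num)
    return 0


def audit(raw: bytes, over_tls: bool) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value, over_tls))
    single = {name: value for name, value in headers if name != "set-cookie"}
    if over_tls:
        hsts = single.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        elif hsts_max_age(hsts) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below %d" % HSTS_MIN_MAX_AGE)
    if "x-xss-protection" not in single:
        findings.append("missing X-XSS-Protection")
    return findings


# Constructed sample responses (not captured from a real server).
WEAK = (b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: WCSESSION=abc123; path=/\r\n"
        b"\r\n<html></html>")
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Set-Cookie: WCSESSION=abc123; path=/; secure; httponly\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"X-XSS-Protection: 1; mode=block\r\n"
            b"\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp, over_tls=True) or "OK")
```

Feed it a response captured from your own server (for example the output of `curl -i`); on an HTTPS response the findings should be empty once AddExtraHeaders.txt and EnableHttpOnly are in place.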

- NEW: Not new to this release (it was added about 9 years ago), but worth
       restating: WCT templates have a "SafeQuery.XXXXX" macro that can be
       used instead of "Query.XXXX".  Using SafeQuery prevents cross-site
       scripting (JavaScript injection) through the query value, so use it
       wherever a query parameter is echoed into a page.  This is required
       for PCI compliance.
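What the Query/SafeQuery distinction amounts to, shown as an added Python template renderer (this is not WCT or wcWEB code): render_unsafe() copies a query value into HTML verbatim, the pattern the item above warns against, while render_safe() encodes the value for the context it lands in. The exact encoding SafeQuery applies is not stated in these notes; the HTML and JavaScript-string encodings below are standard choices assumed for the example, and the payload and templates are constructed.

```python
"""Added example: raw query echo versus context-aware output encoding.
Not WCT/wcWEB code; encodings are an assumption about what SafeQuery does."""
import html
import json

PAYLOAD = '"><script>alert(document.cookie)</script>'   # constructed test input


def render_unsafe(template: str, query: dict) -> str:
    """Substitute {Query.name} with the raw query value. Vulnerable: the
    value can close the attribute and start a <script> element."""
    out = template
    for key, value in query.items():
        out = out.replace("{Query.%s}" % key, value)
    return out


def safe_html_text(value: str) -> str:
    """For text between tags and for double-quoted attribute values:
    &, <, >, " and ' become entities, so the value can never be markup."""
    return html.escape(value, quote=True)


def safe_js_string(value: str) -> str:
    """For use inside a JavaScript string literal within <script>. JSON
    encoding handles quotes, backslashes, control characters and non-ASCII
    (including U+2028/2029); <, > and & are additionally written as \\uXXXX
    so the value cannot close the enclosing <script> element or be
    re-read as markup by the HTML parser."""
    encoded = json.dumps(value)[1:-1]
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_safe(template: str, query: dict) -> str:
    """Substitute {SafeQuery.name} (HTML context) and {SafeQueryJS.name}
    (JS string context). A leftover raw {Query.name} is an error here, so
    the unsafe form cannot slip into a rendered page."""
    out = template
    for key, value in query.items():
        out = out.replace("{SafeQuery.%s}" % key, safe_html_text(value))
        out = out.replace("{SafeQueryJS.%s}" % key, safe_js_string(value))
    if "{Query." in out:
        raise ValueError("raw Query.* macro left in template; use SafeQuery.*")
    return out


# Constructed templates: the same subject field, unsafe and safe.
UNSAFE_TEMPLATE = '<input name="subject" value="{Query.subject}">'
SAFE_TEMPLATE = ('<input name="subject" value="{SafeQuery.subject}">'
                 '<script>var subject = "{SafeQueryJS.subject}";</script>')

if __name__ == "__main__":
    print(render_unsafe(UNSAFE_TEMPLATE, {"subject": PAYLOAD}))
    print(render_safe(SAFE_TEMPLATE, {"subject": PAYLOAD}))
```

The point of the two encoders is that one macro cannot be correct everywhere: an HTML-escaped value placed inside a JavaScript string is still a live string delimiter, and a JSON-escaped value placed in an attribute is still markup. Pick the encoding by where the template puts the value.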

- NEW: WcWEB now supports the following additional wc:\http folder ".wctaccess"
       file rules:

       Allow System         # Allow System Agent Access
       Allow Configuration  # Allow Configuration Agent Access
       Allow MasterSysop    # Allow Authenticated User with master sysop security

       These are intended to be used by special WCX applications that
       need access to an HTTP subfolder. For example, the Wildcat! AVS
       application (wcAVS) setup edits files in the
       "wc:\http\services\avs" folder.

WCBASIC (Wildcat! BASIC Software Development Kit)


- UPD: The help file wcIDE.CHM was renamed to wcDEV.CHM.  The AUP and CD
       installs will have wcDEV.CHM.

- FIX: Fixed INPUT function non-echoing issue

- CHG: For Telnet connections, only the IP address is set, not the old
       format "hostname [ip]".  GetCallerId() now returns only the IP
       address.  Use the DnsGetAddressDomain() function to get the host
       name (domain) for your application.

       example:

       dim domain as string
       domain = DnsGetAddressDomain(GetIpAddress(GetCallerId()))

- FIX: Corrected the library Win32ini.wcc WritePrivateProfileString()
       function, which was corrupting passed key values.

- FIX: Fixed WcDEV Editor non-existing file load issue related to a MFC
       CDocument MRU behavior change.  This should eliminate the popup
       error "Encountered an improper argument".

- FIX: Corrected ParseEmailAddress() null address check in msgutil.wcc

- NEW: New wcGetGeoIP() function to look up the geographical location of
       an IP address, for building IP filters by GEO location.
       See the new wcBASIC header file: include\wcGeoIP.wch

       example:

       #include "wcgeoip.wch"

       dim gip as TWildcatGeoIP
       if WcGetGeoIP("46.146.232.196", gip) then
          print "gip.country: ";gip.country
          print "gip.city: ";gip.city
       end if

- NEW: New wcDKIM-related wcBASIC headers and wcDKIM examples:

       - wcBasic Headers for wcDKIM:

       wcbasic\include\wcdkim.wch
       wcbasic\include\wcdkimapi.wch
       wcbasic\include\wcdkimlib.wch

       - wcDKIM signing and verification examples:

       examples\wcdkim\wcdkim-example-signing.wcc
       examples\wcdkim\wcdkim-example-verify.wcc

WCFTP (Wildcat! FTP Server)


- NEW: New FTP wcx hook:

       - ftpcmd-connect.wcx,  is called at the connection level before
         the welcome response is sent.

- ENH: When an internal FTPCMD-xxxx.wcx override hook returns a
       GlobalResult of FALSE, the internal FTP command processor now
       continues.   Returning TRUE skips the internal FTP command processor.

- FIX: Fixed an ABORT issue with PORT channels which failed to open,
       most likely related to FTP clients behind NAT and firewalls.

       This fix provides a tremendous enhancement for wcFTP session
       reliability.

WCCONFIG (Wildcat! Configuration)


- FIX: Fixed System Security System Access not sticking when saving

- FIX: Fixed Allow Replay IP not sticking when saving

- NEW: Mail Areas/Conferences now have a new option:

       [_] Allow Duplicate Messages

       When set, duplicate checking for new and imported messages in the
       conference is disabled.

       Note: It was always possible for Native/wcBASIC developers to use
             the AddMessage() function TMsgHeader (mh) flag setting:

             mh.MailFlags   = mfNoDupeChecking

- NEW: File Areas now have new options:

       [_] Allow File Comments

       When set, user file comments and discussions will be enabled by
       Wildcat! Add-on File Management products.

       [_] Allow Directory Watch

       When set, this will set a flag for add-on File Area Monitoring
       tools to watch the file area for file drops or removals. The
       concept is similar to using WcRefresh, but is done automatically
       by the File Area "Watch Dog" tools.

WCCORE (Wildcat! BASIC Core Runtime Engine)


- CHG: For Telnet connections, GetCallerID() now returns the IP
       address only. The old "hostname [ip]" format is obsolete.
       This makes the GetCallerID() function consistent with all Internet
       hosting protocols.

- FIX: Fixed a WCT template rendering/processing issue with files that
       had no proper End Of Line (EOL) character(s). WCT template files
       can now be saved using MAC, UNIX or DOS EOL characters, or none
       at all.

TEMPLATES (Wildcat! HTTP Templates)


WCT (Wildcat! Templates)


WCSDK (Wildcat! Native Language Software Development Kit)


- NEW: New wcGetGeoIP() function to return Geographical Location
       information by IP Address.

       See the updated header files: wctype.h and wcserver.h

       Example: C/C++

         #include <wctype.h>
         #include <wcserver.h>

         ....

         TWildcatGeoIP gip =  {0};
         if (WcGetGeoIP(ip,gip,"en")) {
            // display gip
         }

       Example: wcBASIC

         #include "wcgeoip.wch"

         ....

         dim gip as TWildcatGeoIp
         if (WcGetGeoIP(ip,gip,"en")) then
            // display gip
         end if

       If WcGetGeoIP() returns false, call GetLastError() to get the
       reason. The possible results are:

       WC_DBASE_NOT_AVAILABLE
       WC_RECORD_NOT_FOUND
       WC_SUCCESS

WCREFRESH (Wildcat! File Database Refresh Tool)


- UPD: Added seconds to wcrefresh.log file

WCSAP (Wildcat! Sender Authentication Protocol)


- DOC: WcSAP updated to version 2.42

- DOC: wcSAP filter changes for Santronics IP addresses:

       For nearly 20 years, Santronics used a class C block of IP
       addresses, 208.247.131.0/24.  These old IP addresses were used
       for wcSAP accept and reject rules in the distributed
       wcsap/wcSapFilter.txt.  Our network IPs have changed and you need
       to modify the rules, otherwise your wcSMTP/wcSAP setup will reject
       all email from Santronics.com or Winserver.com.

       We could simply give you our new IPs and you could replace the
       old addresses in the rules below with the new ones; however,
       please use the suggested changes instead, to avoid the same
       problem the next time the Santronics IP addresses change:

       - ACCEPT rules located near the top

       Reason SSI Domain/IP accepted
       Accept if %CIP%  in 208.247.131.*  ; SSI domain connection

       - REJECT rules located near the bottom

       Reject if .santronics.com  in .%CDN% and %CIP% !in 208.247.131.*
       Reject if .winserver.com   in .%CDN% and %CIP% !in 208.247.131.*
       Reject if .isdg.net        in .%CDN% and %CIP% !in 208.247.131.*
       Reject if .catinthebox.net in .%CDN% and %CIP% !in 208.247.131.*

       Please change the above as follows:

       - ACCEPT rules located near the top: replace them with these lines:

       ;------------------------------------------------------------
       ; Optional Santronics wcsapfilter-ssi.txt file
       ;------------------------------------------------------------
       include wc:\wcsap\wcsapfilter-ssi.txt
       ;------------------------------------------------------------

       - REJECT rules located near the bottom: simply remove these lines.

       The new wcsapfilter-ssi.txt file isolates the Santronics rules
       from your own wcSAP filter rules and customizations, allowing us
       to update them as necessary via AUP or CD updates; any
       replacement accept or reject rules for the Santronics domains
       will come from that file.   This file may or may not be
       available; the include statement ignores a missing file.

- ENH: Changed the default wcSAP CBV (callback verification) UseEhlo
       setting to True.  This avoids the CBV issuing an invalid
       "HELO [ip-address]" command, which can be flagged by some
       reputation systems.

- FIX: Fixed an SPF DNS lookup issue where a truncated UDP (DATAGRAM)
       response did not cause a switch to STREAM (TCP) mode.

- NEW: Added new wcsapFilter.txt rule support for CIDR IP comparisons
       for the conditions IN and !IN. Example:

       Reason SSI Domain/IP accepted
       Accept if %CIP% in 76.245.57.64/27 ; SSI domain connection
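Added example (not wcSAP's own rule engine): a small evaluator for rules of the shape shown above, so the wildcard form, the new CIDR form and the `!in` reject rules can be exercised side by side. It understands only `%CIP% in|!in <ipspec>` and `.domain in .%CDN%` joined by `and`, with `;` comments; the rest of the wcsapFilter.txt syntax is out of scope. The rule set is a constructed excerpt and the connecting IPs and host names in the test are made up.

```python
"""Added example: evaluate wcSAP-style Accept/Reject rules with wildcard
and CIDR address specs. Not wcSAP code; supports a small subset only."""
import ipaddress
import re
from typing import List, Optional, Tuple

_RULE = re.compile(r"^(Accept|Reject)\s+if\s+(.+?)\s*(?:;.*)?$", re.I)


def ip_matches(spec: str, cip: str) -> bool:
    """Match a connecting IP against a CIDR block (76.245.57.64/27), a
    trailing-wildcard pattern (208.247.131.*) or a single address."""
    addr = ipaddress.ip_address(cip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if spec.endswith("*"):
        return cip.startswith(spec[:-1])       # "208.247.131." is a prefix match
    return addr == ipaddress.ip_address(spec)


def cond_matches(cond: str, cip: str, cdn: str) -> bool:
    """One condition: '%CIP% in X', '%CIP% !in X' or '.domain in .%CDN%'.
    The leading dot on both sides makes '.santronics.com' match the domain
    itself and any subdomain, but not 'notsantronics.com'."""
    parts = cond.split()
    if len(parts) != 3 or parts[1].lower() not in ("in", "!in"):
        raise ValueError("unsupported condition: " + cond)
    left, op, right = parts
    if left.upper() == "%CIP%":
        hit = ip_matches(right, cip)
    elif right.upper() == ".%CDN%":
        hit = ("." + cdn.lower().rstrip(".")).endswith(left.lower())
    else:
        raise ValueError("unsupported condition: " + cond)
    return hit if op.lower() == "in" else not hit


def evaluate(rules: List[str], cip: str, cdn: str) -> Optional[Tuple[str, str]]:
    """Top-down, first matching rule wins. Returns (verdict, rule line) or
    None if nothing matched. Blank lines, 'Reason' lines and text after ';'
    are ignored."""
    for line in rules:
        m = _RULE.match(line.strip())
        if not m:
            continue
        verdict, expr = m.group(1).capitalize(), m.group(2)
        conds = re.split(r"\s+and\s+", expr, flags=re.I)
        if all(cond_matches(c.strip(), cip, cdn) for c in conds):
            return verdict, line.strip()
    return None


# Constructed excerpt: the old wildcard accept, the new CIDR accept, and a
# reject for anything claiming a Santronics host name from outside the block.
RULES = """
Reason SSI Domain/IP accepted
Accept if %CIP% in 208.247.131.*     ; SSI domain connection (old block)
Accept if %CIP% in 76.245.57.64/27   ; SSI domain connection (CIDR form)
Reject if .santronics.com in .%CDN% and %CIP% !in 76.245.57.64/27
""".splitlines()

if __name__ == "__main__":
    for cip, cdn in (("76.245.57.70", "mail.santronics.com"),
                     ("203.0.113.7", "mail.santronics.com"),
                     ("203.0.113.7", "mail.example.org")):
        print(cip, cdn, "->", evaluate(RULES, cip, cdn))
```

The reject rule is the one that does the real work: it refuses a connection whose reverse name claims a Santronics domain but whose address is outside the Santronics block, which is why the old 208.247.131.* spec in that rule starts rejecting genuine Santronics mail the moment the block changes.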

WCRUN (Wildcat! WCX Runtime Loader)


- FIX: Fixed redirection issues.

WCLS (Wildcat! List Server)


- ENH: When creating a list digest, the following list options will be
       set or unset:

        [_] Allow Posting
        [X] Add Subject List Tag
        [_] Allow Attachments
        [X] Strip HTML

- NEW: Added a Captcha to the list subscription template.  This may be
       required by some new RBL sites that check whether your subscription
       module can be exploited by robots.  The Captcha helps prevent robots
       from subscribing addresses.

- NEW: Prepared the templates for Mobile GUI. Note this is not complete
       but we are getting there with smart phones with HTML5. Try using
       the WCLS subscriptions pages to see how they work via your Smart
       phone or tablet.

- ENH: Automatic check for ADSP and DMARC policies.

       Each mailing list will, by default, have a new option "CheckADSP"
       (Check Author Domain Signing Policy) enabled.

       To turn this off, edit/add the following [DKIM] section to the
       specific list's wclsdata\list\*.list file:

       [DKIM]
       CheckADSP=0

       ADSP stands for "Author Domain Signing Practices" (IETF RFC 5617).
       It is both a specific protocol and a concept in DKIM author domain
       policy modeling.  DMARC is a separate protocol, but it carries the
       same ADSP concept, the same basic idea of protecting the author
       domain.  (RFC 5617 has since been moved to Historic status; in
       practice DMARC is the policy you will meet, but the check covers
       both.)

       The purpose of CheckADSP is to check for restrictive ADSP or
       DMARC DNS record policies for the domain attempting to subscribe
       or post mail into a list.

       When CheckADSP=1, a user from a restrictive domain, such as
       yahoo.com, will not be allowed to subscribe and/or post mail for
       distribution.   The exception is list digests: since these are
       read-only distributions, all digest members are allowed to post
       mail in a digest list.

       Without this ADSP/DMARC check, a message submitted to a list from
       a restrictive domain can cause a major problem: the list
       redistributes it from the list server, the receivers that perform
       ADSP/DMARC checks reject it, and the resulting delivery failures
       deactivate all the subscribers at those receivers.

       WCLS now includes a new SMTPFILTER-LISTCHECKER.WCX which is used
       to stop users from restrictive domains posting to a mailing list.

       NOTE: At this time, wcListServer.exe does not do any ADSP/DMARC
       specific controls, but it will in the future.  This will allow
       users from restricted domains to be subscribed read-only, with no
       posting allowed.
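The decision CheckADSP makes, as an added Python example (this is not wcListServer or SMTPFILTER-LISTCHECKER code). DNS is replaced by a constructed table of TXT records so it runs offline; the record contents, including the yahoo.com one, are made up for the example. Lookups use the real record locations, _dmarc.<domain> and _adsp._domainkey.<domain>; DMARC's organisational-domain fallback is approximated by trying one label up and honouring sp=, where a real implementation would consult the Public Suffix List.

```python
"""Added example: is a sender domain's ADSP/DMARC policy restrictive?
Not wcListServer code; the TXT table below is constructed, not real DNS."""
from typing import Dict, Optional

# Constructed TXT records keyed by owner name (not real DNS data).
TXT = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=quarantine; rua=mailto:x@example.invalid",
    "_adsp._domainkey.legacy.example": "dkim=discardable",
    "_dmarc.corp.example.net": "v=DMARC1; p=quarantine; pct=50",
}

RESTRICTIVE_DMARC = {"quarantine", "reject"}
RESTRICTIVE_ADSP = {"discardable"}   # RFC 5617 "all" asks for signing, not discarding


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict with lower-cased keys and values."""
    tags = {}
    for part in record.split(";"):
        key, eq, value = part.strip().partition("=")
        if eq:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_policy(domain: str, txt: Dict[str, str]) -> Optional[str]:
    """Effective DMARC policy for `domain`: its own p=, else the parent's
    sp= (falling back to the parent's p=). None if no record applies."""
    rec = txt.get("_dmarc." + domain)
    if rec is not None:
        tags = parse_tags(rec)
        if tags.get("v") == "dmarc1" and "p" in tags:
            return tags["p"]
    parent = domain.partition(".")[2]
    if "." in parent:             # stop before a bare TLD
        rec = txt.get("_dmarc." + parent)
        if rec is not None:
            tags = parse_tags(rec)
            if tags.get("v") == "dmarc1" and "p" in tags:
                return tags.get("sp", tags["p"])
    return None


def adsp_policy(domain: str, txt: Dict[str, str]) -> Optional[str]:
    """The dkim= practice from the domain's ADSP record, if any."""
    rec = txt.get("_adsp._domainkey." + domain)
    return parse_tags(rec).get("dkim") if rec is not None else None


def is_restrictive(address: str, txt: Dict[str, str] = TXT) -> bool:
    """CheckADSP-style decision for one author address. A pct= below 100
    still counts as restrictive: some of that domain's relayed mail will be
    rejected downstream, which is enough to trigger subscriber deactivation."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        raise ValueError("no domain in address: " + address)
    if dmarc_policy(domain, txt) in RESTRICTIVE_DMARC:
        return True
    return adsp_policy(domain, txt) in RESTRICTIVE_ADSP


def list_action(address: str, is_digest: bool, txt: Dict[str, str] = TXT) -> str:
    """Digest lists are the exception noted above and are never blocked;
    otherwise a restrictive domain is refused subscription/posting."""
    if is_digest or not is_restrictive(address, txt):
        return "allow"
    return "refuse"


if __name__ == "__main__":
    for addr in ("user@yahoo.com", "user@example.org", "user@sub.example.org"):
        print(addr, list_action(addr, is_digest=False), "(digest:", list_action(addr, True) + ")")
```

Note that p=none is deliberately not treated as restrictive: the domain owner is only monitoring, and relayed mail will still be delivered.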

- NEW: New options were added to the CLI utility wcladmin.exe:

       The complete CLI options are:

       -e [listname]                - export members in listname (default all lists)
       -i filename                  - import formatted text file.
                                      (use -e to redirect export to file name)
       -ip listname filename        - import Plain text file of addresses into list
       -d listname [members]        - delete member(s) in list.
       -l [listname]                - show list names and description
       -L [listname]                - show detail list information
       -s listname [members]        - show members active/inactive status in listname
       -si listname [members]       - show Inactive members in listname
       -sa listname [members]       - show Active members in listname
       -a listname [members]        - make member(s) active in listname
       -a- listname members         - make member(s) inactive in listname
       -show flag listname members  - show flag in list for members
                                      flag: *|nopost|adminhold|nosend|inactive
       -set flag listname members   - set flag in list for members
                                      flag: nopost|adminhold|nosend|inactive
       -unset flag listname members - unset flag in listname for members
                                      flag: nopost|adminhold|nosend|inactive
       -sql [listname]              - create SQL Insert statements for list members
       -rep listname [fields]       - table report of list fields, use -rep for more help

       The new options for this release are:

       -l [listname]                - show list names and description
       -L [listname]                - show detail list information
       -s listname [members]        - show members active/inactive status in listname
       -sa listname [members]       - show Active members in listname
       -a- listname members         - make member(s) inactive in listname
       -show flag listname members  - show flag in list for members
                                      flag: *|nopost|adminhold|nosend|inactive
       -set flag listname members   - set flag in list for members
                                      flag: nopost|adminhold|nosend|inactive
       -unset flag listname members - unset flag in listname for members
                                      flag: nopost|adminhold|nosend|inactive

       The -l option will show the list names and description. The -L
       option will show the list name, description and options.

       The -s option will show the member active/inactive status and the
       -sa option will show the active members to augment the -si option
       which shows the inactive members.

       While the -a option made the member active, the -a- will make the
       member inactive.

       The -show option will show the flags for members in the list. The
       flag can be:

           inactive        The member is inactive.
           adminhold       The member is on hold, can't post or get mail.
           nopost          Don't allow member to post mail
           nosend          Don't Send Mail to member in distribution
           *               Show all flags (for -show only)

       You can now -set or -unset a flag for a member in a list.

       The listname and members parameters can now be wildcards, examples:

       wcladmin -l list-*             Show list names that begin with "list-"
       wcladmin -s * *@yahoo.com      Show the status of all yahoo.com users in all lists.
       wcladmin -show * winserver *   Show the flags for members in list winserver

       How to use the new flag options, -show, -set and -unset:

       In the past, wcladmin only allowed you to re-activate a member that
       had automatically been set inactive by wcSMTP when it failed to
       deliver mail to the user.  With the updated wcladmin, you can also
       deactivate a member with the -a- option (or -set inactive) and
       reactivate with -a (or -unset inactive).

       WCLS provided other useful flags which were managed via the WCLS
       Setup User Editor, or by exporting and importing the records via
       wcladmin.

       wcladmin now gives access to the following flags and database fields:

         --------------    -------------------------   -----------------------
            wcladmin
         set/unset flag    Database Field Name         Comment
         --------------    -------------------------   -----------------------
         inactive          TDistribList.Inactive       Member is inactive
         adminhold         TDistribList.AdminHold      No posting/sending
         nopost            TDistribList.NoPosting      no posting allowed by member
         nosend            TDistribList.DontSendMail   don't send mail to member

       Use the flags to control which members should not be sent mail or
       should not be allowed to post.

       example:  Put the members from example.com in all lists on
                 administrative hold

       wcladmin -set adminhold  * *@example.com

WCTOOLS (Wildcat! Utilities)


- NEW: New utility ListUsers.exe

       Listusers.exe is a CLI (command line interface, console) utility to
       list your Wildcat! users. You can create table displays showing
       various user fields.

       To see the command line options, type ListUsers /?

       ListUsers v3.4 for v7.0.454.6 (c) copyright 1998-2016 by Santronics Software Inc.
       usage: listusers [options] [user_name_search_spec]

         /server:cmp  connect to specific server computer name

         /sort:id     sort by user id (default)
         /sort:name   sort by user name
         /sort:lname  sort by user last name
         /sort:lcall  sort by user last call
         /sort:sec    sort by user's primary security profile

         /email       show email address (extended field)
         /pop         show pop3snoop (extended field)
         /lc          show last call
         /fc          show first call
         /ps          show password state
         /pd          show password change date
         /to          show times on
         /tl          show time left
         /pn          show phone number
         /ed          show expire date
         /bd          show birth date
         /lho         show logon hours override flag
         /sb          show subscription balance
         /nb          show netmail balance
         /uv[:NRPV]   show users validation. Filter it with NRPV flags
                      N-None, R-Validation Required, P-Prevalidated or V-Validated
       
       A few examples:

       Listusers                displays user id, name and security.

       Listusers "* smith"      displays users with last name smith

       Listusers /lc "*@*"      displays last call for users whose login name is an email address

       Listusers /uv:rp         shows users whose validation is Required (R) or Prevalidated (P)

       listusers /tl /lc        shows users' time left and last call

       listusers /email         shows users' email address, if any