Let’s Encrypt revoking some certificates – Check to see if you are impacted

Are you using Let’s Encrypt with MDaemon or SecurityGateway (or anywhere else)? If so, great! But due to a bug re-validating CAA records, Let’s Encrypt will be revoking a subset of otherwise valid certificates. This bug has existed since 2019-07 and therefore could apply to any certificate issued prior to the fix which was applied 2020-02-29.

So what should you do? Well, luckily there is a tool to check your certificate, so you should check to see if your certificate is being revoked and if so, issue a new certificate as quickly as possible.

Modern browsers don’t check certificate revocations immediately or on all requests, so just because your browser works does not mean there is no impact! If your certificate is revoked you may see an impact some time in the next week or so, or you might not see it at all while users of other operation system / browser / client combinations may have a different experience.

Use received date instead of date header

By default WorldClient uses the “Date” header of inbound mail rather then the time/date when the message was received. This is normally desired as it allows the receiver to see the order messages were sent, even if some mail was delayed in transit.

However, with spammers and other nefarious individuals being able to tamper with Date headers, this is not always desired and some even consider this a security issue in that it allows a sender to lie about when a message was sent.

There is a switch in WorldClient to tell WorldClient to use the timestamp when the message was retrieved, rather then relying on the date header, if you so desire:

In the WorldClient.ini file, [Special] section, look for the following key:

UseReceivedDate=No

If you set that to “Yes” then it will use the date your mailserver received the message rather then the Date header.  However, in the case of MultiPOP’d mail, it will actually list the date/time that MultiPOP retrieved the article, so it loses some effectiveness.

Note that if you change this switch, it will only apply to newly received messages.  Messages which have already been received will still use the “Date” header. Delete your “message.idx” files to cause WorldClient to rebuild it’s indexes.

Also note that this only applies to WorldClient, POP mail clients can do whatever they want, and IMAP exposes both dates to clients allowing clients to display either or both dates, depending on the client’s capabilities.

Disable WorldClient language and Theme selector

Some users want to completely disable the new option available to users to pick their language & theme at the WorldClient login.

This is an easy one, add either or both of these items into the [Default:Settings] section of \MDaemon\WorldClient\domains.ini:

HideLoginLanguage=Yes
HideLoginTheme=Yes

Note that users can still change their language and theme from within WorldClient’s option page as was possible prior to MDaemon 10.