Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Transparent HTTPS proxying with chromium-based browsers

Starting with Chromium 124, it was no longer possible to access web pages via transparent HTTPS proxying with Chromium-based browsers such as Chrome or Edge.

Damaged mail headers in S/MIME gateway

In release 7.2-1.5, modifying long subject lines and the content type of a message inserted a control character that resulted in a truncated subject or a failure to decrypt on some systems.

Automatic certificate management

Customers that need to purchase lots of certificates (e.g. when using the S/MIME gateway) can now automate the process of requesting and renewing certificates via the managed PKI interface (MPKI) of a CA. This new feature is still experimental and currently supports SwissSign only. We are happy to add further CAs. All we need is an interface description and a test account.

Additional categories for the commercial URL filter

We've added the categories Alcohol, Softdrugs, Parked domains and AI chatbots.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, IPsec server, web proxy, DNS and system libraries.

Avira antivirus

Minor bugfixes and improvements

DMARC verification of inbound mails

In addition to SPF, DMARC verification is now also available for mails received from the Internet with SMTP. DMARC combines SPF with DKIM. The check is successful if either the SPF or the DKIM check succeeds and, in addition, the sender address as displayed by the user's mail program ("From" header) matches the SPF or DKIM domain respectively. As with SPF, it's the owner of a domain who decides if recipients of mails from this domain can perform a DKIM check and what to do in case of a failure: reject the mail, treat it as potential spam or just let it pass.
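The DMARC decision described above, as an added example (not DEFENDO's code): SPF or DKIM must pass, and the domain that passed must align with the domain of the "From" header the user sees. The alignment modes and the fallback to the organizational domain follow RFC 7489; the DMARC records and message details are constructed sample data looked up from a dictionary instead of DNS, and the two-label organizational-domain rule is a simplification (a real check consults the Public Suffix List).

```python
"""Added example: DMARC evaluation from SPF and DKIM results plus alignment."""
import re

# Constructed DMARC records, keyed by the DNS name a real check would query.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    a production implementation consults the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def from_domain_of(from_header):
    """Extract the domain from a From header such as 'Alice <alice@example.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return match.group(1).lower() if match else None


def lookup_record(from_domain, records):
    """Query _dmarc.<From domain>, then fall back to the organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        txt = records.get("_dmarc." + name)
        if txt:
            rec = parse_dmarc_record(txt)
            if rec:
                return rec
    return None


def evaluate_dmarc(from_header, spf_result, spf_domain, dkim_result, dkim_domain,
                   records=DMARC_RECORDS):
    """Return (verdict, policy). verdict is 'pass', 'fail', or 'none' when the
    sender publishes no DMARC record; policy is the action the owner requested
    (p= tag: none, quarantine or reject), or None without a record."""
    from_domain = from_domain_of(from_header)
    if from_domain is None:
        return "fail", None          # no usable From domain: nothing can align
    rec = lookup_record(from_domain, records)
    if rec is None:
        return "none", None
    # spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    # dkim_domain is the d= tag of the signature that verified.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    return ("pass" if (spf_ok or dkim_ok) else "fail"), rec["p"]


if __name__ == "__main__":
    # Forwarded-style message: SPF fails on the forwarder, DKIM still aligns.
    print(evaluate_dmarc("Bob <bob@example.net>", "fail", "fwd.example", "pass", "example.net"))
```

The second return value is what a gateway acts on: with `p=reject` a failing message is refused, with `p=quarantine` it is treated as potential spam, and with `p=none` it is delivered and only reported.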

Options for retrieving and sending mails

To better support medical practices that want to use the mail server anti-malware options also for KIM mails (Kommunikation im Medizinwesen), several configuration options have been added. This should allow connecting with all kinds and configurations of KIM client modules. In the POP client you can now add a client certificate, and the server port (here: the port of the KIM client module) is freely configurable. For outbound mails it is also possible to adjust the server port (KIM client module) freely. In addition, SMTPS is now also supported for outbound connections, and you can configure login credentials when routing an external domain (here: kim.telematik).

Scheduled mailbackup by user

Previously a backup of the local mailboxes was always stored as a single large file. In order to use less storage while creating the backup, you can now choose to store one file per user account.

Interruptions of Windows IKEv2 IPsec connections

Clients were disconnected during re-keying that typically occurs after one hour.

Download of URL filter lists in UTF-8 encoding

Previously the import of UTF-8 encoded lists failed.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

DKIM signatures for emails

Outbound mails can now be signed with DKIM. To configure this feature, add a new entry of type "RSA key (SSH, DKIM)" to the keyring and generate a new key. Publish the public key in the DNS of the domain you want to sign. Finally associate the key with the domain in the domain configuration of the mail server and outbound mails will be signed. Have you configured SPF in the DNS of the domain? Then you could also add a DMARC record now.
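The DNS side of the steps above, as an added example (not DEFENDO's code): turning an exported RSA public key into the DKIM TXT record for the selector, splitting it into the 255-character strings a TXT record allows, and producing the DMARC record the last sentence suggests. The selector name, domain and report address are assumed values, and the public key is a constructed placeholder with the shape of a 2048-bit key, not real key material; the TXT tag format follows RFC 6376.

```python
"""Added example: build the DKIM and DMARC DNS records for a signing domain."""
import textwrap

SELECTOR = "mail2024"      # assumed selector; any DNS label the owner chooses
DOMAIN = "example.com"     # assumed signing domain
RUA = "dmarc@example.com"  # assumed mailbox for DMARC aggregate reports

# Constructed placeholder in the shape of an exported 2048-bit RSA public key
# (PEM "PUBLIC KEY" block). The base64 body is filler, not key material;
# replace it with the public key exported from the keyring entry.
PLACEHOLDER_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "Q" * 342 + "IDAQAB"
PUBLIC_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                  + "\n".join(textwrap.wrap(PLACEHOLDER_B64, 64))
                  + "\n-----END PUBLIC KEY-----\n")


def pem_to_p_tag(pem):
    """Strip the PEM armor and line breaks: DKIM wants the bare base64 SPKI in p=."""
    body = [line.strip() for line in pem.splitlines()
            if line.strip() and not line.startswith("-----")]
    return "".join(body)


def dkim_txt_value(pem):
    """Record content for an RSA key; 'v=DKIM1' and 'k=rsa' are the RFC 6376 tags."""
    return "v=DKIM1; k=rsa; p=" + pem_to_p_tag(pem)


def dkim_record_name(selector, domain):
    """Verifiers query <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def split_txt(value, limit=255):
    """A single TXT string holds at most 255 bytes, so any 2048-bit key must be
    published as several quoted strings, which resolvers concatenate again."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_lines(selector, domain, pem, rua):
    """Zone-file lines for the DKIM key and a monitoring-only DMARC record."""
    dkim_strings = " ".join(f'"{chunk}"' for chunk in split_txt(dkim_txt_value(pem)))
    dmarc = f"v=DMARC1; p=none; rua=mailto:{rua}"
    return [
        f"{dkim_record_name(selector, domain)}. IN TXT ( {dkim_strings} )",
        f'_dmarc.{domain}. IN TXT "{dmarc}"',
    ]


if __name__ == "__main__":
    for line in zone_lines(SELECTOR, DOMAIN, PUBLIC_KEY_PEM, RUA):
        print(line)
```

Starting DMARC with `p=none` and a `rua=` address is deliberate: the aggregate reports show which legitimate senders still lack SPF or DKIM alignment before the policy is tightened to `quarantine` or `reject`.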

Wizard for adding Wireguard clients

Previously a common wizard for adding both a router and a client was available. Due to frequent misconfigurations we have now added a dedicated wizard for adding clients.

Security fixes in several components

The update fixes less critical security vulnerabilities in the Linux kernel, the SSH server and system libraries.

Cluster service

Minor bugfixes and improvements

Several bugfixes for IPsec in 7.2 releases

In specific configurations of IPsec connections via an ADSL interface a route was missing after the re-connect of the ADSL line. So even though the IPsec connection was up, no data was transmitted.
Transparent proxying on IPsec interfaces worked only when configured with DNAT rules; enabling the checkboxes had no effect.
IKEv2 connections to peers behind a NAT router were not re-negotiated by Dead Peer Detection when the IP of the NAT router changed.

Web proxy crash

The update fixes a crash that could have been triggered by a malicious web server.

New OpenVPN release

A new OpenVPN version is installed with this update. Please note that the new release requires a sufficiently large netmask for the transfer network. The netmasks 255.255.255.252 and 255.255.255.248 are no longer acceptable. The default 255.255.255.0 is more than sufficient.

OpenVPN password authentication

One-time passwords used to be the only user authentication method for the OpenVPN server. From now on it is also possible to authenticate with just the user password or with both the user password and a one-time password.

Individual credentials for submitting outbound mails to provider relay

You can now configure individual SMTP credentials by sender address (envelope from) for submitting outbound mails to a provider relay.

DHCP server support for indirect networks

The IPv4 DHCP server now supports networks that have to connect via a DHCP relay.

Network 239.255.255.0/24 on bridged interfaces

It is no longer necessary to configure a route to accept multicast packets to IPs from network 239.255.255.0/24.

Various system components

Among others, the web server and the archive tool tar are updated. The security vulnerabilities that have been fixed are located in unused subcomponents.

Minor bugfixes and improvements

IPsec L2TP and IPsec with IPComp compression

In some environments IPsec L2TP packets were sporadically misrouted. With IPsec compression enabled, some packets were mistakenly dropped by the firewall.

Making use of the Windows certificate store with OpenVPN

New types of the Windows installation packages for OpenVPN store the key pair in the Windows certificate store. For normal connections the user certificate store is used. PLAP/SBL (Start before Login) packages have to add the key to the machine certificate store.

Automatic download of URL lists

Maintaining or importing data into URL filter lists used to be a manual task. Now it is possible to automatically download URL lists from a web server. The lists may include whole domains, URLs, IP addresses and patterns such as "example.*".
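A loader and matcher for a list of the kind described above, as an added example that is not DEFENDO's code and does not document the product's own list semantics. The four entry kinds come from the text; how each is matched is an assumption made for the example: a domain entry covers the host and its subdomains, an IP entry may be a single address or a CIDR range, a pattern such as "example.*" is a shell-style wildcard over the host name, and a URL entry matches a host plus a path prefix. The sample list is constructed.

```python
"""Added example: classify URL filter list entries and match requests against them."""
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list with the four entry kinds named in the text.
# Assumption for the example: blank lines and '#' comments are ignored.
SAMPLE_LIST = """# constructed sample list
bad.example
www.ads.example/track/
198.51.100.7
192.0.2.0/24
example.*
http://mirror.example/pub/malware.exe
"""


def _split_url_entry(entry):
    """'host/path' or 'scheme://host/path' -> (host, path prefix)."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    return (parts.hostname or "").lower().rstrip("."), parts.path or "/"


def classify(entry):
    """Return (kind, value) where kind is 'ip', 'url', 'pattern' or 'domain'."""
    try:
        return "ip", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    if "://" in entry or "/" in entry:
        return "url", _split_url_entry(entry)
    if "*" in entry:
        return "pattern", entry.lower()
    return "domain", entry.lower().rstrip(".")


def load_list(text):
    """Parse list text into classified rules, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(classify(line))
    return rules


def matches(rules, url):
    """True if the request URL is covered by any rule in the list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    try:
        addr = ipaddress.ip_address(host)   # only set when the host is a literal IP
    except ValueError:
        addr = None
    for kind, value in rules:
        if kind == "ip" and addr is not None and addr in value:
            return True
        # 'bad.example' covers bad.example and *.bad.example, not notbad.example
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return True
        if kind == "pattern" and fnmatch.fnmatchcase(host, value):
            return True
        if kind == "url" and host == value[0] and path.startswith(value[1]):
            return True
    return False


if __name__ == "__main__":
    rules = load_list(SAMPLE_LIST)
    for u in ("http://bad.example/", "http://www.ads.example/home", "https://example.org/"):
        print(u, "blocked" if matches(rules, u) else "allowed")
```

The domain rule deliberately requires a label boundary (`host == value` or a `.value` suffix) so that an entry for `bad.example` cannot accidentally cover `notbad.example`; a plain suffix test is a common source of both over-blocking and bypasses.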

Minor bugfixes and improvements

Security vulnerabilities in web proxy

Several vulnerabilities have been fixed in the web proxy. The most critical one allows an attacker to execute code on the device, provided user authentication with the digest algorithm is enabled. Another critical vulnerability allowed smuggling of requests or responses through the proxy by sending contradictory meta information.

IPsec connections to clients

In version 7.2-1.0 connections of type "Windows IKEv2" failed to be loaded due to an error in the configuration template. The same happened for connections of type "Client" if the IKEv2 protocol was selected and no virtual IP was configured.
When downloading a setup package for Windows IPsec-L2TP (Powershell) a setup package for Windows IKEv2 was delivered.

Wireguard DNS suffix

While preparing a Wireguard configuration for the peer, you can now include a DNS suffix.

Minor bugfixes and improvements

Secure

DEFENDO brings together a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti-spam system and makes them interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO is suited to simple Internet connections of small companies, to headquarters / branch office WANs, as well as to complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany