New Appliance Release 15.0.5

A new SEPPmail Appliance release has been published.

Admin:

Fixed an issue where a CSR could not be displayed in the detail view
Enforce new admin password after initial login
Check that the private key and the certificate match when importing an SSL certificate that was issued on the basis of a generated CSR
Disable all DNS local zone input fields if “Use DHCP settings” is selected

System Services:

Clustering:

Logging:

MPKI:

OpenPGP:

RestAPI:

Fixed an issue in the /mailsystem/template endpoint when adding templates/disclaimers
Fixed an issue in the /system/dns/localzones/{domainName} endpoint with the DELETE operation
Fixed an issue with setting a customer’s maximumEncryptionLicenses and maximumLFTLicenses settings
Fixed an issue with an empty response for Crypto/Keymaterial
Fixed an issue when creating a webmail user
Fixed an issue with a path parameter in PUT and DELETE of endpoint /mailsystem/manageddomain/{domainName}/group/{groupName}

Security:

Fixed a possible path traversal vulnerability in PDF generation, found by Infoguard (CVE-2026-8811)
- With the same vulnerability disclosure, Infoguard found some SSH configuration issues for our update server.
Base64-encode all PGP decrypted content to prevent MIME structure injection
Refactor the hashencrypt function, used by pwsend and cache mode, to use AES-256-CBC with PBKDF2 (CVE pending)
- Since we already had planned the refactoring, this function was also criticised by ETH.

Webmail (GINA):

Fixed an issue in the webmail password reset process
Use PBKDF2-512 as password hashing algorithm (CVE pending)
- The old hashing algorithm was criticised in the ETH findings

Please see the revision history and the extended release notes for further details.

May 30, 2026 · 15:33 CEST