2020 Archive

SFTPPlus Release 4.8.0

Thu 19 November 2020 | general release

We are announcing the latest release of SFTPPlus version 4.8.0.

New Features

  • The embedded OpenSSL libraries used on Windows, macOS, and generic Linux were updated to version 1.1.1h. [#5496]
  • You can now configure an overwrite rule for the file dispatcher event handler. [#5510-1]
  • You can now configure the file dispatcher event handler to copy a file using a temporary name and then rename it to the original name at the end of the transfer. [#5510]

Defect Fixes

  • The states for authentication methods are now correctly displayed in the Local Manager GUI. This regression was introduced in version 3.51.0. Since then, their states were always shown as disabled. [#5458]
  • When a transfer is configured with a stable_interval value lower than the value of changes_poll_interval, the stable_interval value is ignored. The number of seconds used is 1 more than what is set for changes_poll_interval. [client-side][#5496]

You can check the full release notes here.

• • •

SFTPPlus Release 4.7.0

Thu 05 November 2020 | general release

We are announcing the latest release of SFTPPlus version 4.7.0.

New Features

  • You can now configure the PGP and archive extraction event handlers using an event that has a list of files attached. [#5502]
  • The PGP and extract archive event handlers can now be configured to overwrite an existing destination. [#5503]
  • A new event handler was added to allow creating ZIP archives. [#5504]

Defect Fixes

  • A typo was fixed in the name of the configuration for {day.of_year_padded}. In previous versions, it was defined as day.of_year_paddedd. [#5504]
  • The SFTPPlus Windows Service manager was updated so that it no longer depends on the .NET framework.

You can check the full release notes here.

• • •

SFTPPlus Release 4.6.0

Fri 02 October 2020 | general release

We are announcing the latest release of SFTPPlus version 4.6.0.

New Features

  • You can now configure a file-dispatcher event handler to retry the processing of a file. [#5302]
  • The generic Linux package has been re-based on glibc version 2.5 to cover older distributions, including (but not limited to) Red Hat Enterprise Linux 5.11. [#5453]
  • You can now start the SysV init script and the OpenRC service file in debug mode using the "debug" option. [#5474]
  • Running multiple concurrent SFTPPlus instances from the same installation path is now documented for all Linux init systems. A simplified SysV init script for running multiple concurrent instances from the same installation path has been added and documented. [#5477]
  • You can now convert SSL files from PFX / P12 files to PEM format using the web management GUI. [#5489]

Defect Fixes

  • An internal error is no longer generated when the FTP command channels times out before the command channel. [server-side][ftp] [#5467-1]
  • The ProxyProtocol v2 support now works with FTPS explicit and implicit protocols. In the previous version, the Proxy Protocol was only supported for FTP. [server-side][ftp] [#5467-2]
  • A transfer no longer fails when the source detects a path with multiple operations on the same node id. [#5468-1]
  • An internal error is no longer generated when starting an FTP service without allowing any authentication credential type. [ftp][ftps][server-side] [#5476-1]
  • An internal error is no longer generated when starting an FTP service without a password-based authentication type. [ftp][server-side] [#5476-2]
  • When failing to allocate a new passive port, the error message now contains the error details provided by the operating system. [ftp][ftps][server-side] [#5476]
  • When failing to read the configuration file at startup, an error is now visible. [#5479]
  • A security issue was fixed where SFTPPlus was not checking if the remote peer has a copy of the private key when using the HTTP authentication method together with SSH key authentication. This security issue only affects SSH key authentication when using the external HTTP authentication method. It does not affect SSH key authentication when using the embedded SFTPPlus credentials validation. [server-side][sftp][scp][security] [#5480]
  • Local Manager's user interface for the OS authentication method was updated to inform that all OS accounts are denied access when no OS group is configured. [server-side] [#5483]
  • An internal error is no longer raised when trying to directly access the HTTP service login URL while already authenticated. [server-side][http][https] [#5487]

Deprecations and Removals

  • Event with ID 50012 emitted by the Local Manager web interface was removed. It was replaced by the generic event with ID 50003, which is raised when failing to apply a configuration change request. [local-manager] [#5476-1]
  • Event with ID 20041 was removed as it is now redundant and never emitted. [server-side] [#5476-2]
  • The events with ID 10017 and 10018, emitted by the FTP service for an invalid configuration, were removed and replaced by the generic event ID 20158 emitted when a service fails to start. [ftp][ftps][server-side] [#5476]
  • Events with ID 30069 and 30070 were removed and replaced with the event ID 30007, which is emitted for any error that occurred during the SSH authentication protocol. [server-side][sftp][scp] [#5480]
  • Event with ID 50024 was removed and was replaced by ID 50023, which is emitted when an administrator request fails via the web based GUI. [#5489]

You can check the full release notes here.

• • •

SFTPPlus Release 4.5.0

Fri 04 September 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.5.0.

This is an important release in which we have introduced support for the AS2 file transfer protocol and the ProxyProtocol v2 proxy protocol.

New Features

  • The HTTP/HTTPS file transfer services can now receive files using the Applicability Statement 2 (AS2) protocol. [server-side][http][https]. [#4568][#1059][#1308]
  • You can now configure a transfer to send files to a remote AS2 location. [client-side][http][https][as2] [#221]
  • You can now configure virtual folders directly into the account configuration. In previous versions, virtual folders could only be configured at the group level for SFTPPlus embedded accounts. [server-side] [#5460]
  • You can now configure whether an HTTP authentication method will validate or not its URL configuration at startup. [server-side] [#5466]
  • The file transfer service can now handle new connections made using the Proxy Protocol version 2. This is done automatically without any extra configuration. [server-side][ftp][ftps][sftp][scp] [#5467]
  • The data for the emitted events now contain the filename and directory name as separate members for the associated file. [#5469]
  • When creating a matching expression based on the globbing rules, you can now use the exclamation mark to reverse the meaning of the expression. This can be used to define exclusion rules. [#5473]

Defect Fixes

  • An internal error is no longer raised when the FTP server is in debug mode and received commands with non-ASCII values. [server-side][ftp] [#5467]
  • A transfer no longer fails when the source detects 2 paths created at the same time for the same node id. [#5468]

You can check the full release notes here.

• • •

SFTPPlus Release 4.4.0

Thu 06 August 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.4.0.

New Features

  • You can now define filtering expressions based on current date and time. [#5450]
  • You can now configure extra HTTP headers to be sent with the requests made by the HTTP Authentication method. [server-side] [#5456]

Defect Fixes

  • If during the file transfer the source or destination locations are no longer available, the transfer will now be paused and will automatically resume once the locations are available. [client-side] [#5443]
  • When the destination location for a transfer is not available, the files found in the source are queued and will be transferred as soon as the location is available again. In previous versions, a manual restart of the transfer was required to transfer the queued files. [client-side] [#5444]
  • You can now use virtual directories together with the SFTP protocol. Due to a defect in previous versions, the virtual directories were only available via the FTP/FTPS and HTTP/HTTPS protocols. [server-side][sftp] [#5457]

You can check the full release notes here.

• • •

SFTPPlus Release 4.3.0

Tue 21 July 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.3.0.

New Features

  • You can now generate a self-signed certificate using the admin-command command line tool. [#239]
  • You can now configure the URL suffix used for the HTTP/HTTPS public access. [server-side][http][https] [#2586]
  • SFTPPlus can now use unencrypted OpenSSH RSA or DSA private keys stored as the openssh-key-v1 format. [sftp][scp] [#5435-1]
  • Alpine Linux 3.12 on x86_64 is now a supported platform. [#5435]
  • The event with ID 50005 emitted when a configuration change is requested from the Local Manager now includes the UUID of the newly created component. [local-manager] [#5439]
  • Red Hat Enterprise Linux 5 was added as a platform with limited support. RHEL5 will reach end of life in November 2020. Contact us if you need to run SFTPPlus on RHEL5. [#5448]

Defect Fixes

  • You can now use SFTPPlus on localized Windows versions. In previous versions, SFTPPlus was only working when English was the main language. [windows] [#1446]
  • You can now run SFTPPlus on Linux from an installation path containing Unicode/non-ASCII characters. [linux] [#2074]
  • Redirecting to directory paths containing Unicode characters no longer generates an internal server error. [server-side][http][https] [#2586]
  • When a file scheduled to be transferred is removed from source, transfer attempts will no longer occur for it. [client-side] [#3796-1]
  • When a file scheduled to be transferred is modified while waiting in the queue, transfer attempts will no longer occur for it. [client-side] [#3796]
  • When a transfer is manually stopped, pending retry attempts are canceled. In previous versions, the transfer of the latest file was still retried. [client-side] [#5390]
  • To reduce temporary memory allocations for running external processes, they are now executed by a dedicated process. [#5407]
  • Waiting for a file to be retried will not block the other files queued for the transfer. [client-side] [#5436]
  • A transfer is no longer retried and fails right away if the source file no longer exists on the source location. [client-side] [#5438]
  • Microsoft Certificate Authority root certificates were updated to include the new DigiCert SHA2 Secure Server CA used for Microsoft's login page. [client-side][sharepoint]. [#855]
  • The SysV init script properly manages the SFTPPlus daemon process again. This regression was introduced in version 4.2.0. [linux][#5446]
  • Self-signed certificates automatically created when initializing configuration are no longer created with Version 3. This fixes an error raised by latest Chrome-based browsers which resulted in rejecting HTTPS connections using these certificates. [https][#5446]

You can check the full release notes here.

• • •

Alternative to DWP EDI PGP Secure Email

Thu 09 July 2020 | email compliance

The Department for Work and Pensions (DWP) is the British government department responsible for welfare and pension policy.

DWP provides EDI (Electronic Data Interface) / EDT (Electronic Data Transfer) file exchange services with partners and service providers, including Social Housing Associations (HA), Local Authorities, Local Councils, etc.

Depending on your DWP service (like JobCentre Plus, DWP Housing, DWP Child Care), you can choose between multiple file exchange methods/interfaces.

For example, if you are a Housing Association and need to exchange documents with DWP Housing for Universal Credit Creditors or Suppliers, you have the following options:

  • EDI PGP Secure Email S/MIME
  • EDI Generic File Transfer Service (GFTS)

In this article, we describe the main benefit of using the EDI Generic File Transfer Service (GFTS) option with SFTPPlus as an Explicit FTP server over the PGP Secure Email (S/MIME) option.

Automated security

This is the main reason for using SFTPPlus. The transfer is fully automated, preventing any human errors during day-to-day operations.

SFTPPlus will check the security of the connection and will abort on error. For example, man-in-the-middle attacks are automatically detected.

This is fully automated and there is no chance for a human to press an "Ignore errors" or "Continue anyway" button and proceed with a vulnerable connection.

Support and consultancy

With SFTPPlus you will get support and consultancy from a team of secure file transfer experts, with a long-term relationship with DWP.

We will help you design and implement the secure file exchange with DWP.

DWP Code of Connection (CoCo) guidance is provided on a current ‘as is’ basis. DWP will not comment on the implementations of the individual mail solutions used by external organisations with whom DWP corresponds.

We can help you understand the CoCo document and make sure the people from your organization understand the requirements and security measures.

We have worked together with DWP and its partners for more than 15 years. We helped DWP migrate from their legacy document service and we have an excellent understanding of legacy systems.

For example, we helped with the delivery and are currently supporting the Digital Children’s Platform (DOS 012) and the data exchange between DWP and the Scottish Government.

Automated file transfer

Just drag and drop or copy a file to a local directory and SFTPPlus will take care of the secure transfer.

On errors, like connection errors or remote servers not being available due to a 10-minute maintenance window, SFTPPlus will automatically retry the delivery of the files.

If the remote service is unavailable for a long period of time, SFTPPlus can send an email notification to inform that the file was not sent.

You can then check your network connection and check with DWP to see why the service is not available.

Integration with external applications

SFTPPlus can interact and integrate with your existing business logic applications, like a data or a reporting tool.

Once a report is generated by your reporting tool, SFTPPlus will automatically pick that report and transfer it.

Data retention policy

The transferred files can be archived for a number of days.

If there was an error on the DWP-side, you can retransmit the file from the archive.

The archived files are also available to support any audit operation.

Archived files are automatically removed after a number of days, so that your archive size will not grow forever.

No external or 3rd party dependencies

You don't need to install extra PGP software.

No need to configure or modify the Windows Certificate Store.

No need for Outlook or other PGP enabled email clients.

Large file transfer

Your email server might have a limit to the size of an email message.

The majority of email servers will reject emails greater than 20MB.

Depending on the type of documents that you exchange, this might not be an issue, as you will always transfer smaller files.

Read more about securing SFTPPlus transfer options in our documentation page.

• • •

SFTPPlus Release 4.2.0

Wed 17 June 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.2.0.

New Features

  • The HTTP Post event handler can now be configured to send a set of custom headers. [#3778-1]
  • The event emitted when a file is closed for an FTP/FTPS server-side connection now contains the overall transfer speed of that file. [server-side][ftp][ftps] [#3778-2]
  • You can now send HTTP POST events using a custom format. [#3778]
  • You can now configure a delay for the execution of the dispatch-file event handler and the execution is ignored if the targeted file no longer exists after the delay. [#814]

Defect Fixes

  • When copying local files using the file-dispatcher event handler, the copies are now created without keeping the source file's attributes. This prevents creating extra file versions on a versioned filesystem. [#2042]

You can check the full release notes here.

• • •

SFTPPlus Release 4.1.0

Thu 11 June 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.1.0.

New Features

  • The LDAP authentication method now provides the option to construct the home folder path based on an LDAP attribute and a template. [server-side] [#1863-1]
  • You can now configure a default domain for LDAP users when used together with an Active Directory server. [server-side] [#1863]
  • The HTTP Request event handler can now send an event as an XML SOAP message or as a generic XML document. [#1973]
  • The SFTPPlus instance name is now visible in the Local Manager web-based administration console. [#5296]
  • You can now test the configuration of the email sender resource. [#5405-1]
  • You can now define a default list of email recipients used for sending email when there is no explicit configuration. [#5405-2]
  • You can now configure the SSL/TLS details for the email resource. [smtp][email] [#5405]
  • Destination path for a file dispatcher can now be defined based on extra event attributes other than the source path. [#55]
  • You can now configure multiple remote SSH/SFTP server identities for an SFTP location. This can be used for connecting to a disaster recovery server which uses a separate SSH identity. [client-side][sftp] [#135]

Defect Fixes

  • Firefox auto-completion no longer applies to the ssl_domain field for various services and the username and password values for email resources. [#1792]
  • The link for changing passwords is no longer visible for accounts authenticated using X.509 TLS/SSL certificates. [server-side][https] [#2828]
  • The email client resource now works with email servers over TLS 1.2. In previous versions, it was only working over older TLS versions. [#5404]

Deprecations and Removals

  • OS accounts are no longer supported on Apple macOS. [server-side] [#3135]
  • The install-service option was removed from the admin-command.bat command line tool. There is now a dedicated command named sftpplus-service.exe for managing the SFTPPlus Windows service. [windows] [#3878]
  • The legacy WebAdmin authentication method is no longer supported. If you are still using the SFTPPlus PHP Webadmin authentication, you can use the generic HTTP authentication method together with PHP WebAdmin version 1.11.0 or newer. [server-side] [#425]
  • The OS authentication method now requires explicit configuration for the allowed list of operating system groups. In previous versions, when the "allowed_groups" was not defined, the OS authentication was allowing users from any OS group. [security] [#4972]

You can check the full release notes here.

• • •

SFTPPlus Release 4.0.0

Fri 22 May 2020 | general release

We are happy to announce the latest release of SFTPPlus, version 4.0.0.

For this major release, we focused on increasing services security by introducing two-factor authentication, PGP/OpenPGP handling, and an SHA512-based scheme password upgrade, among others.

The web-based administrative interface was improved by reorganizing the menu, implementing PGP key generation and CSR creation, to name a few novelties. New tools were added, like the admin-shell command line interface.

For client transfers, there is now a single transfer type and you can change the copy or move type at any time. There are also advanced options for recursive transfers, including creating remote recursing directories and archiving files in a recursive directory structure.

Since this is a major release, some previous functionalities are no longer available. AIX, HP-UX, and Solaris are no longer among the supported operating systems. MySQL databases are no longer supported. Before proceeding with an upgrade, we recommend reviewing the "Deprecations and Removals" section below and following the upgrade instructions.

New Features

  • There is now an admin-shell command line interface that can be used to manage and configure the SFTPPlus process from the command line. It is the CLI equivalent of the Local Manager web-based GUI console. [#1158]
  • The openpgp event handler was added for encrypting and decrypting files using OpenPGP. [#1177]
  • You can now use SSL/TLS certificates to authenticate users against the HTTPS file transfer service. [server-side] [#143]
  • You can now send credentials for an account via email. [#1468]
  • You can now create PGP keys from the Local Manager web interface or the command line administrative tool. [#1591]
  • SFTPPlus administration accounts now support multi-factor authentication based on the TOTP standard. [#2000]
  • Two-factor authentication can be enabled for user accounts defined inside the SFTPPlus configuration. [#2401]
  • Logged date and time can now be formatted using ISO-8601 UTC, ISO-8601 UTC with fractional seconds, or ISO-8601 with local time. [#2919]
  • The OpenPGP event handler can now encrypt/decrypt files using asymmetric PGP keys. [#3797]
  • It is now possible to create a new Certificate Signing Request (CSR) using an existing private key. [local-manager] [#3806]
  • The Python extension event handlers can now be set up with a custom JSON-based configuration string. [#3921]
  • You can now disable the overwriting rule for a transfer destination. In this way, the file is uploaded right away, without doing any extra requests on the server. [client-side] [#4054-1]
  • Details of files transferred in the past (name, size, modified timestamp) can now be recorded to prevent transferring the exact same file more than once. [client-side] [#4369]
  • The extract-archive event handler now also supports extracting TAR, TAR.GZ, and TAR.BZ2 archives. [#495]
  • You can now configure the application authentication method to only accept members of selected groups. [server-side] [#4963]
  • Recursive transfers can now automatically create destination folders. [client-side] [#5004]
  • The SFTPPlus initialization command now also asks for initializing a custom administration password. With this change, Local Manager is now accessible by default for any IP source. [#5193]
  • Product version is no longer advertised during protocol handshake for FTP, SSH and HTTP. [#5222]
  • There is now a dedicated documentation page for macOS installations. [#5297]
  • SFTPPlus now uses by default the SHA-512 function for hashing passwords. The hash function is now configurable, and the following options are available: SHA-256, SHA-512, PBKDF2 SHA-256, PBKDF2 SHA-512. In previous versions, only SHA-256 was used. [server-side] [#5322]
  • Account names, administrator names, and passwords longer than 150 characters are no longer allowed. Passwords longer than 128 characters are no longer generated. [server-side] [#5333]
  • The extract-archive event handler now supports extracting ZIP files. [#5346]
  • For the monitor service, you can now configure the type of file operations for which to emit events. [#5347-1]
  • The local filesystem monitor service now has a new configuration option named file_age_notification. This was introduced to replace the warn_non_modified_files_interval configuration. [#5347-2]
  • The monitor service can now automatically delete old files. [#5347]
  • A new option, delete_source_on_success, is available for a transfer to configure if the file should be removed from the source directory after a successful transfer. [client-side] [#5393]
  • You can now archive files using a recursive folder structure. [client-side] [#5394]
  • The process-monitor resource was renamed as the analytics resource. It now monitors date, time, and source IP of successful authentications. [#64]
  • SFTPPlus now provides an embedded self-signed certificate which can be used as a starting point for configuring TLS-based services such as FTPS and HTTPS. This self-signed certificate is automatically used for these services if the ssl_certificate configuration option is empty. [server-side] [#723]
  • An account can now be configured to read authorized public SSH keys from any file found in a specified directory path. [server-side][scp][sftp] [#972]

Defect Fixes

  • On non-Windows systems, the extract-archive event handler can now handle paths with uppercase characters. In previous versions, it was always using lowercase characters for the destination's filename. [#1177]
  • The Windows start menu shortcut to the Local Manager page now works even when the Local Manager is configured for the 0.0.0.0 IP address. [#3030]
  • The PID file created when SFTPPlus starts in service/daemon mode is no longer readable by other system users. [linux][security] [#4402]
  • The SysV and OpenRC init scripts now work when SFTPPlus is started as root. This was a defect introduced in 3.42.0. [#4686]
  • The event with id 60005, emitted when failing to monitor the source path of a transfer, now contains the exact path which triggered the failure. In previous versions, it was only containing the base source path of the transfer. [client-side] [#5004]
  • A dedicated event is emitted when a service has no authentication method. [server-side] [#5053]
  • The SFTP file transfer service now has improved performance for directory listing when a large number of files are present. [server-side][sftp] [#57]
  • You will now receive an error at service start if the configured SSH RSA or DSA keys are of an invalid type. [server-side][scp][sftp] [#723]
  • There is now a limit of 100kB for the file containing authorized public SSH keys for an account. [security][sftp][scp][server-side] [#972]

Deprecations and Removals

  • Event with ID 20078, used to signal that a service was stopped, was removed and replaced by event with ID 20157, used when any component is stopped. [#1158-1]
  • Event with ID 20045, used to signal that a service failed to stop, was removed and replaced by events with IDs 20159 and 20185, used when any component fails to stop. [#1158-2]
  • Event with ID 20077, used to signal that a service failed to start, was removed and replaced by event with ID 20158, used when any component fails to start. [#1158-3]
  • Event with ID 20076, used to signal that a service was successfully started, was removed and replaced by event with ID 20156, used when any component is successfully started. [#1158]
  • The 'Account activity' event handler now only works with the embedded standard SQLite database. Support for MySQL databases and custom SQLite databases was removed. [#1376]
  • Event with ID 20101, emitted when the configured password is invalid, was removed. It was replaced with event with ID 20142, emitted when authentication fails. [server-side] [#2000]
  • ./bin/admin-command.sh --start is no longer supported. Use ./bin/admin-command.sh start instead. [linux][macos] [#2783]
  • The address, port, and path configuration options were removed from the Syslog event handler. They are replaced by the single url configuration option. [#2914]
  • Default format used to store log entries was changed to show date and time first. Upgrading existing installations will not automatically switch to the new logging format. [#2919]
  • Event with ID 20089, raised when trying to delete the default group, was removed and replaced with the generic event 20108, raised when trying to delete a component which is already in use. [#316-1]
  • Only one email client resource is now supported. This is the resource with UUID DEFAULT-EMAIL-CLIENT. Any other email client resource is ignored. [#316-2]
  • The email_client_resource configuration option was removed from the email-sender event handler. Emails are now sent using the default email client. [#316-3]
  • Event with ID 20063, raised when the default group is missing, was removed as SFTPPlus will automatically create the default group if missing. [#316-4]
  • Event with ID 50020, raised when SFTPPlus Local Manager failed to start a database, was removed and replaced by ID 20112. [#316-5]
  • The Past Activity page in the Local Manager web console was renamed to Activity log. [#316-6]
  • Event with ID 20163, emitted by SFTPPlus when failing to record the date and time when an account was successfully authenticated, was removed and replaced with the generic ID 20174. [#316-7]
  • Event with ID 20116, raised when failing to create a database table, was removed and replaced by ID 20112. [#316-8]
  • The database event handlers no longer use a separate database configuration. Each database event handler has now its own database file. [#3168-1]
  • SFTPPlus no longer supports MySQL databases. If you need to send events to a MySQL database, please get in touch with our support. [#3168-2]
  • Events with IDs 20161, 20162, 20164 were removed and replaced by ID 20112, used for all database errors. [#3168-3]
  • Events with ID 20112 and 20117, emitted when a DB operation fails, were removed. They were replaced with specific event ID errors for each SFTPPlus component using the DB. [#3168-4]
  • Events with IDs 50019, 50021, 50022, 50025, emitted when a Local Manager DB operation fails, were removed. They were replaced with specific event ID errors for each Local Manager operation using the DB. [#3168-5]
  • Support for the MySQL database event handler was removed. [#3168]
  • Event with ID 20160 was removed and replaced with the generic event 20165 raised when a component fails. [db] [#316]
  • The %(event_id)s variable for the email_subject configuration was removed, after being deprecated in 3.16.0. It should be replaced by the {id} variable. [#3655]
  • The amend-content event handler was removed and replaced by the python:chevah.server.extension.amend_content.RemoveLastLine extension event handler. [#3921]
  • The digital-signature-validation event handler was removed and replaced by the python:chevah.server.extension.digital_signature.ValidateCSV_RSASSA_PSS extension event handler. [#3956]
  • The rotate_each configuration option from the local-file event handler was removed and replaced with rotate_on. Existing rotate_each configurations are interpreted as rotate_on: 00:00 time-of-day. [#4351]
  • TEST_DELAY_EXECUTION is no longer supported. [server-side][sftp] [#4976]
  • Passwords stored in plain text are no longer supported. [security] [#5154]
  • Events with IDs 10029, 10058, 10060, 10067, emitted by the FTP server, were removed. They were replaced with generic events. [server-side][ftp][ftps] [#5155]
  • The configuration/ssh-service.moduli file is no longer used by the SFTP and SCP services. SFTPPlus now has an embedded list of SSH moduli, refreshed every release. [server-side][sftp][scp] [#5222]
  • Red Hat Enterprise Linux 6 (RHEL 6) is no longer supported in SFTPPlus version 4.0.0. You can continue to use latest SFTPPlus 3.x.x version with RHEL 6. [#5261-1]
  • Ubuntu Server 16.04 is no longer supported in SFTPPlus version 4.0.0. You can continue to use latest SFTPPlus version 3.x.x with this version of Ubuntu Server. [#5261-2]
  • Apple OS X 10.8 and newer Mac OS X versions up to and including macOS 10.12 are no longer supported in SFTPPlus version 4.0.0. You can continue to use latest SFTPPlus version 3.x.x for these systems. Only macOS 10.13 and newer versions are supported in SFTPPlus version 4.0.0. [#5261-4]
  • The following Unix operating systems are no longer supported starting with SFTPPlus version 4.0.0: AIX, HP-UX, Solaris. You can continue to use SFTPPlus version 3.x.x on these operating systems. [#5261]
  • The permission configuration option for an account will now have inherit as the default value. In previous versions, it was set to allow-full-control. The default configuration for a group is still allow-full-control. [server-side][security] [#5339]
  • The warn_non_modified_files_interval configuration option of the monitor service was removed and replaced with a new configuration option named file_age_notification. For backward compatibility, SFTPPlus can still read the configuration stored in warn_non_modified_files_interval, but it rewrites it as file_age_notification. [#5347]
  • The type configuration option for transfers was removed. It was replaced by the delete_source_on_success option. [#5393]
  • The execute_at_startup configuration option and functionality were removed. You can use the external-executable event handler to execute external scripts. The event with ID 20181 is emitted each time the SFTPPlus process starts. [#5413]
  • The account-activity event handler was removed. It was replaced by the process-monitor resource. [#64]
  • Event with ID 20182, emitted when an account is authenticated, was removed. Only the event with ID 20137 is now emitted on successful authentication. [#888-1]
  • Event with ID 20023, emitted when failing to read the file containing the authorized SSH keys for an account, was removed. It was replaced by the generic event with ID 20142. [#888-2]
  • Event with ID 50007, emitted when an administrator was successfully authenticated, was removed. It is replaced by the generic event with ID 20137. [#888]

You can check the full release notes here.

• • •

SFTPPlus Release 3.55.0

Tue 28 April 2020 | security release

We are announcing the latest release of SFTPPlus version 3.55.0.

This release includes a fix for a critical security issue in the Local Manager's web console GUI, introduced with SFTPPlus version 3.24.0.

The vulnerability is a local one if Local Manager only accepts local connections, as configured by default.

Your SFTPPlus setup is not affected if you are not using the default-enabled "Store in database" event handler.

In order to audit for potential security breaches, parse the log files for events with ID 50026 and check them for any unauthorized access. Unfortunately, you can only identify unauthorized access by its timestamp.

No user data or passwords can be compromised this way. The usernames and file names are found in the logs and can be exposed to unauthorized parties.

To fix this security issue, you need to upgrade SFTPPlus to version 3.55.0.

If you can't upgrade right away, you should harden the configuration by deleting the "Store in database" event handlers. If you would rather keep using this feature without updating, make sure the Local Manager is only available through secured channels such as a VPN tunnel.
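One way to run the audit described above, as an added example that is not part of the SFTPPlus release notes or the product: it pulls the events with ID 50026 out of a log and keeps those whose timestamp falls outside every period in which an administrator is known to have used the Local Manager. The log line layout, the sample lines, and the list of known administrator sessions are assumptions constructed for illustration; adjust the pattern to the format of your own log files.

```python
import re
from datetime import datetime

# Assumed line layout (not taken from the release notes):
#   "| <event id> <YYYY-MM-DD HH:MM:SS> <rest of line>"
LINE_RE = re.compile(
    r"^\|\s*(?P<id>\d+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$"
)
AUDIT_EVENT_ID = "50026"  # event ID named in the advisory


def parse_events(lines, event_id=AUDIT_EVENT_ID):
    """Yield (timestamp, rest) for every line carrying the audited event ID."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("id") == event_id:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("rest")


def unexplained(lines, known_windows):
    """Return audited events whose timestamp lies outside every known admin window."""
    return [
        (ts, rest)
        for ts, rest in parse_events(lines)
        if not any(start <= ts <= end for start, end in known_windows)
    ]


# Constructed sample log lines; the message texts are placeholders.
SAMPLE_LOG = """\
| 20137 2020-04-20 09:01:12 constructed message
| 50026 2020-04-20 09:03:40 constructed message
| 50026 2020-04-21 02:14:07 constructed message
| 50026 2020-04-21 14:30:00 constructed message
| 20181 2020-04-21 14:31:00 constructed message
""".splitlines()

# Periods when an administrator is known to have used the Local Manager
# (constructed values; take yours from change tickets or shift records).
KNOWN_WINDOWS = [
    (datetime(2020, 4, 20, 9, 0), datetime(2020, 4, 20, 10, 0)),
    (datetime(2020, 4, 21, 14, 0), datetime(2020, 4, 21, 15, 0)),
]

if __name__ == "__main__":
    for ts, rest in unexplained(SAMPLE_LOG, KNOWN_WINDOWS):
        print(f"review: {ts.isoformat(sep=' ')} {rest}")
```

Because the timestamp is the only distinguishing field, every entry this returns still needs manual review against who was on duty at that time.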

New Features

  • Ubuntu 20.04 on x86_64 is now a supported platform. [#1512]
  • The "Download as CSV" functionality from the Activity Log will now download only the entries selected by the active filters. [#4233]
  • The embedded OpenSSL libraries on Windows, generic Linux, and macOS were updated to version 1.1.1g. [#5400]
  • Red Hat Enterprise Linux 8 on X86_64 is now a supported platform. [#5324]
  • The bundled OpenSSL libraries on Windows, SLES 11, and generic Linux distributions were updated to version 1.1.1g. [#5357]

Defect Fixes

  • The "Download as CSV" link from the Local Manager no longer allows unauthenticated requests. [security][web-manager] [#4233]

Deprecations and Removals

  • The macOS package no longer depends on the system-included LibreSSL libraries. On macOS, SFTPPlus now uses embedded OpenSSL libraries. [#5400]
  • On SLES 11, RHEL 6, and other unsupported Linux distributions, SFTPPlus uses a generic glibc-based Linux runtime which includes OpenSSL 1.1.1 libraries. [#5312]

You can check the full release notes here.

• • •

SFTPPlus Release 3.54.0

Tue 21 April 2020 | general release

We are announcing the latest release of SFTPPlus version 3.54.0.

New Features

  • You can now define custom triggers for the HTTP / HTTPS service. These triggers are available as buttons in the web client GUI and as custom actions in the HTTP API. [server-side][http][https] [#3832]
  • You can now configure the SFTPPlus Let's Encrypt resource with email addresses as contact information to be submitted to the ACME server. [#5351-1]
  • SFTPPlus now supports the Let's Encrypt ACME v2 protocol. [#5351]
  • 64bit packages for Windows x64 were added. [#5376]

Defect Fixes

  • You can now define the password when creating a new account. This was a defect introduced in a previous version. [#5379]

Deprecations and Removals

You can check the full release notes here.

• • •

Modern Slavery Act Statement for Financial Year 2019 - 2020

Mon 30 March 2020 | general compliance press

We are announcing that we have updated our Modern Slavery Act Statement to account for Financial Year 2019-2020.

This statement has been published in accordance with the Modern Slavery Act 2015.

It sets out the actions ProAtria has taken to combat slavery and human trafficking in our operations and supply chains for the financial year 2019 - 2020.

Click here to read the latest statement.

• • •

SFTPPlus Release 3.53.0

Fri 17 January 2020 | general release

We are announcing the latest release of SFTPPlus version 3.53.0.

New Features

  • A new option was defined for the overwrite_rule configuration to allow the file to be skipped and not transferred when the destination already has a file with the same name. [client-side][sync] [#4709]
  • The bundled OpenSSL libraries in Windows, Generic Linux, and OS X, were updated to version 1.1.1d. [#5348]

Defect Fixes

  • SFTPPlus can now successfully push large files over SFTP even if the remote SFTP server is not accepting large file chunks. This affected large file transfers to servers such as Microsoft's OpenSSH For Windows Server. [sftp][client-side] [#5367]

Deprecations and Removals

  • Support for Debian Linux 9 on X86_64 was removed. Please use the generic Linux package on any Debian Linux version. [#5373]

You can check the full release notes here.

• • •