From 99cbfe61cf68ade2547243c3184292c55ad1e0f1 Mon Sep 17 00:00:00 2001 From: Doug Koerich Date: Tue, 19 May 2026 17:12:25 -0300 Subject: [PATCH 1/5] Doc: new FIPS 140-3 compliant license signing (SparkPost/Momentum#1064) Signed-off-by: Doug Koerich --- content/momentum/4/before-you-begin.md | 10 ++++++++-- content/momentum/changelog/5/index.md | 1 + content/momentum/navigation.yml | 2 ++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/content/momentum/4/before-you-begin.md b/content/momentum/4/before-you-begin.md index 505b325a1..5f54f3f73 100644 --- a/content/momentum/4/before-you-begin.md +++ b/content/momentum/4/before-you-begin.md @@ -1,5 +1,5 @@ --- -lastUpdated: "03/26/2020" +lastUpdated: "05/19/2026" title: "Before You Begin" description: "This chapter describes issues that need to be considered or addressed prior to preparing for the installation on Analytics and or Platform MTA nodes For each of your servers that run the MTA you will need a license file in this directory opt msys ecelerity etc You will need to..." --- 
@@ -15,4 +15,10 @@ You will need to provide Message Systems with a MAC address for each MTA node in ### Note -The [Momentum REST Injector](/momentum/3/3-rest) introduced in Momentum 3.14 continues to work in Momentum 4 and does not require a license. You can still use this injector to inject messages with simple template substitutions, but it has a very limited feature set compared to the Momentum 4 REST APIs. \ No newline at end of file +Starting with Momentum 5.3.0, licenses issued by Message Systems are signed with ECDSA P-256 / SHA-256 ([FIPS 186-4](https://csrc.nist.gov/pubs/fips/186-4/final)). A re-issued license in this format is required only on deployments that **enforce** FIPS 140-3 at the crypto-library level — for example, when running against SafeLogic CryptoComply (a FIPS 140-3 validated drop-in for OpenSSL), or against OpenSSL 3.x configured with `default_properties = fips=yes`. In those configurations the DSA-2048 / SHA-1 verify path is rejected as non-compliant and the MTA reports the license as invalid. + +Existing DSA-2048 / SHA-1 licenses continue to validate on all other deployments, including OpenSSL 3.x with the FIPS provider merely loaded (without `default_properties = fips=yes`). + +### Note + +The [Momentum REST Injector](/momentum/3/3-rest) introduced in Momentum 3.14 continues to work in Momentum 4 and does not require a license. You can still use this injector to inject messages with simple template substitutions, but it has a very limited feature set compared to the Momentum 4 REST APIs. diff --git a/content/momentum/changelog/5/index.md b/content/momentum/changelog/5/index.md index bb0d99fc4..25c3fcd29 100644 --- a/content/momentum/changelog/5/index.md +++ b/content/momentum/changelog/5/index.md 
@@ -6,6 +6,7 @@ name: "Momentum 5.x Changelogs" description: "Momentum 5.x Changelogs" --- +* [Momentum 5.3.0 Changelogs](/momentum/changelog/5/5-3-0) * [Momentum 5.2.1 Changelogs](/momentum/changelog/5/5-2-1) * [Momentum 5.2.0 Changelogs](/momentum/changelog/5/5-2-0) * [Momentum 5.1.1 Changelogs](/momentum/changelog/5/5-1-1) diff --git a/content/momentum/navigation.yml b/content/momentum/navigation.yml index d48717903..bdf6aabcf 100644 --- a/content/momentum/navigation.yml +++ b/content/momentum/navigation.yml @@ -1981,6 +1981,8 @@ - link: /momentum/changelog/5 title: Momentum 5.x Changelog items: + - link: /momentum/changelog/5/5-3-0 + title: Momentum 5.3.0 Changelog - link: /momentum/changelog/5/5-2-1 title: Momentum 5.2.1 Changelog - link: /momentum/changelog/5/5-2-0 From 7db2f6b49cb40051d8dcaefe28b98a016c6f39df Mon Sep 17 00:00:00 2001 From: Doug Koerich Date: Tue, 19 May 2026 17:17:50 -0300 Subject: [PATCH 2/5] Doc: missed the new changelog page (SparkPost/Momentum#1064) Signed-off-by: Doug Koerich --- content/momentum/changelog/5/5-3-0.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 content/momentum/changelog/5/5-3-0.md diff --git a/content/momentum/changelog/5/5-3-0.md b/content/momentum/changelog/5/5-3-0.md new file mode 100644 index 000000000..7b8809a5d --- /dev/null +++ b/content/momentum/changelog/5/5-3-0.md 
@@ -0,0 +1,13 @@ +--- +lastUpdated: "07/01/2026" +title: "Momentum 5.3.0 Changelog" +description: "Momentum 5.3.0 was released on 2026-07-01. This section will list all of the major changes that happened with the release of Momentum 5.3.0. Depending on installation type, all changes may not be applicable" +--- + +This section will list all of the major changes that happened with the release of **Momentum 5.3.0**. Depending on installation type, all changes may not be applicable + + + +| Type | Ticket | Description | +| --- | --- | --- | +| Feature | I-1064 | Added support for [license](/momentum/4/before-you-begin#momentum-license) signatures using ECDSA P-256 with SHA-256 ([FIPS 186-4](https://csrc.nist.gov/pubs/fips/186-4/final)), required on deployments that enforce FIPS 140-3 (for example, SafeLogic CryptoComply, or OpenSSL 3.x configured with `default_properties = fips=yes`). Existing DSA-2048 / SHA-1 licenses continue to validate on all other deployments, including OpenSSL 3.x with the FIPS provider loaded but without strict enforcement. | From 58279afeb6963c808e8537a3c74a2568ea5bc39f Mon Sep 17 00:00:00 2001 From: Doug Koerich Date: Tue, 19 May 2026 17:24:35 -0300 Subject: [PATCH 3/5] Doc: summarizing in the changelog table (SparkPost/Momentum#1064) Signed-off-by: Doug Koerich --- content/momentum/changelog/5/5-3-0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/momentum/changelog/5/5-3-0.md b/content/momentum/changelog/5/5-3-0.md index 7b8809a5d..e2b3be0f8 100644 --- a/content/momentum/changelog/5/5-3-0.md +++ b/content/momentum/changelog/5/5-3-0.md 
@@ -10,4 +10,4 @@ This section will list all of the major changes that happened with the release o | Type | Ticket | Description | | --- | --- | --- | -| Feature | I-1064 | Added support for [license](/momentum/4/before-you-begin#momentum-license) signatures using ECDSA P-256 with SHA-256 ([FIPS 186-4](https://csrc.nist.gov/pubs/fips/186-4/final)), required on deployments that enforce FIPS 140-3 (for example, SafeLogic CryptoComply, or OpenSSL 3.x configured with `default_properties = fips=yes`). Existing DSA-2048 / SHA-1 licenses continue to validate on all other deployments, including OpenSSL 3.x with the FIPS provider loaded but without strict enforcement. | +| Feature | I-1064 | Added support for [license](/momentum/4/before-you-begin#momentum-license) signatures using ECDSA P-256 with SHA-256. | From 77f00133b5dbd05677dc2b31b70973fb93d9f8b0 Mon Sep 17 00:00:00 2001 From: Doug Koerich <122404417+dkoerichbird@users.noreply.github.com> Date: Wed, 20 May 2026 10:35:27 -0300 Subject: [PATCH 4/5] Adding notice about Node.js 24 to be installed separately (Momentum#1214) (#839) Signed-off-by: Doug Koerich --- content/momentum/changelog/5/5-3-0.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/momentum/changelog/5/5-3-0.md b/content/momentum/changelog/5/5-3-0.md index e2b3be0f8..66b1633f3 100644 --- a/content/momentum/changelog/5/5-3-0.md +++ b/content/momentum/changelog/5/5-3-0.md @@ -11,3 +11,4 @@ This section will list all of the major changes that happened with the release o | Type | Ticket | Description | | --- | --- | --- | | Feature | I-1064 | Added support for [license](/momentum/4/before-you-begin#momentum-license) signatures using ECDSA P-256 with SHA-256. | +| Feature | I-1214 | Removed `msys-nodejs` RPM from the Momentum bundle, to be replaced with the 3rd-party `nodejs` package. Node.js LTS 24+ must be installed separately from the system or a vendor repository. | From 9608bf0b726bf1df6f0dbe13c25e1ab61692ce93 Mon Sep 17 00:00:00 2001 
From: Doug Koerich Date: Wed, 20 May 2026 11:14:12 -0300 Subject: [PATCH 5/5] Doc: ha_proxy_client fix for changed remote IP (TASK-227757) Signed-off-by: Doug Koerich --- content/momentum/4/modules/ha-proxy-client.md | 3 ++- content/momentum/changelog/5/5-3-0.md | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/content/momentum/4/modules/ha-proxy-client.md b/content/momentum/4/modules/ha-proxy-client.md index 4ba958ca8..9690fbab3 100644 --- a/content/momentum/4/modules/ha-proxy-client.md +++ b/content/momentum/4/modules/ha-proxy-client.md @@ -1,5 +1,5 @@ --- -lastUpdated: "10/05/2021" +lastUpdated: "05/20/2026" title: "ha_proxy_client - HAProxy protocol client module" description: "The ha_proxy_client module is used to configure Momentum to use HAProxy's PROXY protocol version 2 for outbound connections (see https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt). This can be leveraged in cases where your sending IPs are deployed on a different machine than Momentum." --- 
@@ -7,6 +7,7 @@ description: "The ha_proxy_client module is used to configure Momentum to use HA ## Configuration * When configured for a binding or binding group Momentum will connect to the given `ha_proxy_server` and prefix the SMTP session with a PROXY protocol version 2 header. +* `ha_proxy_server` accepts either a literal `IP:port` or a `hostname:port`. When a hostname is used, Momentum resolves it at configuration load and then re-checks DNS during each [health check](#health-check): if the resolved address leaves the answer set (for example, the backend was redeployed with a new IP) Momentum will switch new connections to the updated address automatically, with no restart or configuration reload required. Detection happens through Momentum's DNS cache, so the [`resolv_conf`](/momentum/4/config/ref-resolv-conf) setting and DNS TTLs apply; expect a delay of up to one health check interval plus the record TTL before the switch. * The `dst_addr` and `dst_port` will be filled in with the resolved MX, the `src_addr` will be filled in with the configured value of `ha_proxy_src_addr` if the destination family is IPV4, or `ha_proxy_ipv6_src_addr` if the destination family is IPV6. If you need to deliver to both IPV4 and IPV6 destinations then you must configure both options for the binding or binding_group. * The `ha_proxy_bypass` option allows you to bypass the proxy and follow the normal delivery method on a domain by domain basis. * It is the customers responsibility to configure a listener at `ha_proxy_server` that listens for PROXY protocol and forwards traffic based on `dst_addr:dst_port`. diff --git a/content/momentum/changelog/5/5-3-0.md b/content/momentum/changelog/5/5-3-0.md index 66b1633f3..5766ca0b0 100644 --- a/content/momentum/changelog/5/5-3-0.md +++ b/content/momentum/changelog/5/5-3-0.md 
@@ -12,3 +12,4 @@ This section will list all of the major changes that happened with the release o | --- | --- | --- | | Feature | I-1064 | Added support for [license](/momentum/4/before-you-begin#momentum-license) signatures using ECDSA P-256 with SHA-256. | | Feature | I-1214 | Removed `msys-nodejs` RPM from the Momentum bundle, to be replaced with the 3rd-party `nodejs` package. Node.js LTS 24+ must be installed separately from the system or a vendor repository. | +| Fix | TASK-227757 | [`ha_proxy_client`](/momentum/4/modules/ha-proxy-client) now re-resolves a hostname-based `ha_proxy_server` during each health check, so backend IP changes are picked up automatically without restart. |
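Review bot: in the paragraph added to `content/momentum/4/before-you-begin.md` (PATCH 1/5), the text says the MTA "reports the license as invalid" on FIPS-enforcing deployments but gives the operator no next step and no compatibility statement. Suggest adding how to request the re-issued ECDSA P-256 / SHA-256 license, and stating whether an MTA older than 5.3.0 can validate a license in the new format, since this page sits under `/momentum/4/`. The hunk also leaves two consecutive `### Note` headings; a specific heading for the licensing paragraph would make it linkable.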
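Review bot: the `+* [Momentum 5.3.0 Changelogs](/momentum/changelog/5/5-3-0)` line in `changelog/5/index.md` and the matching `navigation.yml` entry (PATCH 1/5) link to a page that is only created in PATCH 2/5, so PATCH 1/5 applied on its own publishes a dead link. Suggest squashing PATCH 2/5 into PATCH 1/5 so that every commit in the series produces a consistent site.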
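Review bot: in the front matter of the new `changelog/5/5-3-0.md` (PATCH 2/5), `lastUpdated: "07/01/2026"` and "was released on 2026-07-01" are both later than the commit date of 19 May 2026, while the other files in this series set `lastUpdated` to the day of the edit (`05/19/2026`, `05/20/2026`). Suggest using the edit date for `lastUpdated` and filling in the release date when it is final. The intro sentence and the `description` also end at "may not be applicable" without a closing period.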
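Review bot: the shortened I-1064 row in PATCH 3/5 drops the statement that existing DSA-2048 / SHA-1 licenses continue to validate, so the changelog alone no longer tells an operator whether a re-issued license is needed. Suggest keeping one clause such as "required only on deployments that enforce FIPS 140-3". The link target `/momentum/4/before-you-begin#momentum-license` should also be checked, because the paragraph added in PATCH 1/5 sits under a `### Note` heading and no `momentum-license` heading appears in that hunk.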
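Review bot: the I-1214 row added in PATCH 4/5 is typed `Feature` although it describes the removal of the bundled `msys-nodejs` RPM and a new manual prerequisite, which is an upgrade-impacting change. Suggest a type or wording that flags the required action, and saying what happens on upgrade when no `nodejs` package is installed. "Node.js LTS 24+" would also read more precisely as a minimum version, and `lastUpdated` in this file is not touched by the change.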
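Review bot: the `ha_proxy_server` bullet added to `ha-proxy-client.md` (PATCH 5/5) does not say what happens when the health-check lookup fails or when the hostname resolves to more than one address. Suggest stating whether Momentum keeps the last known address on a failed or empty answer, and which address is chosen from a multi-record answer set. Since the destination of proxied outbound connections now follows DNS without a restart or reload, it is also worth a sentence pointing operators to a trusted resolver in `resolv_conf`. The bullet says "switch new connections", so the handling of connections already established to the old address should be stated as well.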