Symantec Messaging Gateway 10.5.3 Release Notescollegecirculars.unipune.ac.in/sites/.../Symantec_Messaging_Gateway... · Supported web browsers ... Symantec Messaging Gateway 10.5

Symantec™ MessagingGateway 10.5.3 ReleaseNotes

powered by Brightmail™

Symantec MessagingGateway 10.5.3 ReleaseNotes

This document includes the following topics:

■ About Symantec Messaging Gateway 10.5.3

■ What's new

■ Documentation

■ Support policy

■ Supported platforms

■ Unsupported platforms

■ Supported web browsers

■ Supported paths to version 10.5.3

■ Unsupported paths to version 10.5.3

■ Important information about installation in virtual environments

■ Important information before you update to version 10.5.3

■ Resolved issues

■ Known issues

About Symantec Messaging Gateway 10.5.3Copyright 2014 Symantec Corporation. All rights reserved.

Symantec Messaging Gateway 10.5.3 is the upgrade to previous versions ofSymantecMessagingGateway. All functionality of SymantecMessagingGateway10.5.2 is maintained unless otherwise noted.

Note: You must be at Symantec Messaging Gateway 10.5.1 or later in order toupdate to Symantec Messaging Gateway 10.5.3. You can only update to version10.5.1 from version 10.0.3 or later.

What's newThis release of Symantec Messaging Gateway fixes known defects and addressesknownvulnerabilities, and also includes the followingnewand enhanced features:

■ This version requires your browser to useTLS1.2whenyou access the ControlCenter.

■ You can import and export RSA tokens to enable automated tasks withoutstoring passwords in configuration files or scripts.

■ You can change the size for individual lines in a remote syslog from the defaultof 1K to 4k.

■ The Message Audit Log now records that a message is received through TLS.

■ Language Identification scanning isnowskippedonly if thebodyof themessageis over 100K.

■ Incoming TLS connections now support PFS (Perfect Forward Secrecy).

DocumentationYou can access English documentation at the following website:

http://www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION&sort=recent

The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.

Check the followingwebsite for any issues that are found after these release noteswere finalized:

http://www.symantec.com/docs/TECH223626

Symantec Messaging Gateway 10.5.3 Release NotesAbout Symantec Messaging Gateway 10.5.3

4




To access the software update description from the Control Center, clickAdministration > Hosts > Version. On the Updates tab, click View Description.

To view the Symantec support policy for Symantec Messaging Gateway, see thefollowing links:

http://go.symantec.com/security_appliance_support

http://go.symantec.com/appliance_hw_support

To read the translated 10.5 documentation, go to the following URLs, and thenclick the Documentation link:

Chinese (Simplified)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

Chinese (Traditional)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

Japanese

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

Korean

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

You can access English documentation at the following website:


The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.

Support policySymantecprovides standard support for only themost current build of the licensedsoftware.

Formore information about Symantec's support policies, go to the followingURL:


Supported platformsYou can update to Symantec Messaging Gateway 10.5.3 on any of the followingplatforms:

5Symantec Messaging Gateway 10.5.3 Release NotesSupport policy


http://go.symantec.com/appliance_hw_support

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR




■ All supported hardware versions: 8380 purchased after March 2009, 8360purchased after March 2009, and 8340 purchased after September 2010

■ VMware ESXi/vSphere 5.0/5.1/5.5

■ MicrosoftHyper-V:WindowsServer 2008 andHyper-VServer 2008,WindowsServer 2012 and Hyper-V Server 2012

■ For more information about Symantec Messaging Gateway hardware testingsupport, go to the following URL:http://www.symantec.com/docs/TECH123135

Unsupported platformsUnsupported platforms are as follows:

■ Any virtual platform that is not listed in the Supported Platforms section ofthis document.

■ Hardware platforms 8220, 8240, 8260, 8320, and 8340 (PowerEdge 860 andR200 versions) purchased on or before September 2010

■ Hardware platforms 8360 (PowerEdge 1950 versions 1 and 2) and 8380(PowerEdge 2950 versions 1 and 2) purchased on or before March 2009.

For more information about Symantec Messaging Gateway hardware testingsupport, go to the following URL:


To determine what hardware version you have, at the command line type thefollowing:

show --info

Supported web browsersYou can access the Symantec Messaging Gateway Control Center on any of thefollowing supported web browsers:

■ Internet Explorer 8 or later. See the associated knowledge base article fordetails about using IE8.http://www.symantec.com/docs/TECH215638

■ Firefox 28 or later

■ Chrome 34 or later

Symantec Messaging Gateway 10.5.3 Release NotesUnsupported platforms

6




Supported paths to version 10.5.3You can update to Symantec Messaging Gateway 10.5.3 by using any of thefollowing methods:

■ Software update from version 10.5.1 or later on supported hardware or insupported virtual environments

■ OSRestore from ISO on supported hardware or in supported virtualenvironments

■ VMware installation with OVF file

Unsupported paths to version 10.5.3You cannot update to Symantec Messaging Gateway 10.5.3 by using any of thefollowing methods:

■ Versions earlier than 10.5.1

■ Direct upgrade from beta versions

Important information about installation in virtualenvironments

Symantec Messaging Gateway 10.5 supports two virtual environments: VMwareand Microsoft Hyper-V.

To install on VMwareTwo methods for installing on supported VMware platforms are:

You can load the ISO file into a preconfigured virtual machine.

You can use the ISO file on VMware ESXi/vSphere 5.0/5.1/5.5.

ISO file

You can also load the OVF, which includes the virtual machineconfiguration.

You can use the OVF for VMware ESXi/vSphere 5.0/5.1/5.5.

OVF template

To install on Hyper-VThere is one method for installing on supported Hyper-V platforms:

7Symantec Messaging Gateway 10.5.3 Release NotesSupported paths to version 10.5.3

You can load the ISO file into a preconfigured virtual machine.

You can use the ISO file on Windows Server 2008 and Hyper-V Server2008, Windows Server 2012 and Hyper-V Server 2012.

ISO file

See the SymantecMessagingGateway 10.5 InstallationGuide for instructions andsystem requirements.

Note: In a virtual environment, verify that your virtual environment can support64-bit virtualization before you update to Symantec Messaging Gateway 10.5.When Intel Virtualization Technology (also known as Intel-VT) is enabled in theBIOS, it allows the CPU to support multiple operating systems, including 64-bitarchitecture. On many Intel processors this setting may be disabled in the BIOSand must be enabled prior to installing Symantec Messaging Gateway 10.5. AMDprocessors that support 64-bit architecture usually have this setting enabled bydefault. See KB 1003945 from VMware for more information:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003945

Important information before you update to version10.5.3

This topic contains the migration information that you should read before youupdate to version 10.5.3. Youmust update to SymantecMessagingGateway 10.5.3from Symantec Messaging Gateway 10.5.1 or later.

Note: The software update process can take several hours. During this process,mail throughput is unaffected. However, the mail that is intended for quarantineremains in the delivery queue until migration is complete.

Table 1-1 describes suggested best practices that you should consider when youupgrade from any version.

Table 1-1 Best practices for all upgrades

DescriptionItem

Symantec strongly recommends that you take a full system backup before you runthe software update and store it off-box.

Perform a backup.

Symantec Messaging Gateway 10.5.3 Release NotesImportant information before you update to version 10.5.3

8



Table 1-1 Best practices for all upgrades (continued)

DescriptionItem

The software update processmay take several hours to complete. If you restart beforethe process is complete, data corruption is likely to occur. If data corruption occurs,the factory image must be reinstalled on the appliance.

Do not restart.

If your site policies allow it, delete all Scanner and DDS log messages.Delete log messages.

To reduce Scanner update time and complexity, you should stopmail flow to Scannersand drain all queues.

To halt incoming messages, click Administration > Hosts > Configuration, and edita Scanner. On the Services tab, click Do not accept incoming messages and clickSave. Allow some time formessages to drain from your queues. To check the queues,clickStatus>SMTP>MessageQueues. Flush themessages that are left in the queues.

Stop mail flow to Scannersand flush queues before youupdate.

Symantec strongly recommends that you update your Control Center before youupdate your Scanners to thematching version. If youdonot update theControl Centerfirst, Symantec recommends that you use the command line interface to updateremote Scanners. It is crucial that the time frame inwhich you update your Scannersto 10.5 is kept as short as possible: the Control Center is unable to propagateconfiguration changes to Scanners that are on different versions. Configurations inwhich the Control Center and Scanners run different versions for an extended periodare unsupported.

Update Control Center first.

The Control Center appliance is offline and unusable during the update process.Scanners cannot quarantine messages on the Control Center during the softwareupdate, so messages build up in a queue. Updating a Control Center appliance cantake quite some time. Plan to update the Control Center appliance during off-peakhours.

Whenyoumigrate a Scanner, it goes offline. Scanner resources are unavailable duringthemigration process. Software update of a Scanner takes less time than the softwareupdate of the Control Center.

Perform software update atoff-peak hours.

Resolved issuesThis section describes the issues that are resolved in 10.5.3.

9Symantec Messaging Gateway 10.5.3 Release NotesResolved issues

Table 1-2 Resolved issues

Description and knowledge base article link (ifapplicable)

Issue

Only the minus sign is used to delimit thesubaddress.

See the associatedknowledgebase article for details:


In previous releases if you enabledRemove subaddress in recipientvalidationdirectoryquery, both "+"and "-" were used to delimit thesubaddress.

The language identification scanning isnowskippedonly if the body of the message is over 100K.


Language identification scanning didnot occur if amessage as awholewasover 100 KB.



TheMessageAudit Log didn't updatethe status for themessages thatweredeleted due to a verdict ofvirus/worm/unscannable. It showedthe status as "Processing Status".

TheUI is now consistentwith the product behavior.



Unchecking Enable scanning ofnon-plain text attachments forwords in dictionaries also preventsscanning of plain text attachments.

The Message Audit logs now show authenticateduser name when SMTP authentication is used.

See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225281

In somecases,MessageAudit logs didnot show the authenticated usernamewhenSMTPauthenticationwasused.

This issue is now resolved.



In some cases, Microsoft Office2007-formatteddocument incorrectlytriggered a Content Policy based onthe attachment size.

This fix is not an automatic change. Reset thetimezone manually.



Selecting the timezone "(GMT-04:00)Atlantic Time (Canada)" resulted intimezone being set to "(GMT-05:00)Eastern Time (US & Canada)".

When you view the raw message for a rejectedmessage (e.g. invalid format), it now behaves asexpected and displays the raw message data.


In some cases, after submissiondetails was selected for a rejectedsubmission, the browser hung.

Symantec Messaging Gateway 10.5.3 Release NotesResolved issues

10









Table 1-2 Resolved issues (continued)


Issue

The verdict "Message was sent by a suspectedspammer"hasbeendeprecated. Symantecno longertests for this condition. All references to it havebeen removed.

See the associated knowledge base article fordetails:http://www.symantec.com/docs/TECH225284

"Message was sent by a suspectedspammer" appeared in the MessageAudit Logunder untested verdicts forall messages.

Customers can modify any part of the spamnotification URL and retain the originalfunctionality.


Under Spam Quarantine Settings,the spam notification URLautomatically included /brightmail.

Content filtering now detects the Dictionary wordsthat are enclosed in quotes.


In some cases, the content filteringprocess failed todetect theDictionarywords that were enclosed in quotes.

The GMT:Greenwich Mean Time timezone optioncan now be selected during the install process inboth the CLI and the Control Center.


The GMT timezone option was onlyavailable in the Control Center.

The snmpd process no longer listens on either porton an externally accessible interface when SNMPis disabled.


When SNMP was not enabled, thesnmpdprocessused theUDPprotocolto listen on port 161, and the TCPprotocol to listen on port 199 on allinterfaces.

Both pages now display all details and fields asexpected.


The Message Audit Log MessageDetail page and the QuarantineMessage Detail pages cut off thebottom portion of the screen,obscuring some display fields.

All combinations of FIPS mode and CBC on/off willappropriately configure SSH such that it functionsas expected.


Enabling FIPSwhile configuring SSHtodisableCBCciphers caused theSSHdaemon to stop responding.

11Symantec Messaging Gateway 10.5.3 Release NotesResolved issues








Table 1-2 Resolved issues (continued)


Issue



Incoming TLS connections did notsupport PFS (Perfect ForwardSecrecy).


In some cases, when Marketing,Newsletter, or Suspicious URLpolicies were enabled, they did nottrigger as expected.

Known issuesThis section describes the known issues in version 10.5.3.

Table 1-3 Known issues

DescriptionIssue

When a .zip file is split into several parts and sentonepartpermessage, SymantecMessagingGatewaydoes not consistently detect all file parts. Othercompressed files, such as RAR files, that aresimilarly divided, are scannedproperly. Not all suchmessages are considered unscannable, as would beexpected.



Split .zip file detection is notconsistent.

WhenSymantec Content Encryption andSymantecBounceAttackValidation are used together, repliesto encrypted messages that are sent from thecontent encryptionwebportal are flagged as invalidbounce messages and rejected.



Replies to messages that are sentthrough the Symantec ContentEncryption service always fail BounceAttack Validation.

Symantec Messaging Gateway 10.5.3 Release NotesKnown issues

12





Table 1-3 Known issues (continued)

DescriptionIssue

Embedded images in RTF file attachments are notextracted correctly, so Content Filtering policiesthat are intended to detect images are not triggered.



Content Filtering policy does notdetect images within RTFattachments.



The Symantec Messaging GatewayInstallation Guide incorrectly statesthat inbound local delivery is limitedto three servers, while the SymantecMessaging Gateway AdministrationGuide states correctly that localdelivery is unlimited.

The topic "About using SMTP authentication" liststhe MUA versions that Symantec MessagingGateway has been tested against. This list shouldinclude Microsoft Outlook 2010, but it should notinclude Thunderbird 2 or Mail.app on MacOS.



In theControl Center onlineHelp andin the Symantec Messaging GatewayAdministration Guide, the list ofsupported MUAs is incorrect.

Non-RFC5322-compliant messages cannot besubmitted for Customer-Specific Spam Rules eventhough the messages are delivered to user inboxeswithout issue.



Messages cannot be submitted forCustomer-Specific Spam Rulesthrough the Control Center whenthey have lines over 998 characterslong .

When administrators log in, their permissions arecached. They continue with the same rights untilthey log out. Also, administrators with full rightsto the Control Center can delete their own accountswithout receiving a warning.



The Control Center allows activesessions for administrators withdeleted accounts.

13Symantec Messaging Gateway 10.5.3 Release NotesKnown issues







DescriptionIssue

With any TLS setting enabled for a FIPS-enabledDLP appliance, messages that are sent to DLP inReflectmode get stuck in the Delivery queue due toa failed TLS negotiation.



TLS to FIPS-enabled DLP PreventServer Version 12 fails negotiation.



Microsoft Office 2007 documentswith files embedded using the 'Linkto file' option trigger the"unscannable due to limits exceeded"policy.

WhenDisarmremovesFlashcontent fromMicrosoftPowerPoint documents, Flash content that iscontained in a multilevel embedded attachment isnot replaced with a white image as expected.Instead, the first image in the Flash content isdisplayed.



When Disarm removes Flash fromPowerPoint, Flash is not replacedwith a white image in a multilevelembedded attachment.



Selecting "Enable HTML textscanning" in a Content Filter ruleonly applies to themessage body, notto the message's attachments.



Whenyou enableSenderID/SPF, thechecking of SPF TXT recordsreturned byDNS is case-sensitive forkeywords such as "a", "mx", and "ip".

The errors heartbeat_init ->

gimli_heartbeat_attachandheartbeat_init->Default appear at startup, and can be safelyignored.



Errors are displayed in the MTA Log(maillog).


14








DescriptionIssue

The Disarm service cannot be started or stoppedfrom the Control Center. Starting or stoppingDisarm can only be done from the Command LineInterface, using the service mta commands.



Stopping and starting the BrightmailEngine (or MTA) from the ControlCenter does not restart Disarm.



Unsaved changes to quarantinesettings are lost when you edit thenotification template.

Disarm logs can display the errorCReconstructor::LogStats: cannot create

directory for '$filename' with

error:File exists. This error can be safelyignored.



Misleading error messages mayappear in the Disarm logs.

There are several update issues that all involvedifferences between the true status of the updateand its status as displayed in the Control Center.

Viewing the update.log from the Command LineInterfacewill always provide accurate information.



In the Control Center, on theAdministration > Host Version >Updates page, the status displayedfor a specific hostmaynot accuratelyreflect the actual status of the hostor of the update process.



Release and view links are not visiblewhen spam summary messages areviewed as text-only.



The cc-config entry in theCommand Line Reference and manpage does not include informationabout the limit-tlsv1.1 option.

The uncompressed size of attachments is alwaysused when testing file size.



Documentation incorrectly statesthat file attachment size limitsconsiders only the compressed sizeof compressed attachments.










DescriptionIssue



The Symantec Messaging GatewayInstallation Guide omits AD 2012from list of supported directoryservers.

In the 10.5.1 Symantec Messaging GatewayAdministrationGuide, the note section on page 774should read: Note: If you make an error when youtype the host name, you block all access to theControl Center. If this situation occurs, use thecommanddelete bcchostacl fromthecommandline to clear the list of computers that are permittedto access theControl Center. See delete onpage 855.

In the 10.5.1 Symantec MessagingGateway Administration Guide, onpage 774, the command used to cleara hostname enterred in error ismisidentifies. It says to use clearbcchostacl instead of deletebcchostacl.



Symantec Messaging Gateway maybe unable to deliver mail if TLSdelivery is being attempted and thethe receiving MTA strictlyimplements TLSv1.



Symantec Messaging Gateway mayfail to process certainmessages withbadly formatted MIME attachmentheaders.

If inbound and outbound mail is received ondifferent interfaces or ports, this problem will notoccur.



If both inbound and outbound mailis received on the same IP addressand port, mail from an IP addresswith a broken PTR record will bedeferred.

This is expected behavior in versions 10.5 and later.



The Symantec Messaging Gatewayreaches out tohttps://tmsg.symantec.com/ to reporttelemetry. This site is notdocumented in our list of accessedweb sites.


16







DescriptionIssue

When you import two certificates that have thesame private key into the Symantec MessagingGateway, the second certificate overwrites the firstcertificate. There is nowarningwhen you are aboutto overwrite a certificate, just a confirmationmessage that the certificate was updated.



Multiple certificates using the sameprivate key are not allowed on theSymantec Messaging Gateway.



When you create a custom date andtimestamp format, you mayencounter unexpected results.

Some very short messsages in non-US ASCII charsets may not display correctly when usingAuto-Detect or Auto Chinese.



Some messages held in theQuarantine folder may not displaycorrectly when selected.

Whendomainsareunable tonegotiate anacceptablecipher, they bounce amessage instead of deliveringit without TLS. To deliver messages in thiscircumstance, disable opportunistic TLS.



Symantec Messaging Gateway maybe unable to deliver mail if TLSdelivery is being attempted,whendomains are unable to negotiate anacceptable cipher.







18

Documents

Symantec Messaging Gateway 10.5.3 Release Notescollegecirculars.unipune.ac.in/sites/.../Symantec_Messaging_Gateway... · Supported web browsers ... Symantec Messaging Gateway 10.5