Upload
phamlien
View
215
Download
0
Embed Size (px)
Citation preview
Symantec™ MessagingGateway 10.5.3 ReleaseNotes
powered by Brightmail™
Symantec MessagingGateway 10.5.3 ReleaseNotes
This document includes the following topics:
■ About Symantec Messaging Gateway 10.5.3
■ What's new
■ Documentation
■ Support policy
■ Supported platforms
■ Unsupported platforms
■ Supported web browsers
■ Supported paths to version 10.5.3
■ Unsupported paths to version 10.5.3
■ Important information about installation in virtual environments
■ Important information before you update to version 10.5.3
■ Resolved issues
■ Known issues
About Symantec Messaging Gateway 10.5.3Copyright 2014 Symantec Corporation. All rights reserved.
Symantec Messaging Gateway 10.5.3 is the upgrade to previous versions ofSymantecMessagingGateway. All functionality of SymantecMessagingGateway10.5.2 is maintained unless otherwise noted.
Note: You must be at Symantec Messaging Gateway 10.5.1 or later in order toupdate to Symantec Messaging Gateway 10.5.3. You can only update to version10.5.1 from version 10.0.3 or later.
What's newThis release of Symantec Messaging Gateway fixes known defects and addressesknownvulnerabilities, and also includes the followingnewand enhanced features:
■ This version requires your browser to useTLS1.2whenyou access the ControlCenter.
■ You can import and export RSA tokens to enable automated tasks withoutstoring passwords in configuration files or scripts.
■ You can change the size for individual lines in a remote syslog from the defaultof 1K to 4k.
■ The Message Audit Log now records that a message is received through TLS.
■ Language Identification scanning isnowskippedonly if thebodyof themessageis over 100K.
■ Incoming TLS connections now support PFS (Perfect Forward Secrecy).
DocumentationYou can access English documentation at the following website:
http://www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION&sort=recent
The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.
Check the followingwebsite for any issues that are found after these release noteswere finalized:
http://www.symantec.com/docs/TECH223626
Symantec Messaging Gateway 10.5.3 Release NotesAbout Symantec Messaging Gateway 10.5.3
4
To access the software update description from the Control Center, clickAdministration > Hosts > Version. On the Updates tab, click View Description.
To view the Symantec support policy for Symantec Messaging Gateway, see thefollowing links:
http://go.symantec.com/security_appliance_support
http://go.symantec.com/appliance_hw_support
To read the translated 10.5 documentation, go to the following URLs, and thenclick the Documentation link:
Chinese (Simplified)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN
Chinese (Traditional)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW
Japanese
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP
Korean
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR
You can access English documentation at the following website:
http://www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION&sort=recent
The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.
Support policySymantecprovides standard support for only themost current build of the licensedsoftware.
Formore information about Symantec's support policies, go to the followingURL:
http://go.symantec.com/security_appliance_support
Supported platformsYou can update to Symantec Messaging Gateway 10.5.3 on any of the followingplatforms:
5Symantec Messaging Gateway 10.5.3 Release NotesSupport policy
■ All supported hardware versions: 8380 purchased after March 2009, 8360purchased after March 2009, and 8340 purchased after September 2010
■ VMware ESXi/vSphere 5.0/5.1/5.5
■ MicrosoftHyper-V:WindowsServer 2008 andHyper-VServer 2008,WindowsServer 2012 and Hyper-V Server 2012
■ For more information about Symantec Messaging Gateway hardware testingsupport, go to the following URL:http://www.symantec.com/docs/TECH123135
Unsupported platformsUnsupported platforms are as follows:
■ Any virtual platform that is not listed in the Supported Platforms section ofthis document.
■ Hardware platforms 8220, 8240, 8260, 8320, and 8340 (PowerEdge 860 andR200 versions) purchased on or before September 2010
■ Hardware platforms 8360 (PowerEdge 1950 versions 1 and 2) and 8380(PowerEdge 2950 versions 1 and 2) purchased on or before March 2009.
For more information about Symantec Messaging Gateway hardware testingsupport, go to the following URL:
http://www.symantec.com/docs/TECH186269
To determine what hardware version you have, at the command line type thefollowing:
show --info
Supported web browsersYou can access the Symantec Messaging Gateway Control Center on any of thefollowing supported web browsers:
■ Internet Explorer 8 or later. See the associated knowledge base article fordetails about using IE8.http://www.symantec.com/docs/TECH215638
■ Firefox 28 or later
■ Chrome 34 or later
Symantec Messaging Gateway 10.5.3 Release NotesUnsupported platforms
6
Supported paths to version 10.5.3You can update to Symantec Messaging Gateway 10.5.3 by using any of thefollowing methods:
■ Software update from version 10.5.1 or later on supported hardware or insupported virtual environments
■ OSRestore from ISO on supported hardware or in supported virtualenvironments
■ VMware installation with OVF file
Unsupported paths to version 10.5.3You cannot update to Symantec Messaging Gateway 10.5.3 by using any of thefollowing methods:
■ Versions earlier than 10.5.1
■ Direct upgrade from beta versions
Important information about installation in virtualenvironments
Symantec Messaging Gateway 10.5 supports two virtual environments: VMwareand Microsoft Hyper-V.
To install on VMwareTwo methods for installing on supported VMware platforms are:
You can load the ISO file into a preconfigured virtual machine.
You can use the ISO file on VMware ESXi/vSphere 5.0/5.1/5.5.
ISO file
You can also load the OVF, which includes the virtual machineconfiguration.
You can use the OVF for VMware ESXi/vSphere 5.0/5.1/5.5.
OVF template
To install on Hyper-VThere is one method for installing on supported Hyper-V platforms:
7Symantec Messaging Gateway 10.5.3 Release NotesSupported paths to version 10.5.3
You can load the ISO file into a preconfigured virtual machine.
You can use the ISO file on Windows Server 2008 and Hyper-V Server2008, Windows Server 2012 and Hyper-V Server 2012.
ISO file
See the SymantecMessagingGateway 10.5 InstallationGuide for instructions andsystem requirements.
Note: In a virtual environment, verify that your virtual environment can support64-bit virtualization before you update to Symantec Messaging Gateway 10.5.When Intel Virtualization Technology (also known as Intel-VT) is enabled in theBIOS, it allows the CPU to support multiple operating systems, including 64-bitarchitecture. On many Intel processors this setting may be disabled in the BIOSand must be enabled prior to installing Symantec Messaging Gateway 10.5. AMDprocessors that support 64-bit architecture usually have this setting enabled bydefault. See KB 1003945 from VMware for more information:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003945
Important information before you update to version10.5.3
This topic contains the migration information that you should read before youupdate to version 10.5.3. Youmust update to SymantecMessagingGateway 10.5.3from Symantec Messaging Gateway 10.5.1 or later.
Note: The software update process can take several hours. During this process,mail throughput is unaffected. However, the mail that is intended for quarantineremains in the delivery queue until migration is complete.
Table 1-1 describes suggested best practices that you should consider when youupgrade from any version.
Table 1-1 Best practices for all upgrades
DescriptionItem
Symantec strongly recommends that you take a full system backup before you runthe software update and store it off-box.
Perform a backup.
Symantec Messaging Gateway 10.5.3 Release NotesImportant information before you update to version 10.5.3
8
Table 1-1 Best practices for all upgrades (continued)
DescriptionItem
The software update processmay take several hours to complete. If you restart beforethe process is complete, data corruption is likely to occur. If data corruption occurs,the factory image must be reinstalled on the appliance.
Do not restart.
If your site policies allow it, delete all Scanner and DDS log messages.Delete log messages.
To reduce Scanner update time and complexity, you should stopmail flow to Scannersand drain all queues.
To halt incoming messages, click Administration > Hosts > Configuration, and edita Scanner. On the Services tab, click Do not accept incoming messages and clickSave. Allow some time formessages to drain from your queues. To check the queues,clickStatus>SMTP>MessageQueues. Flush themessages that are left in the queues.
Stop mail flow to Scannersand flush queues before youupdate.
Symantec strongly recommends that you update your Control Center before youupdate your Scanners to thematching version. If youdonot update theControl Centerfirst, Symantec recommends that you use the command line interface to updateremote Scanners. It is crucial that the time frame inwhich you update your Scannersto 10.5 is kept as short as possible: the Control Center is unable to propagateconfiguration changes to Scanners that are on different versions. Configurations inwhich the Control Center and Scanners run different versions for an extended periodare unsupported.
Update Control Center first.
The Control Center appliance is offline and unusable during the update process.Scanners cannot quarantine messages on the Control Center during the softwareupdate, so messages build up in a queue. Updating a Control Center appliance cantake quite some time. Plan to update the Control Center appliance during off-peakhours.
Whenyoumigrate a Scanner, it goes offline. Scanner resources are unavailable duringthemigration process. Software update of a Scanner takes less time than the softwareupdate of the Control Center.
Perform software update atoff-peak hours.
Resolved issuesThis section describes the issues that are resolved in 10.5.3.
9Symantec Messaging Gateway 10.5.3 Release NotesResolved issues
Table 1-2 Resolved issues
Description and knowledge base article link (ifapplicable)
Issue
Only the minus sign is used to delimit thesubaddress.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH163815
In previous releases if you enabledRemove subaddress in recipientvalidationdirectoryquery, both "+"and "-" were used to delimit thesubaddress.
The language identification scanning isnowskippedonly if the body of the message is over 100K.
http://www.symantec.com/docs/TECH167825
Language identification scanning didnot occur if amessage as awholewasover 100 KB.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211478
TheMessageAudit Log didn't updatethe status for themessages thatweredeleted due to a verdict ofvirus/worm/unscannable. It showedthe status as "Processing Status".
TheUI is now consistentwith the product behavior.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216384
Unchecking Enable scanning ofnon-plain text attachments forwords in dictionaries also preventsscanning of plain text attachments.
The Message Audit logs now show authenticateduser name when SMTP authentication is used.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225281
In somecases,MessageAudit logs didnot show the authenticated usernamewhenSMTPauthenticationwasused.
This issue is now resolved.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216386
In some cases, Microsoft Office2007-formatteddocument incorrectlytriggered a Content Policy based onthe attachment size.
This fix is not an automatic change. Reset thetimezone manually.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH215942
Selecting the timezone "(GMT-04:00)Atlantic Time (Canada)" resulted intimezone being set to "(GMT-05:00)Eastern Time (US & Canada)".
When you view the raw message for a rejectedmessage (e.g. invalid format), it now behaves asexpected and displays the raw message data.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225282
In some cases, after submissiondetails was selected for a rejectedsubmission, the browser hung.
Symantec Messaging Gateway 10.5.3 Release NotesResolved issues
10
Table 1-2 Resolved issues (continued)
Description and knowledge base article link (ifapplicable)
Issue
The verdict "Message was sent by a suspectedspammer"hasbeendeprecated. Symantecno longertests for this condition. All references to it havebeen removed.
See the associated knowledge base article fordetails:http://www.symantec.com/docs/TECH225284
"Message was sent by a suspectedspammer" appeared in the MessageAudit Logunder untested verdicts forall messages.
Customers can modify any part of the spamnotification URL and retain the originalfunctionality.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225285
Under Spam Quarantine Settings,the spam notification URLautomatically included /brightmail.
Content filtering now detects the Dictionary wordsthat are enclosed in quotes.
See the associated knowledge base article fordetails:http://www.symantec.com/docs/TECH225286
In some cases, the content filteringprocess failed todetect theDictionarywords that were enclosed in quotes.
The GMT:Greenwich Mean Time timezone optioncan now be selected during the install process inboth the CLI and the Control Center.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225308
The GMT timezone option was onlyavailable in the Control Center.
The snmpd process no longer listens on either porton an externally accessible interface when SNMPis disabled.
See the associated knowledge base article fordetails:http://www.symantec.com/docs/TECH225309
When SNMP was not enabled, thesnmpdprocessused theUDPprotocolto listen on port 161, and the TCPprotocol to listen on port 199 on allinterfaces.
Both pages now display all details and fields asexpected.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225311
The Message Audit Log MessageDetail page and the QuarantineMessage Detail pages cut off thebottom portion of the screen,obscuring some display fields.
All combinations of FIPS mode and CBC on/off willappropriately configure SSH such that it functionsas expected.
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225076
Enabling FIPSwhile configuring SSHtodisableCBCciphers caused theSSHdaemon to stop responding.
11Symantec Messaging Gateway 10.5.3 Release NotesResolved issues
Table 1-2 Resolved issues (continued)
Description and knowledge base article link (ifapplicable)
Issue
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH225317
Incoming TLS connections did notsupport PFS (Perfect ForwardSecrecy).
See the associatedknowledgebase article for details:http://www.symantec.com/docs/TECH225279
In some cases, when Marketing,Newsletter, or Suspicious URLpolicies were enabled, they did nottrigger as expected.
Known issuesThis section describes the known issues in version 10.5.3.
Table 1-3 Known issues
DescriptionIssue
When a .zip file is split into several parts and sentonepartpermessage, SymantecMessagingGatewaydoes not consistently detect all file parts. Othercompressed files, such as RAR files, that aresimilarly divided, are scannedproperly. Not all suchmessages are considered unscannable, as would beexpected.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH176884
Split .zip file detection is notconsistent.
WhenSymantec Content Encryption andSymantecBounceAttackValidation are used together, repliesto encrypted messages that are sent from thecontent encryptionwebportal are flagged as invalidbounce messages and rejected.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH174807
Replies to messages that are sentthrough the Symantec ContentEncryption service always fail BounceAttack Validation.
Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
12
Table 1-3 Known issues (continued)
DescriptionIssue
Embedded images in RTF file attachments are notextracted correctly, so Content Filtering policiesthat are intended to detect images are not triggered.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH208718
Content Filtering policy does notdetect images within RTFattachments.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH193367
The Symantec Messaging GatewayInstallation Guide incorrectly statesthat inbound local delivery is limitedto three servers, while the SymantecMessaging Gateway AdministrationGuide states correctly that localdelivery is unlimited.
The topic "About using SMTP authentication" liststhe MUA versions that Symantec MessagingGateway has been tested against. This list shouldinclude Microsoft Outlook 2010, but it should notinclude Thunderbird 2 or Mail.app on MacOS.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211461
In theControl Center onlineHelp andin the Symantec Messaging GatewayAdministration Guide, the list ofsupported MUAs is incorrect.
Non-RFC5322-compliant messages cannot besubmitted for Customer-Specific Spam Rules eventhough the messages are delivered to user inboxeswithout issue.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH205682
Messages cannot be submitted forCustomer-Specific Spam Rulesthrough the Control Center whenthey have lines over 998 characterslong .
When administrators log in, their permissions arecached. They continue with the same rights untilthey log out. Also, administrators with full rightsto the Control Center can delete their own accountswithout receiving a warning.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH208723
The Control Center allows activesessions for administrators withdeleted accounts.
13Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
Table 1-3 Known issues (continued)
DescriptionIssue
With any TLS setting enabled for a FIPS-enabledDLP appliance, messages that are sent to DLP inReflectmode get stuck in the Delivery queue due toa failed TLS negotiation.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH212117
TLS to FIPS-enabled DLP PreventServer Version 12 fails negotiation.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216390
Microsoft Office 2007 documentswith files embedded using the 'Linkto file' option trigger the"unscannable due to limits exceeded"policy.
WhenDisarmremovesFlashcontent fromMicrosoftPowerPoint documents, Flash content that iscontained in a multilevel embedded attachment isnot replaced with a white image as expected.Instead, the first image in the Flash content isdisplayed.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211474
When Disarm removes Flash fromPowerPoint, Flash is not replacedwith a white image in a multilevelembedded attachment.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211464
Selecting "Enable HTML textscanning" in a Content Filter ruleonly applies to themessage body, notto the message's attachments.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH208735
Whenyou enableSenderID/SPF, thechecking of SPF TXT recordsreturned byDNS is case-sensitive forkeywords such as "a", "mx", and "ip".
The errors heartbeat_init ->
gimli_heartbeat_attachandheartbeat_init->Default appear at startup, and can be safelyignored.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216379
Errors are displayed in the MTA Log(maillog).
Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
14
Table 1-3 Known issues (continued)
DescriptionIssue
The Disarm service cannot be started or stoppedfrom the Control Center. Starting or stoppingDisarm can only be done from the Command LineInterface, using the service mta commands.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216412
Stopping and starting the BrightmailEngine (or MTA) from the ControlCenter does not restart Disarm.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211466
Unsaved changes to quarantinesettings are lost when you edit thenotification template.
Disarm logs can display the errorCReconstructor::LogStats: cannot create
directory for '$filename' with
error:File exists. This error can be safelyignored.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211467
Misleading error messages mayappear in the Disarm logs.
There are several update issues that all involvedifferences between the true status of the updateand its status as displayed in the Control Center.
Viewing the update.log from the Command LineInterfacewill always provide accurate information.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH210607
In the Control Center, on theAdministration > Host Version >Updates page, the status displayedfor a specific hostmaynot accuratelyreflect the actual status of the hostor of the update process.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211468
Release and view links are not visiblewhen spam summary messages areviewed as text-only.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211470
The cc-config entry in theCommand Line Reference and manpage does not include informationabout the limit-tlsv1.1 option.
The uncompressed size of attachments is alwaysused when testing file size.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216385
Documentation incorrectly statesthat file attachment size limitsconsiders only the compressed sizeof compressed attachments.
15Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
Table 1-3 Known issues (continued)
DescriptionIssue
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH225349
The Symantec Messaging GatewayInstallation Guide omits AD 2012from list of supported directoryservers.
In the 10.5.1 Symantec Messaging GatewayAdministrationGuide, the note section on page 774should read: Note: If you make an error when youtype the host name, you block all access to theControl Center. If this situation occurs, use thecommanddelete bcchostacl fromthecommandline to clear the list of computers that are permittedto access theControl Center. See delete onpage 855.
In the 10.5.1 Symantec MessagingGateway Administration Guide, onpage 774, the command used to cleara hostname enterred in error ismisidentifies. It says to use clearbcchostacl instead of deletebcchostacl.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH215003
Symantec Messaging Gateway maybe unable to deliver mail if TLSdelivery is being attempted and thethe receiving MTA strictlyimplements TLSv1.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216389
Symantec Messaging Gateway mayfail to process certainmessages withbadly formatted MIME attachmentheaders.
If inbound and outbound mail is received ondifferent interfaces or ports, this problem will notoccur.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH211480
If both inbound and outbound mailis received on the same IP addressand port, mail from an IP addresswith a broken PTR record will bedeferred.
This is expected behavior in versions 10.5 and later.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH216382
The Symantec Messaging Gatewayreaches out tohttps://tmsg.symantec.com/ to reporttelemetry. This site is notdocumented in our list of accessedweb sites.
Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
16
Table 1-3 Known issues (continued)
DescriptionIssue
When you import two certificates that have thesame private key into the Symantec MessagingGateway, the second certificate overwrites the firstcertificate. There is nowarningwhen you are aboutto overwrite a certificate, just a confirmationmessage that the certificate was updated.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH218025
Multiple certificates using the sameprivate key are not allowed on theSymantec Messaging Gateway.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH208718
When you create a custom date andtimestamp format, you mayencounter unexpected results.
Some very short messsages in non-US ASCII charsets may not display correctly when usingAuto-Detect or Auto Chinese.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH225315
Some messages held in theQuarantine folder may not displaycorrectly when selected.
Whendomainsareunable tonegotiate anacceptablecipher, they bounce amessage instead of deliveringit without TLS. To deliver messages in thiscircumstance, disable opportunistic TLS.
See the associatedknowledgebase article for details:
http://www.symantec.com/docs/TECH225316
Symantec Messaging Gateway maybe unable to deliver mail if TLSdelivery is being attempted,whendomains are unable to negotiate anacceptable cipher.
17Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
Symantec Messaging Gateway 10.5.3 Release NotesKnown issues
18