Symantec Messaging Gateway 9.5.4 Release Notes

Symantec™ MessagingGateway 9.5.4 Release Notes

powered by Brightmail™

Symantec MessagingGateway 9.5.4 ReleaseNotes

This document includes the following topics:

n About Symantec Messaging Gateway 9.5.4

n Documentation

n Supported platforms

n Supported Web browsers

n Supported paths to version 9.5.4

n Unsupported paths to version 9.5.4

n Important information about installation on VMware

n Special instructions for users who upgrade from 9.5.0-19

n Important information before you update to version 9.5.4

n Known issues

n Resolved issues

About Symantec Messaging Gateway 9.5.4Copyright 2012 Symantec Corporation. All rights reserved.

Symantec Messaging Gateway 9.5.4 is the upgrade to previous versions ofSymantec Messaging Gateway, formerly Symantec Brightmail Gateway. Allfunctionality of SymantecMessagingGateway9.5.4 ismaintainedunless otherwisenoted.

DocumentationYou can access English documentation at the following Web site:

www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION

The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.

Check the following Web site for any issues that are found after these releasenotes were finalized:

http://www.symantec.com/docs/TECH185792

To access the software update description from the Control Center, clickAdministration > Hosts > Version. On the Updates tab, click View Description.

To view the Symantec support policy for Symantec Messaging Gateway, see thefollowing links:

http://go.symantec.com/security_appliance_support

http://go.symantec.com/appliance_hw_support

To read the translated 9.5 documentation, copy and paste any of the followingURLs into a Web browser, and then click the Documentation link:

Chinese (Simplified)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

Chinese (Traditional)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

Japanese

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

Korean

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

Symantec Messaging Gateway 9.5.4 Release NotesDocumentation

4




http://go.symantec.com/security_appliance_support

http://go.symantec.com/appliance_hw_support

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

Supported platformsYou can update to Symantec Messaging Gateway 9.5.4 on any of the followingplatforms:

n All supported hardware versionsFor more information about Symantec Messaging Gateway hardware testingsupport, on the Internet, go to the following URL:http://www.symantec.com/docs/TECH186269To determine what hardware version you have, at the command line type thefollowing:show -i

n VMware ESX or ESXi 3.5 - 4.1

n vSphere 4.1/4.0

Supported Web browsersYou can access the Symantec Messaging Gateway Control Center on any of thefollowing supported Web browsers:

n Internet Explorer 8/7

n Firefox 3.5.x - 7

Supported paths to version 9.5.4Youcanupdate toSymantecMessagingGateway9.5.4 byusing anyof the followingmethods:

n Software update from version 8.0.3 or later

n OSrestore fromISOonsupportedhardwareor in supportedvirtual environment

n VMware installation with OVF fileSee “Important information about installation on VMware” on page 6.

Unsupported paths to version 9.5.4You cannot update to Symantec Messaging Gateway 9.5.4 by using any of thefollowing methods:

n Software update from versions earlier than 8.0.3

n Direct upgrade from beta versions

5Symantec Messaging Gateway 9.5.4 Release NotesSupported platforms


Important information about installation on VMwareYou can install Symantec Messaging Gateway 9.5.4 on supported VMwareplatforms by loading either of the following:

You can load the ISO file into a preconfigured virtual machine.

You can use the ISO file on VMware ESX or ESXi 3.5 - 4.1 or vSphere4.1/4.0.

ISO file

You can also load the OVF, which includes the virtual machineconfiguration.

You can use the OVF for VMware ESX or ESXi 3.5 - 4.1 or vSphere4.1/4.0.

OVF template

See the Symantec Messaging Gateway 9.5 Installation Guide for instructions.

If you use the BusLogic controller when you upgrade to 9.5.4 with VMware ESXor VMware ESXi 4.1/4.0/3.5, you must change the SCSI Controller Type in yourvirtual machine settings before the upgrade as follows:

n When you upgrade through VMware ESX 3.5, you must switch the SCSIController Type in your virtual machine settings to "LSI controller".

n When you upgrade through VMware ESX 4.1/4.0, you must switch the SCSIController Type in your virtual machine settings to "LSI SAS".

For more information, on the Internet, go to the following URL:


Special instructions for users who upgrade from9.5.0-19

Symantec recommends that you upgrade your Control Center before you upgradeyour Scanners. If you do not upgrade the Control Center first, you must use thecommand line interface to upgrade remote Scanners.

Important information before you update to version9.5.4

This topic contains the migration information that you should read before youupdate to version 9.5.4. You must update to Symantec Messaging Gateway 9.5.4from Symantec Brightmail Gateway 8.0.3 or later.

Symantec Messaging Gateway 9.5.4 Release NotesImportant information about installation on VMware

6

http://www.symantec.com/docs/TECh168754

Note: If your Control Center and Scanners do not run version 8.0.3 or later, youmust update them to 8.0.3 before you update to version 9.5.4. After you updatethe Control Center and Scanners to version 8.0.3, ensure that the Control Centercan communicate with all Scanners. If the communication is successful, proceedto update the Control Center and Scanners to version 9.5.4.

For more information, on the Internet, go to the following URL:http://www.symantec.com/docs/TECH186744

Note: The software update process can take several hours. During this process,mail throughput is unaffected. However, the mail that is intended for quarantineremains in the delivery queue until migration is complete.

Table 1-1 describes suggested best practices and important considerations youshould consider for all upgrades.

Table 1-1 Best practices for all upgrades

DescriptionItem

The software update process may take several hours tocomplete. If you restart before the process is complete, datacorruption is likely. If data corruption occurs, the appliancemust be reinstalled with a factory image.

Do not restart.

If your site policies let you, delete all Scanner and LDAP logmessages.

Delete log messages.

Symantec recommends that you take a full system backupbefore you run the software update and store it off-box.

Perform a backup.

To reduce Scanner update time and complexity you shouldstop mail flow to Scanners and drain all queues.

To halt incoming messages, click Administration > Hosts> Configuration, edit a Scanner. On the Services tab, clickDo not accept incoming messages and click Save. Allowsome time formessages to drain fromyour queues. To checkthe queues, click Status > SMTP > Message Queues. Flushthe messages that are left in the queues.

Stop mail flow to Scannersand flush queues before youupdate.

7Symantec Messaging Gateway 9.5.4 Release NotesImportant information before you update to version 9.5.4


Table 1-1 Best practices for all upgrades (continued)

DescriptionItem

Each appliance must be updated individually. As a bestpractice, Symantec recommends that you update allScanners before updating the Control Center. You do nothave to update all of your Scanners at the same time. Youcan update some Scanners to version 9.5.4 and leave somewith the older version. That way some Scanners continueto protect your sitewhile youupdate others.However, if theControl Center and Scanner versions are different, theControl Center cannot make configuration changes to theScanner.

Note: If you upgrade from version 9.5.0-19, upgrade theControl Center first.

Update Scanners first.

When you update the Control Center, the Control Centerappliance is offline and unusable. Scanners cannot delivermessages to quarantine on the Control Center during thesoftware update, so messages build up in a queue. Runningsoftwareupdate onaControl Center appliance can takequitesome time. Plan to update the Control Center applianceduring off-peak hours.

When you migrate a Scanner, it goes offline. Scannerresources are unavailable during the migration process.Software update of a Scanner takes less time than thesoftware update of the Control Center.

Perform software update atoff-peak hours.

Table 1-2 describes suggested best practices and important considerations youshould consider before you update from version 8.0 3.

Table 1-2 Version 8.0.3 Specific Migration Guidance

DescriptionItem

Stop mail flow to all-in-one Control Center and Scanner systemsbefore you update. If you fail to stop the mail flow, any newincidents that are created on a combined Control Center andScanner during the migration process are stored in the defaultincident folder. This behavior is limited to only the new incidentsthat are createdduring theControl Centermigration.All previouslycreated incidents are migrated to the correct folders. After youupdate to version 9.5.4, new incidents are sent to the correct folder.

Stop mail flow toshared ControlCenter/Scannersystems if usingcontent incidents.

Symantec Messaging Gateway 9.5.4 Release NotesImportant information before you update to version 9.5.4

8

Table 1-2 Version 8.0.3 Specific Migration Guidance (continued)

DescriptionItem

Changes have been made in how content incidents are stored. Asa result, the migration of content incidents can take a significantamount of time. In particular, the amount of time can be large ifyour Control Center has a large number of incidents in the folders.Tominimize update time, delete unnecessary incidents before youupdate the Control Center to version 9.5.4 fromversion 8.0.3. Thissituation is not applicable if you already run 9.0.x.

Formore information about how todelete items in content incidentfolders, on the Internet, go to the following URL:

http://www.symantec.com/docs/HOWTO53781

Reduce contentincident folder size.

In previous releases, crash alert notifications were sent fromprocess-cleanup@<appliance hostname>. In versions 9.0.x, theenvelope sender of a crash alert is the sameaddress as the enveloperecipient.

Change in crash alertmail notifications.

Versions before 9.0usedadatabase for SpamQuarantinemessages.In 9.x, Spam Quarantine messages are stored in the file system tomake the message store more robust and scalable. Migration ofSpamQuarantinemessages to the file systemcan take a significantamount of time depending on the number of messages to bemigrated. Migration can take several hours if your SpamQuarantine contains a large number ofmessages. Tominimize themigration time, reduce thenumberofmessages inSpamQuarantinebefore you update the Control Center to version 9.5.4 fromversion8.0.3. Use the Spam Quarantine Expunger to reduce the numberof Spam Quarantine messages. This situation is not applicable ifyou already run 9.0.x.

Formore information abouthow to configure theSpamQuarantineExpunger, on the Internet, go to the following URL:


Reduce SpamQuarantine size.

If you use one or more Domino LDAP Sync sources with one ormore alias domain values, add those values as SymantecMessagingGateway domain aliases before you update to version 9.0.x. Onceyou have updated, you can optionally modify the resulting datadirectory service recipient validation and address resolution queryfilters to include (mail=%u@<domain>) and (uid=%u@<domain>)clauses as necessary if you do not want to use domain aliases onthe Symantec Messaging Gateway host.

Domino-specificdirectory integrationconsiderations.





DescriptionItem

The following are issues you should consider before you update:

n For some installations, you may need to add access to LDAPports for 9.0.x. The Control Center and Scanners that use anyLDAP features must be able to connect directly to the LDAPservers. LDAP features include authentication, routing,recipient validation, and address resolution (previously knownas synchronization). Your Control Center and Scanners mayalready meet this requirement. This access change is a newrequirement if your environmentmatches both of the followingcriteria:n Youhave adistributeddeploymentwith at least one separate

Scanner.n The deployment uses one or more LDAP sources with the

Synchronization usage enabled.If your environment matches these criteria, use theldapsearch command to check connectivity on each hostbefore you update to version 9.0.x.For information about how touseldapsearch, on the Internetgo to the following URL:http://www.symantec.com/docs/TECH95775

n In versions 9.0.x, any recipient address that includes a domainalias is considered valid if all of the following conditions aretrue:n You have one or more domains configured as an alias in

Protocols > SMTP > Aliases.n You have Protocols > SMTP > Invalid Recipients set to

either Drop or Reject.If both of the conditions are true, no call is made to the LDAPserver to determine whether the recipient is valid or not.

Directory dataconsiderations.


10



DescriptionItem

The following are issues you should consider before you update:

n The new directory data service caches the query results toreduce the load that is placed on the directory servers and toimprove Scanner performance. The cache builds over time.After you update from version 8.0.3 to version 9.5.4 there maybe an initial slow down of mail throughput under a heavy load.The slow down can occur in the first few minutes as the cachebuilds.

n The LDAP query filter formats in 9.0.x have been standardizedtouse the%s,%u, and%d tokens. These tokenswere previouslyused only for the recipient validation and routing query filters.If authentication, synchronization, or both are enabled in 8.0.3,the query filters are modified to use the standard tokens afteryou update to version 9.5.4. If you previously modified any ofthe default query filters, confirm the functionality of theauthentication and address resolution functions in 9.5.4. Usethe new Test Query option in the Control Center.

n In Symantec Brightmail Gateway 8.0.3 and earlier releases,only LDAP groups were displayed on the Administration >Users > Policy Groups page. In 9.0.x, both LDAP groups anddistribution lists appear for a newly added LDAP source. Youcan view both groups and distribution lists after you updateyour deployment.

n The LDAP recipient validation function is now used to checkincomingmessages for bothRejectinvalidrecipients andDropinvalid recipients. If you have an 8.0.3 deployment and useLDAP synchronization with Protocols > SMTP > InvalidRecipients set to Drop invalid recipients, the LDAP source ismigrated to a sourcewith both recipient validation and addressresolution functions enabled after you update to 9.0.x.Additionally, if you have any enabled recipient validationsources in your8.0.3 deployment, they areused forDropinvalidrecipients upon update to 9.0.x.

Directory integrationconsiderations.



DescriptionItem

The following are considerations you should know before youupdate:

n After you update a Control Center to version 9.0.x from 8.0.3,it displays twice the number of content incident folders thanyou previously had configured.To facilitate the new incident Expunger, 9.0.x requiresInformational Incidents and Quarantine Incidents (hold forreview) to be stored in separate folders. Folders that containmixed incidents are separated in the migration process. Aftermigration, new incident folders are created for the quarantineincidents. All policies aremigrated to save quarantine incidentsto the new folders. You do not have to adjust your policyconfiguration after migration.

n In 9.0.x the content folders can contain either informationalincidents or quarantine incidents but not both. As a result, newbehavior has been introduced. If a message violates multiplecontent filtering polices, then an incident is created for thehigher precedence policy in the designated folder. Subsequentcontent filteringpolicy violations are recorded as informationalincidents in the default information incidents folder.

This situation is not applicable if you are already running 9.0.x.

New content foldersare created when youupdate from version8.0.3.

This release can detect and record Uniform Resource Identifiers(URI) that occur in email messages to improve URI-based filters.SymantecMessagingGateway sends Symantec Security Responseevery URI in the messages that Symantec Messaging Gatewayscans for spam (inbound and outbound scanning). Symantec usesthis information to develop new URI-based filters. You receivethese updated filters through the Conduit. This feature is enabledby default. If you want to change this setting, go to the Email tabof the Spam > Settings > Scan Settings page. Check or uncheckReportURIstoSymantecSecurityResponse, and then clickSave.

URI reporting isenabled after update.


12


DescriptionItem

The following are considerations you should know before youupdate:

n Versions of Brightmail Gateway before 9.0 used the LDAPsynchronization schedule time to replicate user preferences tothe Scanners. In 9.0.x, LDAP synchronization has beendeprecated and user preferences replication happens on thedefault schedule of once per day at midnight. You can changethe schedule or replicate user preferences manually on theUsers tab of the Administration > Settings > Control Centerpage.

n If the following conditions occur, it is recommended that youupgrade the Control Center first. If not, end user preferencesare not in effect until you update the Control Center andperform a replication:n You have a distributed deploymentn End user preferences are enabledTo reenable end user preferences, update the Control Centerand ensure that user preferences are replicated.

n User preferences are not replicated to remote Scanners duringthe migration process. To ensure that user preferences areapplied, you must replicate them manually after you updatetheControl Center andall Scanners.Otherwiseuser preferencesare replicated at the default time of midnight. Navigate to theUsers tab of the Administration > Settings > Control Centerpage and click Replicate Now once all systems are upgraded.

n The user preference replication alert is enabled by default afteryou update to version 9.0.x. Symantec Brightmail Gatewaysends an alert to administrators configured to receive alertswhen user preferences replication finds an error. You candisable this alert on the DDS tab on the Administration >Settings > Alerts page.

User preferencesconsiderations.

Known issuesTable 1-3 describes the known issues in version 9.5.4.

13Symantec Messaging Gateway 9.5.4 Release NotesKnown issues

Table 1-3 Known issues

DescriptionIssue

When you upgrade from a release before 9.5.3, you may observe anumber of benign error messages during the upgrade process. Theerrors are reflected to the console and the update.log.


Error messages aregenerated when youupgrade.

WhenyouconfigureyourNTPserver informationduring installationor when you modify it post-installation, you may observe an errormessage in your message log. The message indicates that therequested IPv6 address cannot be assigned. You can ignore thismessage.


Error messages aregenerated when youconfigure your NTPserver information.

After an ISO install of versions 9.5.2 - 9.5.4, the Control Centerlistens for HTTP traffic on port 41080. To stop this behavior, typethe following at the command line:

cc-config http --off.

This issue does not apply if youhave upgraded from releases before9.5.2.


Control Centerlistens for HTTPtraffic on port 41080on install.

The Require TLS encryption option for SMTP authorization doesnot work as expected when FIPS mode is enabled. When you run innormal, non-FIPSmode, SymantecMessagingGatewayaccepts bothTLS and SSLv3.0 connections. When FIPS mode is enabled, even ifthe Require TLS encryption option is disabled, the connectionsthat use SSLv3.0 and earlier are not supported.

For more information, see the Symantec Messaging Gateway FIPS140-2 level 1 Deployment Guide.


SSLv3 connectionsare not supportedwhen FIPS mode isenabled.

When you upgrade from a release before 9.5.2 and run the updatecheck command, you may receive a message that some packagescannot be installed. You can ignore this message.


Error messageappears whenupdate checkcommand is issued.

Symantec Messaging Gateway 9.5.4 Release NotesKnown issues

14





http://www.symantec.com/business/support/index?page=content&id=TECH169454

Table 1-3 Known issues (continued)

DescriptionIssue

During an update, errors may appear despite a successful upgradeas follows:

n Errors appear in the MySQL error log for a successful update.You can disregard these errors.

n You may find some unexpected messages that are related tomodule-loading failure in the conduit log. You can ignore thesemessages.

9.5.2 included changes to the appliance platform, which includesthe operating system and database versions.


Errors in logs duringupdate.

/data/logs/boot.log may not appear upon fresh install. As a result,you may see some related errors during the bootstrap process,including a red [FAILED] status from "Adjusting SymantecMessaging Gateway services." You can ignore these errors.


Possible errorsduring bootstrapprocess.

Your FIPS state is not saved as part of a backup. If you perform anOS restore on a Symantec Messaging Gateway 9.5.2 host or laterwithFIPSmodeon,manually turnon theFIPSmodeafter the restorecompletes.


FIPS mode notautomaticallyenabled upon OSrestore.

Whenyouupgrade fromversions before 9.5.2, the downloadportionof the update process can take substantially longer than pastupdates. This situation is due to the large size of the downloadpackage.


Download may takelonger than for pastupdates.

The following actions take significantly longer with FIPS modeturned on than they do with FIPS mode turned off:

n Restarting the Message Transfer Agent (MTA) servicen Any configuration change that implicitly restarts the MTA

service

The host may appear to be hung for several minutes, but it is not.As a best practice, enable FIPS mode as the final step in your setupprocess before you deploy the host in a production environment.


MTA takes severalminutes to start on aFIPS-enabledappliance that isconfigured withSMTPauthenticationand Accept TLS.

15Symantec Messaging Gateway 9.5.4 Release NotesKnown issues






Table 1-3 Known issues (continued)

DescriptionIssue

If you use the delete ddsconfig command to remove theddsconfig.xml file from the disk, the DDS configuration remains inthe database. TheDDS configurations on the Control Center remainunchanged.

To delete data sources in the Control Center, perform the followingtasks:

1. In the Control Center, click Administration > DirectoryIntegration.

2. On theDirectoryIntegrationSettingspage, select the data sourceor sources you want to remove, and click Delete.


delete ddsconfigdoes not removedirectory datasources from theControl Center.

Whenyouupgrade fromaversionbefore 9.5.2, SymantecMessagingGateway is unable to load the cache data from /data/dds/dds-cachein dds.log. TheDDS cache is rebuilt asmessages are processed afterupgrade.


Unable to load cachedata from/data/dds/dds-cache.serin dds.log duringupgrade from 9.0 to9.5.4.

After youupdate theSymantecMessagingGatewayvirtual applianceto 9.5.2, the virtual machine (VM) fails to restart. The VMwareconsole indicates that VMware is unable to restart due to a kernelpanic.


Virtual machinekernel panics afterupdate to 9.5.2.

Russia no longer changes for Daylight Savings Time. The correcttime should be GMT +4 rather than GMT +3.


TheRussia timezoneis incorrect.

Resolved issuesTable 1-4 describes the issues that are resolved in 9.5.4.

Symantec Messaging Gateway 9.5.4 Release NotesResolved issues

16



http://www.symantec.com/docs/TECh168754


Table 1-4 Resolved issues

DescriptionIssue

Symantec Messaging Gateway now catches Office2007 password-protected files as'Password-protected files ' in content filtering.


Symantec Messaging Gateway doesnot catch password protected Word2007 file.

Setting the ssh protocol to version 2 persistsfollowing system restart and no longer needs to bereset.

sshd-config -v2 command isnotpersistent after restart it changesitself back to version 1.

The ability to see the status ofmessages just receivedin the audit log was added.


Messages that have been receivedbut not scanned have no clickablelink on MAL display screen.

UPS alerts are now consistently sent.


UPS alert that power has beenrestored is not always sent.

Host names with IP-like strings are now properlyprocessed by the Scanners.


Host names with IP-like stringsgenerating false positives.

A leading hash tag or pound symbol (#) in TLScertificate parameters no longer results in an error.


Leading hash tag or pound symbol(#) in TLS certificate-signing requestgenerates an application error.

When an attachment cannot be scanned, SymantecMessaging Gateway now logs the file name in theBrightmail Engine log.


File names are not recorded in logstatements when decomposition isaborted due to exceeding maximumvalues.

17Symantec Messaging Gateway 9.5.4 Release NotesResolved issues







Symantec Messaging Gateway 9.5.4 Release NotesResolved issues

18

Documents

Symantec Messaging Gateway 9.5.4 Release Notes