symantec messaging gateway 10.5.2 release notes

SymantecMessagingGateway 10.5.2 ReleaseNotes

powered by Brightmail

Symantec MessagingGateway 10.5.2 ReleaseNotes

This document includes the following topics:

About Symantec Messaging Gateway 10.5.2

What's new

Documentation

Support policy

Supported platforms

Unsupported platforms

Supported web browsers

Supported paths to version 10.5.2

Unsupported paths to version 10.5.2

Important information about installation in virtual environments

Important information before you update to version 10.5.2

Resolved issues

Known issues

About Symantec Messaging Gateway 10.5.2Copyright 2014 Symantec Corporation. All rights reserved.

Symantec Messaging Gateway 10.5.2 is the upgrade to previous versions ofSymantec Messaging Gateway. All functionality of Symantec Messaging Gateway10.5.1 is maintained unless otherwise noted.

Note: You must be at Symantec Messaging Gateway 10.5.1 in order to update toSymantec Messaging Gateway 10.5.2. You can only update to version 10.5.1 fromversion 10.0.3 or later.

What's newThis release of Symantec Messaging Gateway fixes known defects and addressesknown vulnerabilities, and also includes the following new and enhanced features:

Fixes to HTTP proxy settings: previous releases did not allow certain specialcharacters in usernames or passwords. This issue is now resolved.

Custom rule submission: this release includes several improvements to theprocess of submitting messages for custom rules.

Corrections for Content Filtering reports: previously some of the pre-generatedContent Filtering policies did not appear in the Content Filtering reports. Thisissue is now resolved.

Longer keys for self-signed certificates: self-signed certificates now use keysthat are 4096 bits in length. You can now generate authority-signed certificaterequests with both 2048-bit and 4096-bit keys.

Local Good and Bad Sender improvements: under certain circumstances, whenLocal Good or Bad Sender IP addresses were entered with overlapping ranges,rules would fail to load. This issue is now resolved.

Time/NTP server implementation: SymantecMessagingGateway 10.5.2 includesseveral improvements to Time/NTP server configuration, including the ability todeploy up to five NTP servers instead of three.

DocumentationYou can access English documentation at the following website:

http://www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION&sort=recent

3Symantec Messaging Gateway 10.5.2 Release NotesAbout Symantec Messaging Gateway 10.5.2

The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.

Check the following website for any issues that are found after these release noteswere finalized:

http://www.symantec.com/docs/TECH215638

To access the software update description from the Control Center, clickAdministration > Hosts > Version. On the Updates tab, click View Description.

To view the Symantec support policy for Symantec Messaging Gateway, see thefollowing links:

http://go.symantec.com/security_appliance_support

http://go.symantec.com/appliance_hw_support

To read the translated 10.5 documentation, copy and paste any of the followingURLs into a web browser, and then click the Documentation link:

Chinese (Simplified)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

Chinese (Traditional)

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

Japanese

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

Korean

http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

You can access English documentation at the following website:

http://www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION&sort=recent

The site provides best practices, troubleshooting information, and other resourcesfor Symantec Messaging Gateway.

Support policySymantec provides standard support for only the most current build of the licensedsoftware.

For more information about Symantec's support policies, on the Internet, go to thefollowing URL:

http://go.symantec.com/security_appliance_support

4Symantec Messaging Gateway 10.5.2 Release NotesSupport policy

Supported platformsYou can update to Symantec Messaging Gateway 10.5.2 on any of the followingplatforms:

All supported hardware versions: 8380, 8360, and 8340 purchased afterNovember 2008

VMware ESXi/vSphere 5.0/5.1/5.5

Microsoft Hyper-V: Windows Server 2008 and Hyper-V Server 2008, WindowsServer 2012 and Hyper-V Server 2012

For more information about Symantec Messaging Gateway hardware testingsupport, on the Internet, go to the following URL:http://www.symantec.com/docs/TECH123135

Unsupported platformsUnsupported platforms are as follows:

Any virtual platform not listed

Hardware platforms 8220, 8240, 8260, 8320, and 8340 (PowerEdge 860 version)purchased on or before November 2008 are unsupported, as are hardwareplatforms 8360 (PowerEdge 1950 version) and 8380 (PowerEdge 2950 version)purchased on or before March 2009.For more information about Symantec Messaging Gateway hardware testingsupport, on the Internet, go to the following URL:http://www.symantec.com/docs/TECH186269To determine what hardware version you have, at the command line type thefollowing:show --info

Supported web browsersYou can access the Symantec Messaging Gateway Control Center on any of thefollowing supported web browsers:

Internet Explorer 10 or later

Firefox 26 or later

Chrome 23 or later

5Symantec Messaging Gateway 10.5.2 Release NotesSupported platforms

Supported paths to version 10.5.2You can update to Symantec Messaging Gateway 10.5.2 by using any of thefollowing methods:

Software update from version 10.5.1 on supported hardware or in supportedvirtual environments

OSRestore from ISO on supported hardware or in supported virtual environments

VMware installation with OVF file

Unsupported paths to version 10.5.2You cannot update to Symantec Messaging Gateway 10.5.2 by using any of thefollowing methods:

Versions other than 10.5.1

Direct upgrade from beta versions

Important information about installation in virtualenvironments

Symantec Messaging Gateway 10.5 supports two virtual environments: VMwareand Microsoft Hyper-V.

To install on VMwareThere are two methods for installing on supported VMware platforms:

You can load the ISO file into a preconfigured virtual machine.

You can use the ISO file on VMware ESXi/vSphere 5.0/5.1/5.5.

ISO file

You can also load the OVF, which includes the virtual machineconfiguration.

You can use the OVF for VMware ESXi/vSphere 5.0/5.1/5.5.

OVF template

To install on Hyper-VThere is one method for installing on supported Hyper-V platforms:

6Symantec Messaging Gateway 10.5.2 Release NotesSupported paths to version 10.5.2

You can load the ISO file into a preconfigured virtual machine.

You can use the ISO file on Windows Server 2008 and Hyper-V Server2008, Windows Server 2012 and Hyper-V Server 2012.

ISO file

See the Symantec Messaging Gateway 10.5 Installation Guide for instructions andsystem requirements.

Note: To update to Symantec Messaging Gateway 10.5 in a virtual environment,you must verify that your virtual environment can support 64-bit virtualization. WhenIntel Virtualization Technology (also known as Intel-VT) is enabled in the BIOS, itallows the CPU to support multiple operating systems, including 64-bit architecture.On many Intel processors this setting may be disabled in the BIOS and must beenabled prior to installing Symantec Messaging Gateway 10.5. AMD processorsthat support 64-bit architecture usually have this setting enabled by default. SeeKB 1003945 from VMware for more information:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003945

Important information before you update to version10.5.2

This topic contains the migration information that you should read before you updateto version 10.5.2. You must update to Symantec Messaging Gateway 10.5.2 fromSymantec Messaging Gateway 10.5.1.

Note: The software update process can take several hours. During this process,mail throughput is unaffected. However, the mail that is intended for quarantineremains in the delivery queue until migration is complete.

Table 1-1 describes suggested best practices you should consider when you upgradefrom any version.

Table 1-1 Best practices for all upgrades

DescriptionItem

Symantec strongly recommends that you take a full system backup before you run thesoftware update and store it off-box.

Perform a backup.

7Symantec Messaging Gateway 10.5.2 Release NotesImportant information before you update to version 10.5.2

Table 1-1 Best practices for all upgrades (continued)

DescriptionItem

The software update process may take several hours to complete. If you restart beforethe process is complete, data corruption is likely to occur. If data corruption occurs, theappliance must be reinstalled with a factory image.

Do not restart.

If your site policies let you, delete all Scanner and DDS log messages.Delete log messages.

To reduce Scanner update time and complexity, you should stop mail flow to Scannersand drain all queues.

To halt incoming messages, click Administration > Hosts > Configuration, and edita Scanner. On the Services tab, click Do not accept incoming messages and clickSave. Allow some time for messages to drain from your queues. To check the queues,click Status > SMTP > Message Queues. Flush the messages that are left in thequeues.

Stop mail flow to Scannersand flush queues before youupdate.

Symantec strongly recommends that you update your Control Center before you updateyour Scanners. If you do not update the Control Center first, Symantec recommendsthat you use the command line interface to update remote Scanners. It is crucial thatthe time frame in which you update your Scanners to 10.5 is kept as short as possible:the Control Center is unable to propagate configuration changes to Scanners that areon different versions. Configurations in which the Control Center and Scanners rundifferent versions for an extended period are unsupported.

Update Control Center first.

When you update the Control Center, the Control Center appliance is offline andunusable. Scanners cannot deliver messages to quarantine on the Control Centerduring the software update, so messages build up in a queue. Running software updateon a Control Center appliance can take quite some time. Plan to update the ControlCenter appliance during off-peak hours.

When you migrate a Scanner, it goes offline. Scanner resources are unavailable duringthe migration process. Software update of a Scanner takes less time than the softwareupdate of the Control Center.

Perform software update atoff-peak hours.

Resolved issuesThis section describes the issues that are resolved in 10.5.2.

8Symantec Messaging Gateway 10.5.2 Release NotesResolved issues

Table 1-2 Resolved issues

Description and knowledge base article link (ifapplicable)

Issue

Fastpass was being granted for a Bad Sender IP (ifthat IP is sending non-spam emails and Action forLocal Bad Sender IP was to Modify the subjectline).

See the associated knowledge base article fordetails:


Fastpass was being granted for a BadSender IP.

These errors no longer occur. The Control Centerdisplays the expected results. See the associatedknowledge base article for details:


Under some circumstances, queriessubmitted from the Submission Detailpage returned the following errors:The service is not available

since there was a server

error to process the

request. Please contact your

system administrator. ERROR

- The UI and/or log errors

should indicate that the

server returned an HTTP 500

Internal Server Error (which

is not common) and that the

admin should correct the

search string and retry or

try another search string.



Message Audit Log text read Bypassall content filtering

policies even if only specificpolicies were being bypassed.

Rejected SMTP AUTH events are now displayed asexpected in the Control Center. See the associatedknowledge base article for details:


Control Center Message Audit Logsdid not display rejected SMTP AUTHevents.

This issue has been resolved. See the associatedknowledge base article for details:


Error returned while enabling HTTP:-ne: unary operator

expected.


Table 1-2 Resolved issues (continued)


Issue

Message Audit Log records now display as expected.See the associated knowledge base article fordetails:


Some Subject entries were improperlydisplayed in the Message Audit Logwhen they contained DBCS orHI-ASCII characters.

The group of errors may appear multiple times in theoutput. These errors may safely be ignored.

See the associated knowledge base article forinformation:


Three lines reading Configurationfile /etc/yum/pluginconf.

d/filename not found appearnear the top of the output for manycommand line update commands, aswell as in the update.log file.

This was a reporting error. The software had beendownloaded (which could be confirmed by viewingthe update.log file). A second download attempthad no effect. The software from the first downloadwas still stored on disk, and was available forinstallation.

See the associated knowledge base article forinformation:


This issue is also discussed in the followingknowledge base article:


After you performed an UpdateDownload from the command line,the Control Center's Versions >Update page did not displayAvailable for Download for thatversion instead of Downloaded.



IP Reputation Lookup did not indicatethat an IP was marked as a DirectoryHarvest Attack source.

This behavior was the result of an issue with thatspecific FTP server. The behavior is as designed.See the associated knowledge base article fordetails:


Appliance failed to generate a backupon remote FTP server withanonymous user.




Issue

When a diagnostic package is exported to aunreachable FTP server, the following error is nowdisplayed: FTP: Can't connect to10.217.32.1 ERROR: Unable to send to

the specified URL. Please verify the

URL address and credentials are

correct.



Exporting a diagnostic package viaFTP to an unreachable host producesa confusing error.

Time zone now displayed correctly as Singapore.See the associated knowledge base article fordetails:


End-user quarantine time zonedisplayed as Malaysia, though it hadbeen set to Singapore.



Overlapping network blocks in LocalBad Sender IPs caused a hang incertain situations.



Some default Content Filtering policieswere not displayed in Content Filteringreports.

Internet Explorer 8 is not supported. See theassociated knowledge base article for details:


Javascript error observed duringupdate in Internet Explorer 8.



Customer-specific SpamSubmissionsregistration failed with some proxyservers.



On the Control Center's Status >Hosts > Hardware Status >Localhost page, drop-down menusforAdministrator logout andOnlineHelp were not displayed.




Issue

The default key length for self-signed certificates hasbeen changed from 1024 bits to 2048 bits. TLScertificates with a key length of 1024 bits are nolonger considered secure. Symantec MessagingGateway now offers 2048- and 4096-bit keys. Seethe associated knowledge base article for details:


The option to create 1024-bitcertificate signing requests has beenremoved from the user interface.



A new action added to the BounceAttack Validation default spam policywas not applied until the MTA wasrestarted.



When attempting to sort columns onthe Submission Details page, usersmay encounter an application error.



Proxy functionality failed whenpasswords contained specialcharacters.



Under some circumstances, theControl Center lost contact with theScanner(s) after the agent-config-a command was entered.



Missing Message ID in Audit Log iforiginal message didn't haveMessageID.



Scheduled task failure alerts sentrepeatedly after software update.



Error seen during boot:/etc/rc3.d/S99mta: unary

operator expected.




Issue



Potential Distributed Reflection Denialof Service vulnerability in NTP on IPv6interface as described inCVE-2013-5211.



Mail Transfer Agent crashed whiletrying to deliver to a domain withhundreds of MX records pointing tonon-operational hosts.



The error Validation of statsfile engine_stats.*.xml

failed appeared in the conduit logwhen language blocking was enabled.

The solution to this condition is to restart the MTAservice. The errors can be safely ignored. See theassociated knowledge base article for details:


The file domains.db accumulatederrors over time and could not bereset. This caused the following errorsto appear when restarting the MTA:Datasource: failed to

prepare. Datasource query

failed for domain.com.

Message Audit Log searches now match the entirestring, so that searching works as expected. See theassociated knowledge base article for details:


Searching Message Audit Logs bysubject from the Control Centeraccepted only the first word as asearch term in a phrase with spaces.

If you include quotation marks in the local part of anemail addressallowed under RFC, but generallyonly used to escape special characters in the localpart (such as '



Issue

Submit Message page does not provide validationon some types of files, which can result in invalidsubmissions.



Customer-Specific SpamRules: inputvalidation not present on SubmitMessage page.

This was a result of using Internet Explorer 8, whichis no longer supported. See the associatedknowledge base article for details:


When large numbers of emails arereleased from spam quarantine, theControl Center sometimes logs usersout.

If a message that is submitted as a false positive ora false negative hits a duplicate rule, it gets displayedin the Control Center with GUMID and Rule IDwithout any hyperlink to lead to an associated ruleIDor informational message.

Submission detail report doesn'tprovide an annotation when aduplicate signature is found for amessage.

There are several update issues that all involvedifferences between the true status of the updateand its status as displayed in the Control Center.

Viewing the update.log from the Command LineInterface (CLI) will always provide accurateinformation.



In the Control Center, on theAdministration > Host Version >Updates page, the status displayedfor a specific host may not accuratelyreflect the actual status of the host orof the update process.

Known issuesThis section describes the known issues in version 10.5.2.

14Symantec Messaging Gateway 10.5.2 Release NotesKnown issues

Table 1-3 Known issues

DescriptionIssue

Embedded images are not being correctly extractedfrom RTF file attachments, which prevents ContentFiltering policies intended to detect images fromfiring.



Content Filtering policy does notdetect images within RTFattachments.

Non-RFC5322-compliant messages cannot besubmitted for Customer-Specific Spam Rules eventhough the messages are delivered to user inboxeswithout issue.


Messages with lines over 998characters long cannot be submittedfor Customer-Specific SpamRules viathe Control Center.

Once logged in, administrators continue with thesame rights until they log outtheir permissions arecached. Also, administrators with full rights to theControl Center can delete their own accounts withoutreceiving a warning.



The Control Center allows activesessions for administrators withdeleted accounts.

Given a ZIP file split into several parts and sent onepart per message, Symantec Messaging Gatewaydoes not detect all ZIP file parts in a consistentmanner, though it does so for other compressed files(such as RAR files) that are similarly divided. Not allsuch messages are considered unscannable, aswould be expected.


Split ZIP file detection is notconsistent.



The online Help regarding the statusof the Scanners in the HostAttributes section on theHost Statuspage does not match the SymantecMessaging Gateway user interface.


Table 1-3 Known issues (continued)

DescriptionIssue

When using both Symantec Content Encryption (CE)and Symantec Bounce Attack Validation (BATV),replies to encrypted messages sent from the contentencryption web portal are flagged as invalid bouncemessages and rejected.


Replies to messages sent via theSymantec Content Encryption servicealways fail bounce attack validation.

Language identification scanning does not occur ifa message as a whole is over 100 KB. The overallmessage size is considered, rather than themessagebody. For example, if a message that contains onlya paragraph of Chinese text also includes a 100+KBGIF file, then language identification does not occur.


Language identification does not runfor messages over 100 KB, regardlessof the message body size.

When Disarm is set to remove Flash content fromMicrosoft PowerPoint documents, Flash content thatis contained in a multilevel embedded attachment isnot replaced with a white image, as expected.Instead, the first image in the Flash content isdisplayed.



When Disarm removes Flash fromPowerPoint, Flash is not replaced witha white image in a multilevelembedded attachment.

There is no way to stop or start the Disarm servicefrom the Control Center. Stopping or starting Disarmcan only be done from the Command Line Interface,using the service mta commands.



Stopping and starting the Brightmailengine (or MTA) from the ControlCenter does not restart Disarm.



The Symantec Messaging GatewayInstallation Guide incorrectly statesthat inbound local delivery is limitedto three servers, while the SymantecMessaging Gateway AdministrationGuide states (correctly) that localdelivery is unlimited.



DescriptionIssue



The Message Audit Log showsdelivery status as "Processing Status"for messages that were deleted dueto a verdict ofvirus/worm/unscannable; status isnever updated.

There are several update issues that all involvedifferences between the true status of the updateand its status as displayed in the Control Center.

Viewing the update.log from the Command LineInterface (CLI) will always provide accurateinformation.



In the Control Center, on theAdministration > Host Version >Updates page, the status displayedfor a specific host may not accuratelyreflect the actual status of the host orof the update process.

The topic "About using SMTP authentication" liststhe MUA versions that Symantec MessagingGateway has been tested against. This list shouldinclude Microsoft Outlook 2010, but it should notinclude Thunderbird 2 Mail.app (for MacOS).



In the Control Center online Help andin the Symantec Messaging GatewayAdministration Guide, the list of MUAssupported is incorrect.



Selecting "Enable HTML textscanning" in a Content Filter rule onlyapplies to the message body, not tothe message's attachments.



When you enableSender ID/SPF, thechecking of SPF TXT records returnedby DNS is case-sensitive for keywordssuch as "a", "mx", and "ip".



DescriptionIssue

The errors heartbeat_init ->gimli_heartbeat_attach andheartbeat_init ->Default appear at startup,and can be safely ignored.



Errors are displayed in the MTA Log(maillog).



Unsaved changes to quarantinesettings are lost when you edit thenotification template.

Disarm logs can display the errorCReconstructor::LogStats: cannot create

directory for '$filename' with

error:File exists. This error can be safelyignored.



Error messages can be displayed inDisarm logs.



Release and view links are not visiblewhen spam summary messages areviewed as text-only.



The cc-config entry in theCommand Line Reference and manpage does not include informationabout the limit-tlsv1.1 option.

With any TLS for DLP setting enabled in aFIPS-enabled appliance, messages sent to DLP inReflect mode get stuck in the Delivery queue withTLS negotiation failed.



TLS to FIPS-enabled DLP PreventServer Version 12 fails negotiation.



DescriptionIssue

If inbound and outboundmail is received on differentinterfaces or ports, this problem will not occur.



If both inbound and outbound mail isreceived on the same IP address andport, mail from an IP address with abroken PTR record will be deferred.



Unchecking "Enable scanning ofnon-plain text attachments for wordsin dictionaries" also prevents scanningof plain text attachments.

The uncompressed size of attachments is alwaysused when testing file size.



Documentation incorrectly states thatfile attachment size limits considersonly the compressed size ofcompressed attachments.



A Microsoft Office 2007-formatteddocument may unexpectedly triggera Content policy based on theattachment size.



Symantec Messaging Gateway maybe unable to deliver mail if TLSdelivery is being attempted and thereceiving MTA has astrict-implementation lf TLSv1.



Symantec Messaging Gateway mayfail to process certain messages withbadly formatted MIME attachmentheaders.



Selecting the timezone "(GMT-04:00)Atlantic Time (Canada)" results intimezone being set to "(GMT-05:00)Eastern Time (US & Canada)".



Microsoft Office 2007 documents withfiles embedded using the 'Link to file'option are considered unscannabledue to limits exceeded.


Symantec Messaging Gateway 10.5.2 Release NotesSymantec Messaging Gateway 10.5.2 Release NotesAbout Symantec Messaging Gateway 10.5.2What's newDocumentationSupport policySupported platformsUnsupported platformsSupported web browsersSupported paths to version 10.5.2Unsupported paths to version 10.5.2Important information about installation in virtual environmentsImportant information before you update to version 10.5.2Resolved issuesKnown issues

symantec messaging gateway 10.5.2 release notes

Documents