Академический Документы
Профессиональный Документы
Культура Документы
4 Release Notes
powered by Brightmail
About Symantec Messaging Gateway 9.5.4 Documentation Supported platforms Supported Web browsers Supported paths to version 9.5.4 Unsupported paths to version 9.5.4 Important information about installation on VMware Special instructions for users who upgrade from 9.5.0-19 Important information before you update to version 9.5.4 Known issues Resolved issues
Symantec Messaging Gateway 9.5.4 is the upgrade to previous versions of Symantec Messaging Gateway, formerly Symantec Brightmail Gateway. All functionality of Symantec Messaging Gateway 9.5.4 is maintained unless otherwise noted.
Documentation
You can access English documentation at the following Web site: www.symantec.com/business/support/index?page=content&key=53991& channel=DOCUMENTATION The site provides best practices, troubleshooting information, and other resources for Symantec Messaging Gateway. Check the following Web site for any issues that are found after these release notes were finalized: http://www.symantec.com/docs/TECH185792 To access the software update description from the Control Center, click Administration > Hosts > Version. On the Updates tab, click View Description. To view the Symantec support policy for Symantec Messaging Gateway, see the following links: http://go.symantec.com/security_appliance_support http://go.symantec.com/appliance_hw_support To read the translated 9.5 documentation, copy and paste any of the following URLs into a Web browser, and then click the Documentation link: Chinese (Simplified) http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN Chinese (Traditional) http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW Japanese http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP Korean http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR
Supported platforms
You can update to Symantec Messaging Gateway 9.5.4 on any of the following platforms:
n
All supported hardware versions For more information about Symantec Messaging Gateway hardware testing support, on the Internet, go to the following URL: http://www.symantec.com/docs/TECH186269 To determine what hardware version you have, at the command line type the following:
show -i
n n
Software update from version 8.0.3 or later OSrestore from ISO on supported hardware or in supported virtual environment VMware installation with OVF file See Important information about installation on VMware on page 6.
Software update from versions earlier than 8.0.3 Direct upgrade from beta versions
Symantec Messaging Gateway 9.5.4 Release Notes Important information about installation on VMware
See the Symantec Messaging Gateway 9.5 Installation Guide for instructions. If you use the BusLogic controller when you upgrade to 9.5.4 with VMware ESX or VMware ESXi 4.1/4.0/3.5, you must change the SCSI Controller Type in your virtual machine settings before the upgrade as follows:
n
When you upgrade through VMware ESX 3.5, you must switch the SCSI Controller Type in your virtual machine settings to "LSI controller". When you upgrade through VMware ESX 4.1/4.0, you must switch the SCSI Controller Type in your virtual machine settings to "LSI SAS".
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
Note: If your Control Center and Scanners do not run version 8.0.3 or later, you must update them to 8.0.3 before you update to version 9.5.4. After you update the Control Center and Scanners to version 8.0.3, ensure that the Control Center can communicate with all Scanners. If the communication is successful, proceed to update the Control Center and Scanners to version 9.5.4. For more information, on the Internet, go to the following URL: http://www.symantec.com/docs/TECH186744
Note: The software update process can take several hours. During this process, mail throughput is unaffected. However, the mail that is intended for quarantine remains in the delivery queue until migration is complete. Table 1-1 describes suggested best practices and important considerations you should consider for all upgrades. Table 1-1 Item
Do not restart.
Perform a backup.
Stop mail flow to Scanners To reduce Scanner update time and complexity you should and flush queues before you stop mail flow to Scanners and drain all queues. update. To halt incoming messages, click Administration > Hosts > Configuration, edit a Scanner. On the Services tab, click Do not accept incoming messages and click Save. Allow some time for messages to drain from your queues. To check the queues, click Status > SMTP > Message Queues. Flush the messages that are left in the queues.
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
Table 1-2 describes suggested best practices and important considerations you should consider before you update from version 8.0 3. Table 1-2 Item
Stop mail flow to shared Control Center/Scanner systems if using content incidents.
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
Change in crash alert In previous releases, crash alert notifications were sent from mail notifications. process-cleanup@<appliance hostname>. In versions 9.0.x, the envelope sender of a crash alert is the same address as the envelope recipient. Reduce Spam Quarantine size. Versions before 9.0 used a database for Spam Quarantine messages. In 9.x, Spam Quarantine messages are stored in the file system to make the message store more robust and scalable. Migration of Spam Quarantine messages to the file system can take a significant amount of time depending on the number of messages to be migrated. Migration can take several hours if your Spam Quarantine contains a large number of messages. To minimize the migration time, reduce the number of messages in Spam Quarantine before you update the Control Center to version 9.5.4 from version 8.0.3. Use the Spam Quarantine Expunger to reduce the number of Spam Quarantine messages. This situation is not applicable if you already run 9.0.x. For more information about how to configure the Spam Quarantine Expunger, on the Internet, go to the following URL: http://www.symantec.com/docs/HOWTO53927 Domino-specific If you use one or more Domino LDAP Sync sources with one or directory integration more alias domain values, add those values as Symantec Messaging considerations. Gateway domain aliases before you update to version 9.0.x. Once you have updated, you can optionally modify the resulting data directory service recipient validation and address resolution query filters to include (mail=%u@<domain>) and (uid=%u@<domain>) clauses as necessary if you do not want to use domain aliases on the Symantec Messaging Gateway host.
10
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
11
Directory integration The following are issues you should consider before you update: considerations. n The new directory data service caches the query results to reduce the load that is placed on the directory servers and to improve Scanner performance. The cache builds over time. After you update from version 8.0.3 to version 9.5.4 there may be an initial slow down of mail throughput under a heavy load. The slow down can occur in the first few minutes as the cache builds. n The LDAP query filter formats in 9.0.x have been standardized to use the %s, %u, and %d tokens. These tokens were previously used only for the recipient validation and routing query filters. If authentication, synchronization, or both are enabled in 8.0.3, the query filters are modified to use the standard tokens after you update to version 9.5.4. If you previously modified any of the default query filters, confirm the functionality of the authentication and address resolution functions in 9.5.4. Use the new Test Query option in the Control Center. n In Symantec Brightmail Gateway 8.0.3 and earlier releases, only LDAP groups were displayed on the Administration > Users > Policy Groups page. In 9.0.x, both LDAP groups and distribution lists appear for a newly added LDAP source. You can view both groups and distribution lists after you update your deployment. n The LDAP recipient validation function is now used to check incoming messages for both Reject invalid recipients and Drop invalid recipients. If you have an 8.0.3 deployment and use LDAP synchronization with Protocols > SMTP > Invalid Recipients set to Drop invalid recipients, the LDAP source is migrated to a source with both recipient validation and address resolution functions enabled after you update to 9.0.x. Additionally, if you have any enabled recipient validation sources in your 8.0.3 deployment, they are used for Drop invalid recipients upon update to 9.0.x.
12
Symantec Messaging Gateway 9.5.4 Release Notes Important information before you update to version 9.5.4
New content folders The following are considerations you should know before you are created when you update: update from version n After you update a Control Center to version 9.0.x from 8.0.3, 8.0.3. it displays twice the number of content incident folders than you previously had configured. To facilitate the new incident Expunger, 9.0.x requires Informational Incidents and Quarantine Incidents (hold for review) to be stored in separate folders. Folders that contain mixed incidents are separated in the migration process. After migration, new incident folders are created for the quarantine incidents. All policies are migrated to save quarantine incidents to the new folders. You do not have to adjust your policy configuration after migration. n In 9.0.x the content folders can contain either informational incidents or quarantine incidents but not both. As a result, new behavior has been introduced. If a message violates multiple content filtering polices, then an incident is created for the higher precedence policy in the designated folder. Subsequent content filtering policy violations are recorded as informational incidents in the default information incidents folder. This situation is not applicable if you are already running 9.0.x. URI reporting is This release can detect and record Uniform Resource Identifiers enabled after update. (URI) that occur in email messages to improve URI-based filters. Symantec Messaging Gateway sends Symantec Security Response every URI in the messages that Symantec Messaging Gateway scans for spam (inbound and outbound scanning). Symantec uses this information to develop new URI-based filters. You receive these updated filters through the Conduit. This feature is enabled by default. If you want to change this setting, go to the Email tab of the Spam > Settings > Scan Settings page. Check or uncheck Report URIs to Symantec Security Response, and then click Save.
13
To reenable end user preferences, update the Control Center and ensure that user preferences are replicated. n User preferences are not replicated to remote Scanners during the migration process. To ensure that user preferences are applied, you must replicate them manually after you update the Control Center and all Scanners. Otherwise user preferences are replicated at the default time of midnight. Navigate to the Users tab of the Administration > Settings > Control Center page and click Replicate Now once all systems are upgraded. n The user preference replication alert is enabled by default after you update to version 9.0.x. Symantec Brightmail Gateway sends an alert to administrators configured to receive alerts when user preferences replication finds an error. You can disable this alert on the DDS tab on the Administration > Settings > Alerts page.
Known issues
Table 1-3 describes the known issues in version 9.5.4.
14
Error messages are When you upgrade from a release before 9.5.3, you may observe a generated when you number of benign error messages during the upgrade process. The upgrade. errors are reflected to the console and the update.log. http://www.symantec.com/docs/TECH173852 Error messages are generated when you configure your NTP server information. When you configure your NTP server information during installation or when you modify it post-installation, you may observe an error message in your message log. The message indicates that the requested IPv6 address cannot be assigned. You can ignore this message. http://www.symantec.com/docs/TECH186256 Control Center After an ISO install of versions 9.5.2 - 9.5.4, the Control Center listens for HTTP listens for HTTP traffic on port 41080. To stop this behavior, type traffic on port 41080 the following at the command line: on install. cc-config http --off. This issue does not apply if you have upgraded from releases before 9.5.2. http://www.symantec.com/docs/TECH186845 SSLv3 connections are not supported when FIPS mode is enabled. The Require TLS encryption option for SMTP authorization does not work as expected when FIPS mode is enabled. When you run in normal, non-FIPS mode, Symantec Messaging Gateway accepts both TLS and SSLv3.0 connections. When FIPS mode is enabled, even if the Require TLS encryption option is disabled, the connections that use SSLv3.0 and earlier are not supported. For more information, see the Symantec Messaging Gateway FIPS 140-2 level 1 Deployment Guide. http://www.symantec.com/docs/TECH186251 Error message appears when update check command is issued. When you upgrade from a release before 9.5.2 and run the update check command, you may receive a message that some packages cannot be installed. You can ignore this message. http://www.symantec.com/docs/TECH169454
15
Errors in logs during During an update, errors may appear despite a successful upgrade update. as follows: Errors appear in the MySQL error log for a successful update. You can disregard these errors. n You may find some unexpected messages that are related to module-loading failure in the conduit log. You can ignore these messages.
n
9.5.2 included changes to the appliance platform, which includes the operating system and database versions. http://www.symantec.com/docs/TECH169981 Possible errors during bootstrap process. /data/logs/boot.log may not appear upon fresh install. As a result, you may see some related errors during the bootstrap process, including a red [FAILED] status from "Adjusting Symantec Messaging Gateway services." You can ignore these errors. http://www.symantec.com/docs/TECH186249 FIPS mode not automatically enabled upon OS restore. Your FIPS state is not saved as part of a backup. If you perform an OS restore on a Symantec Messaging Gateway 9.5.2 host or later with FIPS mode on, manually turn on the FIPS mode after the restore completes. http://www.symantec.com/docs/TECH186248 Download may take longer than for past updates. When you upgrade from versions before 9.5.2, the download portion of the update process can take substantially longer than past updates. This situation is due to the large size of the download package. http://www.symantec.com/docs/TECH186191 MTA takes several minutes to start on a FIPS-enabled appliance that is configured with SMTP authentication and Accept TLS. The following actions take significantly longer with FIPS mode turned on than they do with FIPS mode turned off:
n n
Restarting the Message Transfer Agent (MTA) service Any configuration change that implicitly restarts the MTA service
The host may appear to be hung for several minutes, but it is not. As a best practice, enable FIPS mode as the final step in your setup process before you deploy the host in a production environment. http://www.symantec.com/docs/TECH186189
16
delete ddsconfig does not remove directory data sources from the Control Center.
Unable to load cache data from /data/dds/dds-cache.ser in dds.log during upgrade from 9.0 to 9.5.4. Virtual machine kernel panics after update to 9.5.2.
When you upgrade from a version before 9.5.2, Symantec Messaging Gateway is unable to load the cache data from /data/dds/dds-cache in dds.log. The DDS cache is rebuilt as messages are processed after upgrade. http://www.symantec.com/docs/TECH186186 After you update the Symantec Messaging Gateway virtual appliance to 9.5.2, the virtual machine (VM) fails to restart. The VMware console indicates that VMware is unable to restart due to a kernel panic. http://www.symantec.com/docs/TECH168754
The Russia time zone Russia no longer changes for Daylight Savings Time. The correct is incorrect. time should be GMT +4 rather than GMT +3. http://www.symantec.com/docs/TECH173452
Resolved issues
Table 1-4 describes the issues that are resolved in 9.5.4.
17
Symantec Messaging Gateway does Symantec Messaging Gateway now catches Office not catch password protected Word 2007 password-protected files as 2007 file. 'Password-protected files ' in content filtering. http://www.symantec.com/docs/TECH186184 sshd-config -v2 command is not Setting the ssh protocol to version 2 persists following system restart and no longer needs to be persistent after restart it changes reset. itself back to version 1. Messages that have been received but not scanned have no clickable link on MAL display screen. UPS alert that power has been restored is not always sent. Host names with IP-like strings generating false positives. The ability to see the status of messages just received in the audit log was added. http://www.symantec.com/docs/TECH186181 UPS alerts are now consistently sent. http://www.symantec.com/docs/TECH186180 Host names with IP-like strings are now properly processed by the Scanners. http://www.symantec.com/docs/TECH162696 Leading hash tag or pound symbol A leading hash tag or pound symbol (#) in TLS (#) in TLS certificate-signing request certificate parameters no longer results in an error. generates an application error. http://www.symantec.com/docs/TECH167286 File names are not recorded in log When an attachment cannot be scanned, Symantec statements when decomposition is Messaging Gateway now logs the file name in the aborted due to exceeding maximum Brightmail Engine log. values. http://www.symantec.com/docs/TECH186178
18