
Symantec Messaging Gateway 9.5.4 Release Notes
powered by Brightmail


This document includes the following topics:
- About Symantec Messaging Gateway 9.5.4
- Documentation
- Supported platforms
- Supported Web browsers
- Supported paths to version 9.5.4
- Unsupported paths to version 9.5.4
- Important information about installation on VMware
- Special instructions for users who upgrade from 9.5.0-19
- Important information before you update to version 9.5.4
- Known issues
- Resolved issues

About Symantec Messaging Gateway 9.5.4


Copyright 2012 Symantec Corporation. All rights reserved.

Symantec Messaging Gateway 9.5.4 is the upgrade to previous versions of Symantec Messaging Gateway, formerly Symantec Brightmail Gateway. All functionality of Symantec Messaging Gateway 9.5.4 is maintained unless otherwise noted.

Documentation
You can access English documentation at the following Web site:
www.symantec.com/business/support/index?page=content&key=53991&channel=DOCUMENTATION

The site provides best practices, troubleshooting information, and other resources for Symantec Messaging Gateway.

Check the following Web site for any issues that are found after these release notes were finalized:
http://www.symantec.com/docs/TECH185792

To access the software update description from the Control Center, click Administration > Hosts > Version. On the Updates tab, click View Description.

To view the Symantec support policy for Symantec Messaging Gateway, see the following links:
http://go.symantec.com/security_appliance_support
http://go.symantec.com/appliance_hw_support

To read the translated 9.5 documentation, copy and paste any of the following URLs into a Web browser, and then click the Documentation link:
Chinese (Simplified): http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN
Chinese (Traditional): http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW
Japanese: http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP
Korean: http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

Supported platforms
You can update to Symantec Messaging Gateway 9.5.4 on any of the following platforms:
- All supported hardware versions
  For more information about Symantec Messaging Gateway hardware testing support, on the Internet, go to the following URL: http://www.symantec.com/docs/TECH186269
  To determine what hardware version you have, at the command line type the following:
  show -i
- VMware ESX or ESXi 3.5 - 4.1
- vSphere 4.1/4.0

Supported Web browsers


You can access the Symantec Messaging Gateway Control Center on any of the following supported Web browsers:
- Internet Explorer 8/7
- Firefox 3.5.x - 7

Supported paths to version 9.5.4


You can update to Symantec Messaging Gateway 9.5.4 by using any of the following methods:
- Software update from version 8.0.3 or later
- OS restore from ISO on supported hardware or in supported virtual environment
- VMware installation with OVF file
  See Important information about installation on VMware.

Unsupported paths to version 9.5.4


You cannot update to Symantec Messaging Gateway 9.5.4 by using any of the following methods:
- Software update from versions earlier than 8.0.3
- Direct upgrade from beta versions

Important information about installation on VMware


You can install Symantec Messaging Gateway 9.5.4 on supported VMware platforms by loading either of the following:
ISO file
    You can load the ISO file into a preconfigured virtual machine. You can use the ISO file on VMware ESX or ESXi 3.5 - 4.1 or vSphere 4.1/4.0.
OVF template
    You can also load the OVF, which includes the virtual machine configuration. You can use the OVF for VMware ESX or ESXi 3.5 - 4.1 or vSphere 4.1/4.0.

See the Symantec Messaging Gateway 9.5 Installation Guide for instructions.

If you use the BusLogic controller when you upgrade to 9.5.4 with VMware ESX or VMware ESXi 4.1/4.0/3.5, you must change the SCSI Controller Type in your virtual machine settings before the upgrade as follows:
- When you upgrade through VMware ESX 3.5, you must switch the SCSI Controller Type in your virtual machine settings to "LSI controller".
- When you upgrade through VMware ESX 4.1/4.0, you must switch the SCSI Controller Type in your virtual machine settings to "LSI SAS".

For more information, on the Internet, go to the following URL: http://www.symantec.com/docs/TECH168754

Special instructions for users who upgrade from 9.5.0-19


Symantec recommends that you upgrade your Control Center before you upgrade your Scanners. If you do not upgrade the Control Center first, you must use the command line interface to upgrade remote Scanners.

Important information before you update to version 9.5.4


This topic contains the migration information that you should read before you update to version 9.5.4. You must update to Symantec Messaging Gateway 9.5.4 from Symantec Brightmail Gateway 8.0.3 or later.

Note: If your Control Center and Scanners do not run version 8.0.3 or later, you must update them to 8.0.3 before you update to version 9.5.4. After you update the Control Center and Scanners to version 8.0.3, ensure that the Control Center can communicate with all Scanners. If the communication is successful, proceed to update the Control Center and Scanners to version 9.5.4. For more information, on the Internet, go to the following URL: http://www.symantec.com/docs/TECH186744

Note: The software update process can take several hours. During this process, mail throughput is unaffected. However, the mail that is intended for quarantine remains in the delivery queue until migration is complete.

Table 1-1 describes suggested best practices and important considerations for all upgrades.

Table 1-1 Best practices for all upgrades

Item: Do not restart.
Description: The software update process may take several hours to complete. If you restart before the process is complete, data corruption is likely. If data corruption occurs, the appliance must be reinstalled with a factory image.

Item: Delete log messages.
Description: If your site policies let you, delete all Scanner and LDAP log messages.

Item: Perform a backup.
Description: Symantec recommends that you take a full system backup before you run the software update and store it off-box.

Item: Stop mail flow to Scanners and flush queues before you update.
Description: To reduce Scanner update time and complexity you should stop mail flow to Scanners and drain all queues. To halt incoming messages, click Administration > Hosts > Configuration, edit a Scanner. On the Services tab, click Do not accept incoming messages and click Save. Allow some time for messages to drain from your queues. To check the queues, click Status > SMTP > Message Queues. Flush the messages that are left in the queues.

Item: Update Scanners first.
Description: Each appliance must be updated individually. As a best practice, Symantec recommends that you update all Scanners before updating the Control Center. You do not have to update all of your Scanners at the same time. You can update some Scanners to version 9.5.4 and leave some with the older version. That way some Scanners continue to protect your site while you update others. However, if the Control Center and Scanner versions are different, the Control Center cannot make configuration changes to the Scanner.
Note: If you upgrade from version 9.5.0-19, upgrade the Control Center first.

Item: Perform software update at off-peak hours.
Description: When you update the Control Center, the Control Center appliance is offline and unusable. Scanners cannot deliver messages to quarantine on the Control Center during the software update, so messages build up in a queue. Running software update on a Control Center appliance can take quite some time. Plan to update the Control Center appliance during off-peak hours. When you migrate a Scanner, it goes offline. Scanner resources are unavailable during the migration process. Software update of a Scanner takes less time than the software update of the Control Center.

Table 1-2 describes suggested best practices and important considerations before you update from version 8.0.3.

Table 1-2 Version 8.0.3 Specific Migration Guidance

Item: Stop mail flow to shared Control Center/Scanner systems if using content incidents.
Description: Stop mail flow to all-in-one Control Center and Scanner systems before you update. If you fail to stop the mail flow, any new incidents that are created on a combined Control Center and Scanner during the migration process are stored in the default incident folder. This behavior is limited to only the new incidents that are created during the Control Center migration. All previously created incidents are migrated to the correct folders. After you update to version 9.5.4, new incidents are sent to the correct folder.

Item: Reduce content incident folder size.
Description: Changes have been made in how content incidents are stored. As a result, the migration of content incidents can take a significant amount of time. In particular, the amount of time can be large if your Control Center has a large number of incidents in the folders. To minimize update time, delete unnecessary incidents before you update the Control Center to version 9.5.4 from version 8.0.3. This situation is not applicable if you already run 9.0.x. For more information about how to delete items in content incident folders, on the Internet, go to the following URL: http://www.symantec.com/docs/HOWTO53781

Item: Change in crash alert mail notifications.
Description: In previous releases, crash alert notifications were sent from process-cleanup@<appliance hostname>. In versions 9.0.x, the envelope sender of a crash alert is the same address as the envelope recipient.

Item: Reduce Spam Quarantine size.
Description: Versions before 9.0 used a database for Spam Quarantine messages. In 9.x, Spam Quarantine messages are stored in the file system to make the message store more robust and scalable. Migration of Spam Quarantine messages to the file system can take a significant amount of time depending on the number of messages to be migrated. Migration can take several hours if your Spam Quarantine contains a large number of messages. To minimize the migration time, reduce the number of messages in Spam Quarantine before you update the Control Center to version 9.5.4 from version 8.0.3. Use the Spam Quarantine Expunger to reduce the number of Spam Quarantine messages. This situation is not applicable if you already run 9.0.x. For more information about how to configure the Spam Quarantine Expunger, on the Internet, go to the following URL: http://www.symantec.com/docs/HOWTO53927

Item: Domino-specific directory integration considerations.
Description: If you use one or more Domino LDAP Sync sources with one or more alias domain values, add those values as Symantec Messaging Gateway domain aliases before you update to version 9.0.x. Once you have updated, you can optionally modify the resulting data directory service recipient validation and address resolution query filters to include (mail=%u@<domain>) and (uid=%u@<domain>) clauses as necessary if you do not want to use domain aliases on the Symantec Messaging Gateway host.

Item: Directory data considerations.
Description: The following are issues you should consider before you update:
- For some installations, you may need to add access to LDAP ports for 9.0.x. The Control Center and Scanners that use any LDAP features must be able to connect directly to the LDAP servers. LDAP features include authentication, routing, recipient validation, and address resolution (previously known as synchronization). Your Control Center and Scanners may already meet this requirement. This access change is a new requirement if your environment matches both of the following criteria:
  - You have a distributed deployment with at least one separate Scanner.
  - The deployment uses one or more LDAP sources with the Synchronization usage enabled.
  If your environment matches these criteria, use the ldapsearch command to check connectivity on each host before you update to version 9.0.x. For information about how to use ldapsearch, on the Internet go to the following URL: http://www.symantec.com/docs/TECH95775
- In versions 9.0.x, any recipient address that includes a domain alias is considered valid if all of the following conditions are true:
  - You have one or more domains configured as an alias in Protocols > SMTP > Aliases.
  - You have Protocols > SMTP > Invalid Recipients set to either Drop or Reject.
  If both of the conditions are true, no call is made to the LDAP server to determine whether the recipient is valid or not.

Item: Directory integration considerations.
Description: The following are issues you should consider before you update:
- The new directory data service caches the query results to reduce the load that is placed on the directory servers and to improve Scanner performance. The cache builds over time. After you update from version 8.0.3 to version 9.5.4 there may be an initial slow down of mail throughput under a heavy load. The slow down can occur in the first few minutes as the cache builds.
- The LDAP query filter formats in 9.0.x have been standardized to use the %s, %u, and %d tokens. These tokens were previously used only for the recipient validation and routing query filters. If authentication, synchronization, or both are enabled in 8.0.3, the query filters are modified to use the standard tokens after you update to version 9.5.4. If you previously modified any of the default query filters, confirm the functionality of the authentication and address resolution functions in 9.5.4. Use the new Test Query option in the Control Center.
- In Symantec Brightmail Gateway 8.0.3 and earlier releases, only LDAP groups were displayed on the Administration > Users > Policy Groups page. In 9.0.x, both LDAP groups and distribution lists appear for a newly added LDAP source. You can view both groups and distribution lists after you update your deployment.
- The LDAP recipient validation function is now used to check incoming messages for both Reject invalid recipients and Drop invalid recipients. If you have an 8.0.3 deployment and use LDAP synchronization with Protocols > SMTP > Invalid Recipients set to Drop invalid recipients, the LDAP source is migrated to a source with both recipient validation and address resolution functions enabled after you update to 9.0.x. Additionally, if you have any enabled recipient validation sources in your 8.0.3 deployment, they are used for Drop invalid recipients upon update to 9.0.x.

Item: New content folders are created when you update from version 8.0.3.
Description: The following are considerations you should know before you update:
- After you update a Control Center to version 9.0.x from 8.0.3, it displays twice the number of content incident folders than you previously had configured. To facilitate the new incident Expunger, 9.0.x requires Informational Incidents and Quarantine Incidents (hold for review) to be stored in separate folders. Folders that contain mixed incidents are separated in the migration process. After migration, new incident folders are created for the quarantine incidents. All policies are migrated to save quarantine incidents to the new folders. You do not have to adjust your policy configuration after migration.
- In 9.0.x the content folders can contain either informational incidents or quarantine incidents but not both. As a result, new behavior has been introduced. If a message violates multiple content filtering policies, then an incident is created for the higher precedence policy in the designated folder. Subsequent content filtering policy violations are recorded as informational incidents in the default information incidents folder.
This situation is not applicable if you are already running 9.0.x.

Item: URI reporting is enabled after update.
Description: This release can detect and record Uniform Resource Identifiers (URI) that occur in email messages to improve URI-based filters. Symantec Messaging Gateway sends Symantec Security Response every URI in the messages that Symantec Messaging Gateway scans for spam (inbound and outbound scanning). Symantec uses this information to develop new URI-based filters. You receive these updated filters through the Conduit. This feature is enabled by default. If you want to change this setting, go to the Email tab of the Spam > Settings > Scan Settings page. Check or uncheck Report URIs to Symantec Security Response, and then click Save.

Item: User preferences considerations.
Description: The following are considerations you should know before you update:
- Versions of Brightmail Gateway before 9.0 used the LDAP synchronization schedule time to replicate user preferences to the Scanners. In 9.0.x, LDAP synchronization has been deprecated and user preferences replication happens on the default schedule of once per day at midnight. You can change the schedule or replicate user preferences manually on the Users tab of the Administration > Settings > Control Center page.
- If the following conditions occur, it is recommended that you upgrade the Control Center first. If not, end user preferences are not in effect until you update the Control Center and perform a replication:
  - You have a distributed deployment
  - End user preferences are enabled
  To reenable end user preferences, update the Control Center and ensure that user preferences are replicated.
- User preferences are not replicated to remote Scanners during the migration process. To ensure that user preferences are applied, you must replicate them manually after you update the Control Center and all Scanners. Otherwise user preferences are replicated at the default time of midnight. Navigate to the Users tab of the Administration > Settings > Control Center page and click Replicate Now once all systems are upgraded.
- The user preference replication alert is enabled by default after you update to version 9.0.x. Symantec Brightmail Gateway sends an alert to administrators configured to receive alerts when user preferences replication finds an error. You can disable this alert on the DDS tab on the Administration > Settings > Alerts page.
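The Domino and Directory integration entries in Table 1-2 ask you to confirm any modified query filters after the update. The following added example (not Symantec code, and not part of the original release notes) lints a filter template and previews how it expands for a sample recipient, escaping the value so that it cannot change the filter structure. It assumes %s is the full address, %u the local part and %d the domain; the function names, sample addresses and the alias.example domain are constructed for illustration.

```python
import re

# Assumption: the release notes name the %s, %u and %d tokens without defining
# them; here %s = full address, %u = local part, %d = domain part.
TOKEN_RE = re.compile(r"%(.)")
KNOWN_TOKENS = {"s", "u", "d"}

# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def lint_filter(template):
    """Return a list of problems found in a query filter template."""
    problems = []
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # closing parenthesis with no opener
                break
    if depth != 0:
        problems.append("unbalanced parentheses")
    tokens = TOKEN_RE.findall(template)
    unknown = sorted({t for t in tokens if t not in KNOWN_TOKENS})
    if unknown:
        problems.append("unknown token(s): " + ", ".join("%" + t for t in unknown))
    if not KNOWN_TOKENS.intersection(tokens):
        problems.append("no %s, %u or %d token, so the recipient is never used")
    return problems


def expand_filter(template, address):
    """Expand the tokens in a template for one recipient address."""
    local, at, domain = address.rpartition("@")
    if not (at and local and domain):
        raise ValueError("expected local@domain, got %r" % address)
    values = {"s": address, "u": local, "d": domain}

    def substitute(match):
        token = match.group(1)
        if token not in values:
            return match.group(0)  # leave unknown tokens for lint_filter to report
        return escape_filter_value(values[token])

    # One pass over the template: substituted text is never rescanned for tokens.
    return TOKEN_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed templates and addresses, for illustration only.
    templates = [
        "(|(mail=%s)(uid=%u))",
        "(|(mail=%u@alias.example)(uid=%u@alias.example))",  # Domino-style clauses
        "(mail=%x",  # malformed on purpose
    ]
    for template in templates:
        print(template, "->", lint_filter(template) or "ok")
    for address in ["alice@example.com", "a*(b)@example.com"]:
        print(expand_filter(templates[0], address))
```

The expanded filter can then be compared with what the Test Query option in the Control Center returns for the same recipient.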

Known issues
Table 1-3 describes the known issues in version 9.5.4.

Table 1-3 Known issues

Issue: Error messages are generated when you upgrade.
Description: When you upgrade from a release before 9.5.3, you may observe a number of benign error messages during the upgrade process. The errors are reflected to the console and the update.log. http://www.symantec.com/docs/TECH173852

Issue: Error messages are generated when you configure your NTP server information.
Description: When you configure your NTP server information during installation or when you modify it post-installation, you may observe an error message in your message log. The message indicates that the requested IPv6 address cannot be assigned. You can ignore this message. http://www.symantec.com/docs/TECH186256

Issue: Control Center listens for HTTP traffic on port 41080 on install.
Description: After an ISO install of versions 9.5.2 - 9.5.4, the Control Center listens for HTTP traffic on port 41080. To stop this behavior, type the following at the command line:
cc-config http --off
This issue does not apply if you have upgraded from releases before 9.5.2. http://www.symantec.com/docs/TECH186845

Issue: SSLv3 connections are not supported when FIPS mode is enabled.
Description: The Require TLS encryption option for SMTP authorization does not work as expected when FIPS mode is enabled. When you run in normal, non-FIPS mode, Symantec Messaging Gateway accepts both TLS and SSLv3.0 connections. When FIPS mode is enabled, even if the Require TLS encryption option is disabled, the connections that use SSLv3.0 and earlier are not supported. For more information, see the Symantec Messaging Gateway FIPS 140-2 level 1 Deployment Guide. http://www.symantec.com/docs/TECH186251

Issue: Error message appears when update check command is issued.
Description: When you upgrade from a release before 9.5.2 and run the update check command, you may receive a message that some packages cannot be installed. You can ignore this message. http://www.symantec.com/docs/TECH169454

Issue: Errors in logs during update.
Description: During an update, errors may appear despite a successful upgrade as follows:
- Errors appear in the MySQL error log for a successful update. You can disregard these errors.
- You may find some unexpected messages that are related to module-loading failure in the conduit log. You can ignore these messages.
9.5.2 included changes to the appliance platform, which includes the operating system and database versions. http://www.symantec.com/docs/TECH169981

Issue: Possible errors during bootstrap process.
Description: /data/logs/boot.log may not appear upon fresh install. As a result, you may see some related errors during the bootstrap process, including a red [FAILED] status from "Adjusting Symantec Messaging Gateway services." You can ignore these errors. http://www.symantec.com/docs/TECH186249

Issue: FIPS mode not automatically enabled upon OS restore.
Description: Your FIPS state is not saved as part of a backup. If you perform an OS restore on a Symantec Messaging Gateway 9.5.2 host or later with FIPS mode on, manually turn on the FIPS mode after the restore completes. http://www.symantec.com/docs/TECH186248

Issue: Download may take longer than for past updates.
Description: When you upgrade from versions before 9.5.2, the download portion of the update process can take substantially longer than past updates. This situation is due to the large size of the download package. http://www.symantec.com/docs/TECH186191

Issue: MTA takes several minutes to start on a FIPS-enabled appliance that is configured with SMTP authentication and Accept TLS.
Description: The following actions take significantly longer with FIPS mode turned on than they do with FIPS mode turned off:
- Restarting the Message Transfer Agent (MTA) service
- Any configuration change that implicitly restarts the MTA service
The host may appear to be hung for several minutes, but it is not. As a best practice, enable FIPS mode as the final step in your setup process before you deploy the host in a production environment. http://www.symantec.com/docs/TECH186189

Issue: delete ddsconfig does not remove directory data sources from the Control Center.
Description: If you use the delete ddsconfig command to remove the ddsconfig.xml file from the disk, the DDS configuration remains in the database. The DDS configurations on the Control Center remain unchanged. To delete data sources in the Control Center, perform the following tasks:
1. In the Control Center, click Administration > Directory Integration.
2. On the Directory Integration Settings page, select the data source or sources you want to remove, and click Delete.
http://www.symantec.com/docs/TECH186188

Issue: Unable to load cache data from /data/dds/dds-cache.ser in dds.log during upgrade from 9.0 to 9.5.4.
Description: When you upgrade from a version before 9.5.2, Symantec Messaging Gateway is unable to load the cache data from /data/dds/dds-cache in dds.log. The DDS cache is rebuilt as messages are processed after upgrade. http://www.symantec.com/docs/TECH186186

Issue: Virtual machine kernel panics after update to 9.5.2.
Description: After you update the Symantec Messaging Gateway virtual appliance to 9.5.2, the virtual machine (VM) fails to restart. The VMware console indicates that VMware is unable to restart due to a kernel panic. http://www.symantec.com/docs/TECH168754

Issue: The Russia time zone is incorrect.
Description: Russia no longer changes for Daylight Savings Time. The correct time should be GMT +4 rather than GMT +3. http://www.symantec.com/docs/TECH173452

Resolved issues
Table 1-4 describes the issues that are resolved in 9.5.4.

Table 1-4 Resolved issues

Issue: Symantec Messaging Gateway does not catch password protected Word 2007 file.
Description: Symantec Messaging Gateway now catches Office 2007 password-protected files as 'Password-protected files' in content filtering. http://www.symantec.com/docs/TECH186184

Issue: sshd-config -v2 command is not persistent after restart; it changes itself back to version 1.
Description: Setting the ssh protocol to version 2 persists following system restart and no longer needs to be reset.

Issue: Messages that have been received but not scanned have no clickable link on MAL display screen.
Description: The ability to see the status of messages just received in the audit log was added. http://www.symantec.com/docs/TECH186181

Issue: UPS alert that power has been restored is not always sent.
Description: UPS alerts are now consistently sent. http://www.symantec.com/docs/TECH186180

Issue: Host names with IP-like strings generating false positives.
Description: Host names with IP-like strings are now properly processed by the Scanners. http://www.symantec.com/docs/TECH162696

Issue: Leading hash tag or pound symbol (#) in TLS certificate-signing request generates an application error.
Description: A leading hash tag or pound symbol (#) in TLS certificate parameters no longer results in an error. http://www.symantec.com/docs/TECH167286

Issue: File names are not recorded in log statements when decomposition is aborted due to exceeding maximum values.
Description: When an attachment cannot be scanned, Symantec Messaging Gateway now logs the file name in the Brightmail Engine log. http://www.symantec.com/docs/TECH186178