IronPort AsyncOS 6.4. RELEASE NOTES for IronPort Security Appliances

Transcription

1 IronPort AsyncOS 6.4 RELEASE NOTES for IronPort Security Appliances

2 COPYRIGHT Copyright 2008 by IronPort Systems, Inc. All rights reserved. Part Number: Revision Date: August 18, 2008 The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus Outbreak Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe Network are trademarks or registered trademarks of Symantec Incorporated. McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Copyright 2007 McAfee, Inc. All rights reserved. Used with permission. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners. This publication and the information contained herein is furnished AS IS and is subject to change without notice. Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort Systems, Inc., assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and non-infringement of third-party rights. Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated in IronPort license agreements. The full text of these agreements can be found here: Portions of the software within IronPort AsyncOS is based upon the RRDtool with the express written consent of Tobi Oetiker. Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Symantec Incorporated. Portions of this document are reproduced with permission of Sophos Plc. Brightmail Anti-Spam is protected under U.S. Patent No. 6,052,709. IRONPORT SYSTEMS, INC. IronPort Systems, Inc. 950 Elm Ave. San Bruno, CA CONTACTING IRONPORT CUSTOMER SUPPORT If you have purchased support directly from IronPort Systems, you can request support by phone, , or online 24 hours a day, 7 days a week. During office hours (24 hours per day, Monday through Friday, excluding U.S. holidays), an engineer will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of our office hours, contact IronPort using the following information. U.S. toll-free: 1 (877) 641-IRON (4766) International: Support Portal: If you have purchased support through a reseller or other entity, contact the supplier for support of your IronPort products.

3 IronPort AsyncOS 6.4 For Security Appliances Release Notes These release notes contain information critical to upgrading and running AsyncOS 6.4, including hardware-specific information and known issues. What s New in This Release on page 2 New and Enhanced: LDAP Queries on page 2 Enhanced: Message Tracking on page 2 Enhanced: Increased Reporting Data Retention on page 2 Fixed Issues on page 4 Qualified Upgrade Paths on page 7 Upgrade Instructions on page 7 Preupgrade Notes on page 7 Upgrading to the AsyncOS 6.4 Release on page 9 Performance Advisory on page 9 Known Issues on page 11 Reporting Issues on page 11 LDAP Issues on page 11 IronPort Spam Quarantine Issues on page 12 Message and Content Filters Issues on page 12 Configuration File Issues on page 12 DKIM and Domainkeys Signing Issues on page 13 Other Known Issues on page 13 Contacting IronPort Customer Support on page 14 IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 1

4 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES WHAT S NEW IN THIS RELEASE This section describes the new enhancements added in this release of IronPort AsyncOS 6.4 for Security. New and Enhanced: LDAP Queries AsyncOS 6.4 features the following enhancements to LDAP queries: Testing LDAP servers. You can now test the connection to the LDAP servers that you have configured from the Add (or Edit) LDAP Server Profile page or using the test subcommand of the ldapconfig command in the CLI. If you specified multiple LDAP hosts in the profile, AsyncOS will test each host server and display individual results. IronPort Spam Quarantine queries. You can now configure and test queries for spam quarantine end-user authentication and alias consolidation from the Add/Edit LDAP Server Profile page. These queries can also be tested using the ldaptest command in the CLI. Enhanced: Message Tracking AsyncOS 6.4 includes the following enhancements to the Message Tracking search page: You can now search messages that are currently in the spam quarantine. When specifying the date and time range for the query, you can select the following options: Last Day. Use this option to search for messages within the past 24 hours. Last 7 Days. Use this option to search for messages within the past full 7 days, plus the time that has passed today. Custom Range. Use this option to search for messages within the time range specified in the Message Received fields. This option is selected by default. Note that if you select the current date and 23:59 as the end date and time, the query returns all data for the current date. You can export message tracking search results to CSV format or PDF. If you enter any advanced search criteria and collapse the Advanced section of the Message Tracking page, the advanced search parameters are displayed to the right of the link for the Advanced section after you perform a tracking query. Enhanced: Increased Reporting Data Retention Previously, the Security appliance would store up to 24 hours worth of reporting data in the /var/log/godspeed/reporting/outgoing_queue directory if the Security Management appliance was unreachable. After 24 hours, the Security appliance started to overwrite the oldest reporting data. This issue has been addressed. You can now specify the number of hours to store reporting and tracking data on the Security appliance if the Security Management appliance is not collecting data. 2

5 To specify how long to store centralized reporting data, use the reportingconfig -> mailsetup -> storage command on the Security appliance. By default, the appliance will store data for up to 24 hours before it begins to overwrite the oldest data. To specify the number of files of tracking data to store, use the trackingconfig -> storage command on the Security appliance. By default, the appliance will store up to 60 files, or 3 hours worth of tracking data before it begins to overwrite the oldest data. IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 3

6 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES FIXED ISSUES The following issues have been fixed in the AsyncOS 6.4 release. Fixed: Message Tracking Does Not Return Results Due to Corrupted File Fixed an issue where a message tracking query cannot be completed because a corrupted file is found by the query. The following error message appears: The Message Tracker service is currently unreachable. Please contact your authorized IronPort support provider. The Message Tracker restarts, but the error occurs again if the query is repeated. This issue has been addressed. Now, when the Message Tracker encounters a corrupted file, the corrupted file is removed from the database and the Message Tracker restarts. AsyncOS displays a message saying that the tracking database is momentarily unavailable and asks you to retry your search query in a few minutes. This process is repeated until no more corrupted files are found are by query and the search results are returned. [Defect ID: 39951] Fixed: Message Tracking Does Not Strip Whitespace from Search Strings Message Tracking does not strip whitespace from search strings. Instead, it treats them literally. As a result, subject query results may seem incorrect. To work around this, remove or add a whitespace at the beginning of your search string to test both cases. This issue has been resolved. [Defect ID: 36710] Fixed: Message Tracking Page Incorrectly Displays Subject Lines with HTML Tags Previously, the Message Tracking page incorrectly displayed subject lines containing HTML tags. This issue has been resolved. [Defect ID: 36752] Fixed: Search Results Message in UI Sometimes Indicates an Incorrect Number of Search Results Previously, the message that appeared along with search results sometimes indicated an incorrect number of search results. For example, you might have seen the message Displaying 1-20 of 1000 items even if search results contained more than 1000 items. This issue has been resolved. [Defect ID: 37114] Fixed: Error Message Appears If You Include Double Quotation Marks in the Subject or Message ID Header When Running Tracking Queries Previously, when you ran tracking queries, an error message appeared if you included double quotation marks in the Subject or Message ID Header field. This issue has been resolved. [Defect ID: 37432] Fixed: Vulnerability in SNMPv3 Fixed a security vulnerability found in the implementation of Simple Network Management Protocol version 3 (SNMPv3) used in AsyncOS. This vulnerability could allow specially crafted SNMPv3 packets to bypass the authentication check. [Defect ID: 42301] 4

7 Fixed: Message Tracking Query Times Out Even When There is No Time Limit Previously, message tracking queries timed out when querying a large database even when the time limit is set to No Time Limit. After 5 minutes, AsyncOS displayed a message saying that the query has timed out and asked the user to retry the search with more specific information. This issue has been resolved. [Defect ID: 42760] Fixed: Mail for Accepted Recipients Rejected if LDAP is Unreachable Previously, if you created a Recipient Access Table to accept mails for a certain domain and configured an acceptance query to accept mail when the LDAP server is unreachable, the appliance rejected any s sent to recipients at the accepted domain if the LDAP server is unreachable. This issue has been resolved. Now, the appliance accepts s sent to recipients at the accepted domain. [Defect ID: 40164] Fixed: Messages with Footers Sent Multiple Times Previously, when the IronPort appliance added a footer to an outgoing HTML message, the message may be sent to the recipient multiple times. This occurred because the IronPort appliance failed to escape leading dots as required by the SMTP protocol, resulting in a partial message being sent. In some cases, the appliance failed to see the response from the remote server and resent the message. This issue has been resolved. The appliance correctly escapes dots when it adds a footer and outgoing messages are not truncated. [Defect ID: 41255] Fixed: LDAP Routing Query Loop Detection Prevents Duplicates from Being Rewritten Previously, the method that AsyncOS used to prevent a routing query from looping also prevented duplicated addresses in a routing query response from being rewritten. A mailing list alias may contain duplicate addresses for a single owner. This issue has been resolved. [Defect ID: 41972] Fixed: SMTP Authentication Allows Empty Passwords When Using Anonymous LDAP Bind Authentication Previously, if SMTP authentication on an IronPort Security appliance was configured to use LDAP bind, an LDAP server would authenticate a client using an existing user account with an empty password if the LDAP server allowed anonymous binding. This issue has been resolved. Now, SMTP authentication returns an authentication failure if a client uses an empty password. [Defect ID: 43274] Fixed: LDAP Test Connections Continue After Not Receiving a Response Previously, if an LDAP server test is run for an LDAP query, the appliance continued trying to connect to the LDAP server if it did not receive a response. The connection attempts for the LDAP test continued even after the profile for the LDAP server was deleted from the appliance. This issue has been resolved. Now, if there is no response from the LDAP server, the LDAP test connection closes after the query timed out. Connections to the LDAP server are also closed when the LDAP server profile is deleted. [Defect ID: 41271] IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 5

8 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES Fixed: Messages Bounced After Not Receiving Reply from Cisco Registered Envelope Service Previously, if the IronPort Security appliance tried to encrypt a message that required storing an encryption key on the Cisco Registered Envelope Service, the appliance bounced the message if it did not receive a response from the Cisco Registered Envelope Service. This issue has been resolved. Now, the IronPort Security appliance receives an error message if a response is not received from the Cisco Registered Envelope Service and the appliance tries encrypting the message again. If it still fails to store the encryption key after retrying, the message is bounced with a more specific error message that indicates the nature of the problem. [Defect ID: 37904] 6

9 QUALIFIED UPGRADE PATHS Version is the AsyncOS 6.4 release of the IronPort AsyncOS for Security operating system. The qualified upgrade paths to this release are: From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version From: Version To: Version UPGRADE INSTRUCTIONS Preupgrade Notes Important Notes Please be aware of the following upgrade impacts: SPF/SIDF Verification For SPF/SIDF verification, the spf-passed rule is no longer available in content filters. To maintain backwards compatibility, the spf-passed content filter rule will be accepted from XML configuration files but it will be converted to the spf-status rule with corresponding arguments. spf-passed will be changed to spf-status == "Pass" and NOT spf-passed to spf-status!= "Pass". You can, however, still use the spf-passed message filter. DKIM Authentication For DKIM Authentication, IronPort currently supports version 8 of the Draft Specification of `Authentication-Results: header. Configuration Files IronPort does not generally support the backward compatibility of configuration files with previous major releases. Minor release support is provided. Configuration files from previous IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 7

10 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES versions may work with later releases; however, they may require modification to load. Check with IronPort Customer Support if you have any questions about configuration file support. Custom Notification Templates If you previously used a custom notification template, headers were included by default. When you upgrade to AsyncOS version 5.0 or later, notification templates do not include headers by default. To include headers, you can add the $allheaders message filter action variable. [Defect ID: 27710] Message Filter Syntax In a previous release, you may have used a message filter similar to the following to search for empty or non-existent subject headers: blankspam: if ((subject == "^$") AND (header("to") == "^$")) AND (body-size < 3072) { insert-header("x-spam", "$FilterName"); quarantine("policy"); } In a previous release, this filter treated a non-existent header as if it were an empty header. In version 5.0 and later, the condition (header("to") == "^$")) only returns true if the header exists and is empty. For more information, see the IronPort AsyncOS Advanced User Guide. [Defect ID: 29225] Received Headers When you configure AsyncOS to use received headers, you can specify that the header reflects one of the following hostnames: The hostname of the Virtual Gateway used for delivering the message The hostname of the interface the message is received on You specify the hostname from the CLI command listenerconfig-> setup. You cannot configure the hostname from the GUI. In AsyncOS version 5.0 and later, if you configure the received header to display the hostname of the interface the message is received on, a strip-header filter action configured to strip received headers will strip the received header inserted by AsyncOS. [Defect IDs: 16254, 25816] Feature Keys In AsyncOS version 5.0 and later, the AsyncOS appliance checks for and applies feature keys at one minute intervals. Therefore, when you add a feature key, it may take up to a minute to view the changes. [Defect ID: 29160] 8

11 Virus Logs In previous releases, virus-positive messages were logged as information: Mon Jul 31 17:53: Info: sophos antivirus - MID Result 'VIRAL'('ENCRYPTED',) In AsyncOS version 5.0 and later, virus logs are logged as warnings: Thu Sep 28 16:32: Warning: sophos antivirus - MID 3 - Result 'VIRAL'('UNSCANNABLE',) [Defect ID: 26317] Configuring the Update Server on Version 5.1 or Later In AsyncOS version 5.1 or later, you can use McAfee anti-virus scanning as well as Sophos anti-virus scanning. The McAfee engine retrieve update information from a different server than the other scanning blades. You may need to create firewall rules to allow update traffic for this service. To configure the firewall, allow updates from update-manifests.ironport.com on port 443. Upgrading to the AsyncOS 6.4 Release For the 6.4 release, please use the following instructions to upgrade your AsyncOS appliance. 1. Save the XML configuration file off the IronPort appliance. 2. If you are using the Safelist/Blocklist feature, export the Safelist/Blocklist database off the IronPort appliance. 3. Suspend all listeners. 4. Wait for the queue to empty. 5. From the System Administration tab, select the System Upgrade page. 6. Click the Available Upgrades button. The page refreshes with a list of available AsyncOS upgrade versions. 7. Click the Begin Upgrade button and your upgrade will begin. Answer the questions as they appear. 8. When the upgrade is complete, click the Reboot Now button to reboot your IronPort appliance. 9. Resume all listeners. Performance Advisory DomainKeys - DomainKeys signing outgoing can cause a decrease in the message throughput capacity. Using smaller signing keys (512 byte or 768 byte) can mitigate this. IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 9

12 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES SBNP - SenderBase Network Participation now uses the Context Adaptive Scanning Engine (CASE) to collect data to power IronPort Information Services. In some configurations customers may experience a moderate performance decline. Virus Outbreak Filters - Virus Outbreak Filters now uses the Context Adaptive Scanning Engine to determine the threat level of a message and scores messages based on a combination of Adaptive Rules and Outbreak Rules. In some configurations, you may experience a moderate performance decline. IronPort Spam Quarantine - Enabling the IronPort Spam Quarantine on-box for a C-Series or X-Series appliance causes a minimal reduction in system throughput for nominally loaded appliances. For appliances that are running near or at peak throughput, the additional load from an active quarantine may cause a throughput reduction of 10-20%. If your system is at or near capacity, and you desire to use the IronPort Spam Quarantine, consider migrating to a larger C-Series appliance or an M-Series appliance. Note If you change your anti-spam policy from dropping spam to quarantining it (either on-box or off-box), then your system load will increase due to the need to scan additional spam messages for virus and content security. For assistance in properly sizing your installation please contact your authorized IronPort support provider. 10

13 KNOWN ISSUES The following list describes known issues in this release of AsyncOS for Security. Note For information about known issues found in prior releases, see the IronPort AsyncOS 6.4 Security Appliances Known Issues posted on the Support Portal. You can access the support portal at: Reporting Issues Reporting Graphs and PDFs Do Not Support Double Byte Characters When you generate reports or PDFs of reports using double byte characters, the characters do no display properly. This issues manifests itself only in cases where you create a system resource and name it with double-byte characters. For example, if you have a content filter named "déjà-vu" and it was one of the top 10 content filters referenced in the report, the PDF version would have the "é" and the "à" characters rendered incorrectly. [Defect ID: 27275] Exported IP Address Search Results for Incoming Mail Shows Last Sender Group Twice When exporting IP address search results from the Incoming Mail page to a CVS report, the report displays the Last Sender Group twice. [Defect ID: 43218] Report Titles Display Incorrectly When Using Multibyte Characters Entering Multibyte characters in Report title results in unreadable characters. Report titles are converted to character entity references. [Defect ID: 33729] Non-ASCII Characters Appear as Encoded Plain Text in the Processing Details Section of the Message Details Page Non-ASCII characters appear as encoded plain text in the Processing Details section of the Message Details page. However, the characters appear correctly at the top of the page. [Defect ID: 37156] LDAP Issues LDAP SMTP Authentication Test Returns a Pass if Password is Incorrect The LDAP SMTP authentication test returns a result of Success if the user enters an incorrect password for an existing LDAP user account. [Defect ID: 42980] IronPort Spam Quarantine Authentication Fails for Queries Configured to Use LDAP Referrals in Active Directory When you use an LDAP referral for an Active Directory server, the IronPort Spam Quarantine authentication query fails to bind the password, and the query fails. This issue only occurs when performing authentication queries using LDAP referrals in Active Directory. [Defect ID: 42011] IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 11

14 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES Alias Consolidation Is Supported Only for Configurations Where LDAP or None Is Being Used for Authentication Currently, alias consolidation will run only when end user authentication is configured with LDAP or None. It will not run when end user authentication is configured with IMAP/ POP. [Defect ID: 43314] LDAP Server DNS Resolution Is Refreshed After TTL Expires The system does not recognize any IP address changes for LDAP servers until the DNS is refreshed after TTL expires. Flushing the cache does not work. Workaround: Update the hostname with the new IP address in your LDAP server profile setting. [Defect ID: 43209] IronPort Spam Quarantine Issues Messages with No Subject Sometimes Cannot Be Quarantined If the anti-spam mail policy is configured to not add text to the subject of a spam-positive message, messages with no subject fail to be quarantined and stall notifications. [Defect ID: 40500] Message and Content Filters Issues Editing Content Dictionaries Containing Non-ASCII Characters Sometimes Causes an App Fault Sometimes an app fault occurs if you attempt to edit a content dictionary that contains non- ASCII text. [Defect ID: 43287] Configuration File Issues Configuration File with Errors Causes Application Error If a configuration file containing errors in the sslconfig section is loaded to AsyncOS, an application error may occur, causing AsyncOS operating system to restart repeatedly. To work around this issue, remove the error from the configuration file and reload it. [Defect ID: 39142] Saveconfig on Security Management Appliances Does Not Preserve the SSH Port Used by Centralized Services Saving a configuration file on Security Management appliances does not preserve the SSH port used by centralized services. Therefore, if Security and Security Management appliances use a nondefault SSH port to transfer files, then loading the configuration file causes the Security Management appliance to use the default port (22). Workaround: 1. Log in to the Security Management appliance CLI as admin. 2. Run the applianceconfig > port command. 3. Type the number of the port you want to use to transfer files between the Security Management and Security appliances. 4. Commit your changes. 12

15 [Defect ID: 43642] DKIM and Domainkeys Signing Issues Missing DKIM or Domain Keys Profile Event Always Displays Unknown Value The missing DKIM or Domain Keys profile event (MAIL.DK.SIGN.MSG_NO_PROFILE) always displays an [unknown] value instead of the correct sender on Message Details page. [Defect ID: 38758] Other Known Issues HELO Test Does Not Take Place When Using SIDF Compatible Conformance When enabling SPF/SIDF authentication for a mail flow policy, the user can select the HELO test option for the SIDF Compatible conformance level. This test is not run because at this level SPF/SIDF authentication treats SPF v1.0 records as spf2.0. The IronPort Security appliance skips the HELO test even if it is configured to run it. To run the HELO test, select the SPF conformance level. [Defect ID: 43661] QMQP Listener Will Not Accept and Deliver Messages Longer Than 8158 Bytes On IronPort appliances running AsyncOS 6.1 or later, an application fault occurs if a QMQP listener receives a message that ends with <CR><LF>. The QMQP listener will also not accept and deliver messages with a netstring longer than 8158 bytes. [Defect ID: 41103] Next Delivery Time Displays Incorrectly For Virtual Gateways When using virtual gateways, the Next Delivery time may display N/A instead of the actual time that the next delivery will attempt. This display does not interfere with the delivery attempts. [Defect ID: 37245] Cannot Use the Add Row Button to Add Multiple Destination Hosts on the Add SMTP Route Page On the Add SMTP Route page, if you use the Add Row button to add multiple destination hosts for a receiving domain, the additional hosts will not appear in the SMTP routes list. Workaround: Instead of adding more rows, enter a comma-separated list of all destination hosts in one row. [Defect ID: 42031] IRONPORT ASYNCOS 6.4 FOR SECURITY APPLIANCES RELEASE NOTES 13

16 IRONPORT ASYNCOS 6.4 FOR RELEASE NOTES CONTACTING IRONPORT CUSTOMER SUPPORT You can request our support by phone, , or online 24 hours a day, 7 days a week. During customer support hours (24 hours per day, Monday through Friday excluding U.S. holidays), an engineer will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of our office hours, please contact IronPort using one of the following methods: U.S. toll-free: 1(877) International: Support Portal: 14