Symantec Messaging Gateway 10.7.5 Release Notes

Table of Contents

Symantec Messaging Gateway 10.7.5 Release Notes
  About Symantec Messaging Gateway 10.7.5
  What's new in SMG 10.7.5
  Documentation
  Support policy
  Supported platforms
  Unsupported platforms
  Supported web browsers
  Supported paths to version 10.7.5
  Unsupported paths to version 10.7.5
  Important information about installation in virtual environments
  Important information before you update to version 10.7.5
  After 10.7.5 installation
  Resolved issues in 10.7.5
  Known issues in 10.7.5
  Where to get more information

About Symantec Messaging Gateway 10.7.5

Copyright 2021 Broadcom. All rights reserved.

Document publication date: 10/27/2021

Symantec Messaging Gateway (SMG) 10.7.5 is the update to previous versions of SMG. All functionality of SMG 10.6.x and 10.7.x is maintained unless otherwise noted.

NOTE: You must be at SMG 10.6.6 or later to update to SMG 10.7.5.

What's new in SMG 10.7.5

This release (10.7.5) introduces support for the deployment of Symantec Messaging Gateway on Linux KVM platforms.

This release also introduces WebPulse integration for URL category filtering. Administrators can now create content filtering policies to detect and manage spam and other unwanted content based on the URLs contained in mail headers and body content, leveraging Broadcom's best-of-breed URL categorization service.

IMPORTANT: Communication with the WebPulse service requires that the Symantec Messaging Gateway can reach several domains on ports 80 (HTTP) and 443 (HTTPS). Ensure that your network security infrastructure permits access from your SMG appliance(s) to the following URLs for HTTP and HTTPS traffic: coat.comsubscription.es.bluecoat.comURLs

If your organization uses SMG in a closed network environment, remove the check next to Enable Relationship-based AI for File specific detections on the Malware Email Scan Settings page. Failure to do this will result in delays and instability in your environment, as the appliance attempts to look up URLs as they’re detected.

Release 10.7.5 also includes changes to the Modify Clickable URLs action in Content Filtering policies. These changes allow users to modify only the URLs that match certain criteria, such as Spam URLs, Malicious URLs, or Unknown URLs.

This release also includes:
- The ability to undo URL modification for outbound messages using Content Filtering.
- A change in inbound mail processing that causes SMG to reject messages if the sender presents a client certificate that cannot be validated.
- A fix for network access issues for the S450 hardware platform.
- Support for a large number of new file types for email content filtering policies.
- Support for VMware 7.0.

Documentation

You can access English documentation at the following way/10-7-5.html

Check the following website for any issues that are found after these release notes were article/1510633

To access the software update description from the Control Center, click Administration > Hosts > Version. On the Updates tab, click View Description.

To view the Symantec support policy for SMG, see the following links:
http://go.symantec.com/security_appliance_support
http://go.symantec.com/appliance_hw_support

To read the translated documentation, go to 5.html and select the desired language from the dropdown list in the upper right corner of the screen. SMG 10.7.5 supports French, Spanish and Japanese versions of the documentation and the product's user interface locale.

Support policy

Symantec provides standard support for only the most current build of the licensed software.

To view the Symantec support policy for SMG, see the following links:
http://go.symantec.com/security_appliance_support
http://go.symantec.com/appliance_hw_support

Supported platforms

You can update to SMG 10.7.5 on any of the following platforms:
- HARDWARE: All supported hardware versions: 8380/S450 and 8340 purchased after May 2016. For more information about SMG hardware testing support, go to the following URL: http://www.symantec.com/docs/TECH123135
- VMware: VMware ESXi/vSphere 6.5/6.7/7.0
  NOTE: VMware 6.0 is in EOL status, and as a result Symantec Messaging Gateway has dropped support for that platform as of the 10.7.4 release. Existing installations on VMware 6.0 can upgrade to 10.7.5, but new VMs should be created and run under 6.7. See this article for details: https://kb.vmware.com/s/article/66977. Customers using ESX 6.0 should note that SHA1 is no longer considered secure, and thus they must either convert the OVA or do an ISO install.
  Support for VMware ESXi/vSphere 5.5 ended with SMG 10.6.6.
- Microsoft Hyper-V: Windows Server 2012 and Hyper-V Server 2012, and Windows Server 2016 and Hyper-V Server 2016.
- Linux Kernel Virtual Machine (KVM): The kernel component of KVM is included in mainline Linux as of 2.6.20. The user space component of KVM is included in mainline QEMU as of 1.3.

Unsupported platforms

Unsupported platforms are as follows:
- Any platform that is not listed in the Supported Platforms section of this document.
- Hardware platforms 8220, 8240, 8260, 8320 and 8360.
- Hardware platform 8340 purchased on or before August 2016.
- Hardware platform 8380 purchased on or before May 2016.

Symantec does not test software releases on appliance models for which the hardware warranty period has expired.

To determine what hardware version you have, at the command line type the following:

    show --info

Supported web browsers

You can access the SMG Control Center on the following supported web browsers:
- Microsoft Internet Explorer 11 or later.
- Firefox 92 or later. Note that if you plan to use the Smart Card functionality introduced in version 10.7.3 with Firefox, you will need to obtain and install a plugin to support PIV. See
- Google Chrome 90 or later.

Supported paths to version 10.7.5

You can use any of the following methods to update to SMG 10.7.5:
- Software update from version 10.6.6 or later on supported hardware or in a supported virtual environment.
- OS Restore from ISO on supported hardware or in a supported virtual environment.
- VMware installation with OVA template.

Note: Symantec provides an OVA template that can load an SMG virtual machine into VMware. This template is designed for demonstration or testing purposes. You should use this template for deployment in a production environment only if explicitly recommended. For any production environment, create a virtual machine in accordance with best practices as outlined in the Symantec Messaging Gateway 10.7 Installation Guide, located here: -5/RelatedDocuments.html. Then install SMG using the ISO file.

Unsupported paths to version 10.7.5

You cannot update to SMG 10.7.5 from versions earlier than 10.6.6.

Important information about installation in virtual environments

SMG 10.7.5 supports three virtual environments: VMware, Microsoft Hyper-V, and Linux KVM.

To install on VMware

Two methods for installing on supported VMware platforms are:
- ISO file: You can load the ISO file into a preconfigured virtual machine. You can use the ISO file on VMware ESXi/vSphere 6.5/6.7.*/7.0
- OVA file: You can also load the OVA, which includes the virtual machine configuration. You can use the OVA for VMware ESXi/vSphere 6.5/6.7.*/7.0

* VMware 6.0 is in EOL status, and as a result Symantec Messaging Gateway dropped support for that platform as of 10.7.4. Existing installations on VMware 6.0 can upgrade to 10.7.5, but new VMs should be created and run under 6.7.

To install on Hyper-V

Symantec supports one method for installing on supported Hyper-V platforms:
- ISO file: You can load the ISO file into a preconfigured virtual machine. You can use the ISO file on Windows Server 2012 and Hyper-V Server 2012, and Windows Server 2016 and Hyper-V Server 2016.

See the Symantec Messaging Gateway 10.7 Installation Guide (located at -5/Related-Documents.html) for instructions and system requirements.

To install on KVM

Symantec supports one method for installing on KVM platforms:
- ISO file: You can deploy an instance of Symantec Messaging Gateway from an ISO image on a computer running Linux KVM. For an example installation of KVM on a system running the CentOS Linux distribution, see the Symantec Messaging Gateway 10.7 Installation Guide.

See the Symantec Messaging Gateway 10.7 Installation Guide (located at -5/Related-Documents.html) for instructions and system requirements.

Important information before you update to version 10.7.5

This section describes the migration information that you should read before you update to version SMG 10.7.5.

The best practices for all updates are listed in Best practices for all updates.

You can only update to SMG 10.7.5 from SMG 10.6.6 or later.

If you are updating from 10.6.6, you should enable the new Malware configuration options for better detection. These options use static and dynamic artificial intelligence and the relationship-based AI for file and mobile detections.

NOTE: After the upgrade to 10.7.5 completes, you might not automatically return to the login screen. Instead, the system might display a screen that offers the choices Advanced or Go Back. Reload the page in your browser to return to the login screen.

If you are NOT using the policy sharing feature for email content filtering introduced in Symantec Messaging Gateway 10.7.4, you may skip this section. If you ARE using policy sharing, you must ensure that all Control Center instances (both Central and Remote) are updated to the same product version.

Assume the following current deployment:
- Cluster 1: CC1, which controls Scanner01C1 and Scanner02C1.
- Cluster 2: CC2, which controls Scanner01C2 and Scanner02C2.
- Cluster 3: CC3, which controls Scanner01C3 and Scanner02C3.

Further, assume that CC1 is the central Control Center and CC2 and CC3 are the remote Control Centers.

Given the above scenario, follow these steps:
1. Update CC3.
2. Update the Scanners attached to CC3 (Scanner01C3 and Scanner02C3).
3. Update CC2.
4. Update the Scanners attached to CC2 (Scanner01C2 and Scanner02C2).
5. Update CC1 (the central Control Center for the cluster).
6. Update the Scanners attached to CC1 (Scanner01C1 and Scanner02C1).

The above steps are provided as an example of the recommended order in which to update your Scanners. You can update the Scanners in a different order (e.g. CC3 - CC2 - CC1, or CC2 - CC3 - CC1), as long as you update the Control Centers and the Scanners attached to them to the same update version.

NOTE: The software update process can take several hours. During this process, mail throughput is unaffected. However, the mail that is intended for quarantine remains in the delivery queue until migration is complete.

Table 1: Best practices for all updates
Columns: Item / Description

Item: Perform a backup.
Description: Symantec recommends that you take a full system backup before you run the software update and store it off-box.

Item: Do not restart before the update process is complete.
Description: The software update process may take several hours to complete. The system restarts automatically when the update completes.
Warning! If you restart before the process is complete, data corruption is likely to occur. If data corruption occurs, the factory image must be reinstalled on the appliance.

Item: Delete log messages.
Description: If your site policies allow it, delete all scanner and DDS log messages before you update.

Item: Stop mail flow to scanners and flush queues before you update.
Description: To reduce scanner update time and complexity, stop mail flow to scanners and drain all queues. Then start the update. The goal is to process or deliver the messages in the queues, particularly the delivery queue, before starting the update.
To halt incoming messages, click Administration > Hosts > Configuration, and edit a scanner. On the Services tab, click Do not accept incoming messages and click Save. Repeat the process individually for each scanner on the system. Allow some time for messages to drain from your queues. To check the queues, click Status > SMTP > Message Queues. Flush the messages that are left in the queues.

Item: Update Control Center first.
Description: Symantec recommends that you perform the update in this order: Update the Control Center, flush the queues on the scanners, and then update the scanners.
- If you choose to update the scanners first, Symantec recommends that you use the command line interface to update remote scanners.
- After updating the Control Center, update your scanners as soon as possible. The Control Center can propagate configuration changes only to a scanner using the same version of the software. Running different versions on the Control Center and scanners for more than 24 hours is not advised.
- Making configuration changes when the Control Center and scanners are running different versions is unsupported.

Item: Perform software update at off-peak hours.
Description: Plan to update the Control Center appliance and scanners during off-peak hours. This reduces the amount of mail that builds up in the queue.
After you update the Control Center, wait a few minutes for queues to clear before updating the scanners. Software update of a scanner takes less time than the software update of the Control Center.
Scanners cannot quarantine messages on the Control Center during the Control Center update process. Messages may build up in a queue.
When you update a scanner, it goes offline. Scanner resources are unavailable during the update process.

Item: Check available space on the / partition before you start the update process.
Description: When updating, the installation process does not pre-test the available space on the / partition before starting the update. If the available space is insufficient, a partial installation of the new release can occur, leaving the system in an unsupported state. You should verify that at least 500 MB of space is available before you begin the update. To find out how much space is available, use the CLI command:
    monitor other free
(output is not labeled; 500 MB is 500000 in this context).
To free up space, use the CLI command:
    list --temp or list --top grep -v data
and then use the CLI command:
    delete file filename
to delete unneeded files in /tmp and /var/tmp.

Item: Monitor the update process carefully.
Description: If you observe unexpected behavior during the software update process, or if the process fails or appears to terminate before completion, examine the Messaging Gateway log files to verify that the update succeeded and to determine whether further action is required.

After 10.7.5 installation

To verify that your appliance is running SMG version 10.7.5, log into the command line and type the following command:

    show --version

Perform a LiveUpdate as soon as possible after the update completes. The virus definitions in the new version may be out of date.

Resolved issues in 10.7.5

This section describes the issues that are resolved in SMG 10.7.5.

Table 2: Resolved issues in SMG 10.7.5
Columns: Issue / Description and knowledge base article link (if applicable)

Issue: When a Content Filtering policy to detect executable files was in place and an .exe file was compressed within an ISO file, Content Filtering could not detect the .exe.
Description: This issue has been partially resolved. Content Filtering can now detect .exe files compressed within most ISO files. Detection issues persist when the ISO file was compressed using certain less commonly used compression tools. See the associated knowledge base article for ticle?articleId 226215

Issue: Messages were stuck in the Delivery queue due to No valid hosts (unable to make any connections).
Description: This issue has been partially resolved. In previous releases, default MTA values were used for two settings that help govern the behavior when the MTA is unable to connect with two or more of the MX servers at the destination address. Because these values were too low for some installations, SMG now sets them to a higher value. See the associated knowledge base article for ticle?articleId 225896

Issue: Errors parsing a message or a DMARC record resulted in a DMARC status of NONE, rather than an error status.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 225877

Issue: Content Filtering didn't detect a filename dictionary entry that included a left square bracket.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 172158

Issue: SMG was unable to use a wildcard (*) in the Local Bad Sender Domains list. You could not use example*.com to block mail from example1.com, and so on.
Description: This issue has been resolved. See the associated knowledge base article for details: al/article?articleId 226216

Issue: Although Unscannable/Malformed MIME and Unscannable/Mismatched filetype are no longer supported verdicts, the Control Center's Message Audit Log continued to show them as optional filter values for Verdict.
Description: This issue has been resolved. See the associated knowledge base article for details: http://www.symantec.com/docs/TECH256796

Issue: Users could enable TLS without importing a certificate if a Certificate Signing Request existed. However, the MTA would not start unless the certificate was imported.
Description: This issue has been resolved. See the associated knowledge base article for details: ticleId 175064

Issue: If the username or password for LiveUpdate contains the '/' character, LiveUpdate does not work.
Description: The LiveUpdate screen's User Name and Password fields did not prevent users from entering text that included this character, resulting in blocked access to the LiveUpdate or proxy server. This issue has been resolved. See the associated knowledge base article for ticle?176325

Issue: In the Chrome browser, with FIPS enabled, a gray blank page was displayed during reboot after an update. This issue was seen only in updates from version 10.6.6.
Description: This issue has been resolved for systems updating from version 10.7.0 and later. See the associated knowledge base article for ticle?articleId 226217

Issue: Symantec Messaging Gateway 10.7 detected Microsoft document file internals as various TrueType executables, differing in behavior from the default 10.6 and earlier releases.
Description: This issue has been resolved. There is now a configuration option to allow users to change this behavior. See the associated knowledge base article for ticle?articleId 175634

Issue: The action Strip all attachments in Content Filtering policies did not always strip all attachments. In some cases attachments that were email messages, text or HTML files were not removed.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 189268

Issue: Policy names that included "--" prevented the conversion of reports to PDF.
Description: If a report listed a policy name that contained "--", when you attempted to create a PDF, it failed and displayed an error. This issue has been resolved. See the associated knowledge base article for ticle?articleId 189998

Issue: The Casoop service crashed on signal 11.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 225879

Issue: The message displayed was incorrect when users clicked the Apply button on the global attachment list or on the global pattern
Description: This issue has been resolved. See the associated knowledge base article for details: le?articleId 225881

Issue: Custom time range fields on Message Audit Logs were misaligned in the Chrome browser.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 204565

Issue: When a report was generated in Japanese, characters inside the graph section of the report were displayed as
Description: This issue has been resolved. See the associated knowledge base article for ernal/article?articleId 225882

Issue: SNMP queries for MTA statistics failed. This issue was resolved for some users in 10.7.4, but others were still experiencing the issue. The issue has now been resolved for all users.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 225883

Issue: When generating a new Certificate Signing Request in SMG 10.7.4, after the CSR was generated, the CSR data was not displayed in the text area of the View Certificate Signing Request page.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 205415

Issue: Message Audit Logs did not display connecting IP addresses, only logical IP addresses.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 222647

Issue: Users were unable to start the MTA service after updating to SMG 10.7.4. This problem was limited to users who had selected the Spanish locale for their servers.
Description: This issue has been resolved. See the associated knowledge base article for details: ticleId 205650

Issue: If a Content Filtering policy's name included double quotes ("), then you could not click the Status link to view the status of the policy.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 225871

Issue: A forward slash ("/") in a Content Filtering policy's regex condition disabled all other policy conditions.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226044

Issue: During peak times when a large number of quarantined messages were released in a short time, the DLP FlexResponse API calls did not always receive a timely response from the SMG Control Center, and quarantine releases via the API were delayed.
Description: This issue has been resolved. See the associated knowledge base article for details: ticleId 226046

Issue: Annotations of messages with winmail.dat attachments were not displayed.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 210140

Issue: After update to SMG 10.7.4, an error prevented adding a static IPv6 route.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226047

Issue: MTA logs displayed the following warning message many times per minute:
    IP Freq module: Could not select() on MTA socket: socket fd(1133) is to FD SETSIZE(1024)
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 210199

Issue: The Notification mail to the recipients setting sent a notification to all recipients, including Control Center recipients. The notification message potentially contained the email addresses of all recipients of the original message, including those who were BCC'ed.
Description: This issue has been resolved. SMG now hides the email address information on the notification message, unless the notification explicitly includes them. See the associated knowledge base article for ticle?articleId 226051

Issue: The MTA did not always reject connections that presented invalid client certificates.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226054

Issue: The S450 hardware platform failed bootstrap with valid network information.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 224181

Issue: In SMG 10.7.4, some links were not modified for Threat Isolation.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 214662

Issue: Generated Disarm reports did not contain graphs.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226064

Issue: Emails in the bad message queue with no sender addresses (e.g. bounce messages) could not be released.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226065

Issue: LiveUpdate proxy settings were no longer accessible after update to 10.7.4.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 224788

Issue: Crashes could occur in the mail server or in the email decomposition service when a policy that used record resources was present.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226067

Issue: In a Data Loss Prevention (DLP) and SMG integration, DLP email remediation sometimes failed.
Description: This issue has been resolved. See the associated knowledge base article for ticle?articleId 226069

Issue: (Policy Sharing) Global policies weren't being retrieved by a Remote Control Center running version 10.7.4 when it was added to a Control Center cluster running version 10.7.5. Only global resources were published to the remote Control Center; global policies weren't being published.
Description: This issue has been resolved. See the associated knowledge base article for details: ticleId 225897

Known issues in 10.7.5

This section describes the known issues in SMG 10.7.5.

Table 3: Known issues in SMG 10.7.5
Columns: Issue / Description

Issue: The Message Audit Log does not log the offending IP address for IP-related verdicts.
Description: See the associated knowledge base article for details: http://www.symantec.com/docs/TECH232769

Issue: The Control Center allows active sessions for administrators with deleted accounts.
Description: When administrators log on, their permissions are cached, and they continue with the same rights until they log out. If a session is active, it can continue even after the account was deleted. See the associated knowledge base article for details: http://www.symantec.com/docs/TECH208723

Issue: The error "server refused the connection" appeared in the catalina.out log file during update.
Description: See the associated knowle
