Symantec Messaging Gateway 10.5.2 Release Notes

Symantec Messaging
Gateway 10.5.2 Release

Notes
powered by Brightmail
Symantec Messaging
Gateway 10.5.2 Release
Notes
This document includes the following topics:
About Symantec Messaging Gateway 10.5.2
What's new
Documentation
Support policy
Supported platforms
Unsupported platforms
Supported web browsers
Supported paths to version 10.5.2
Unsupported paths to version 10.5.2
Important information about installation in virtual environments
Important information before you update to version 10.5.2
Resolved issues
Known issues
Symantec Messaging Gateway 10.5.2 Release Notes


Copyright 2014 Symantec Corporation. All rights reserved.
Symantec Messaging Gateway 10.5.2 is the upgrade to previous versions of
Symantec Messaging Gateway. All functionality of Symantec Messaging Gateway
10.5.1 is maintained unless otherwise noted.
Note: You must be at Symantec Messaging Gateway 10.5.1 in order to update to
Symantec Messaging Gateway 10.5.2. You can only update to version 10.5.1 from
version 10.0.3 or later.
What's new
This release of Symantec Messaging Gateway fixes known defects and addresses
known vulnerabilities, and also includes the following new and enhanced features:
Fixes to HTTP proxy settings: previous releases did not allow certain special
characters in usernames or passwords. This issue is now resolved.
Custom rule submission: this release includes several improvements to the

process of submitting messages for custom rules.
Corrections for Content Filtering reports: previously some of the pre-generated

Content Filtering policies did not appear in the Content Filtering reports. This
issue is now resolved.
Longer keys for self-signed certificates: self-signed certificates now use keys
that are 4096 bits in length. You can now generate authority-signed certificate
requests with both 2048-bit and 4096-bit keys.
Local Good and Bad Sender improvements: under certain circumstances, when
Local Good or Bad Sender IP addresses were entered with overlapping ranges,
rules would fail to load. This issue is now resolved.
Time/NTP server implementation: Symantec Messaging Gateway 10.5.2 includes

several improvements to Time/NTP server configuration, including the ability to
deploy up to five NTP servers instead of three.
Documentation
You can access English documentation at the following website:
http://www.symantec.com/business/support/index?page=content&key=53991&channel=
DOCUMENTATION&sort=recent

Support policy
The site provides best practices, troubleshooting information, and other resources
for Symantec Messaging Gateway.
Check the following website for any issues that are found after these release notes
were finalized:
http://www.symantec.com/docs/TECH215638
To access the software update description from the Control Center, click
Administration > Hosts > Version. On the Updates tab, click View Description.
To view the Symantec support policy for Symantec Messaging Gateway, see the
following links:
http://go.symantec.com/security_appliance_support
http://go.symantec.com/appliance_hw_support
To read the translated 10.5 documentation, copy and paste any of the following
URLs into a web browser, and then click the Documentation link:
Chinese (Simplified)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN
Chinese (Traditional)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW
Japanese
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP
Korean
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR
You can access English documentation at the following website:
http://www.symantec.com/business/support/index?page=content&key=53991&channel=
DOCUMENTATION&sort=recent
The site provides best practices, troubleshooting information, and other resources
for Symantec Messaging Gateway.
Support policy
Symantec provides standard support for only the most current build of the licensed
software.
For more information about Symantec's support policies, on the Internet, go to the
following URL:
http://go.symantec.com/security_appliance_support

Supported platforms
Supported platforms
You can update to Symantec Messaging Gateway 10.5.2 on any of the following
platforms:
All supported hardware versions: 8380, 8360, and 8340 purchased after
November 2008
VMware ESXi/vSphere 5.0/5.1/5.5
Microsoft Hyper-V: Windows Server 2008 and Hyper-V Server 2008, Windows
Server 2012 and Hyper-V Server 2012
For more information about Symantec Messaging Gateway hardware testing

support, on the Internet, go to the following URL:
Unsupported platforms
Unsupported platforms are as follows:
Any virtual platform not listed
Hardware platforms 8220, 8240, 8260, 8320, and 8340 (PowerEdge 860 version)
purchased on or before November 2008 are unsupported, as are hardware
platforms 8360 (PowerEdge 1950 version) and 8380 (PowerEdge 2950 version)
purchased on or before March 2009.
For more information about Symantec Messaging Gateway hardware testing
support, on the Internet, go to the following URL:
To determine what hardware version you have, at the command line type the
following:
show --info
Supported web browsers

You can access the Symantec Messaging Gateway Control Center on any of the
following supported web browsers:
Internet Explorer 10 or later
Firefox 26 or later
Chrome 23 or later


You can update to Symantec Messaging Gateway 10.5.2 by using any of the
following methods:
Software update from version 10.5.1 on supported hardware or in supported

virtual environments
OSRestore from ISO on supported hardware or in supported virtual environments
VMware installation with OVF file
Unsupported paths to version 10.5.2

You cannot update to Symantec Messaging Gateway 10.5.2 by using any of the
following methods:
Versions other than 10.5.1
Direct upgrade from beta versions
Important information about installation in virtual

environments
Symantec Messaging Gateway 10.5 supports two virtual environments: VMware
and Microsoft Hyper-V.
To install on VMware
There are two methods for installing on supported VMware platforms:
ISO file
You can load the ISO file into a preconfigured virtual machine.
You can use the ISO file on VMware ESXi/vSphere 5.0/5.1/5.5.
OVF template
You can also load the OVF, which includes the virtual machine
configuration.
You can use the OVF for VMware ESXi/vSphere 5.0/5.1/5.5.
To install on Hyper-V
There is one method for installing on supported Hyper-V platforms:

Important information before you update to version 10.5.2
ISO file
You can load the ISO file into a preconfigured virtual machine.
You can use the ISO file on Windows Server 2008 and Hyper-V Server
2008, Windows Server 2012 and Hyper-V Server 2012.
See the Symantec Messaging Gateway 10.5 Installation Guide for instructions and
system requirements.
Note: To update to Symantec Messaging Gateway 10.5 in a virtual environment,
you must verify that your virtual environment can support 64-bit virtualization. When
Intel Virtualization Technology (also known as Intel-VT) is enabled in the BIOS, it
allows the CPU to support multiple operating systems, including 64-bit architecture.
On many Intel processors this setting may be disabled in the BIOS and must be
enabled prior to installing Symantec Messaging Gateway 10.5. AMD processors
that support 64-bit architecture usually have this setting enabled by default. See
KB 1003945 from VMware for more information:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US
&cmd=displayKC&externalId=1003945
Important information before you update to version

10.5.2
This topic contains the migration information that you should read before you update
to version 10.5.2. You must update to Symantec Messaging Gateway 10.5.2 from
Symantec Messaging Gateway 10.5.1.
Note: The software update process can take several hours. During this process,
mail throughput is unaffected. However, the mail that is intended for quarantine
remains in the delivery queue until migration is complete.
Table 1-1 describes suggested best practices you should consider when you upgrade
from any version.
Table 1-1
Best practices for all upgrades
Item
Description
Perform a backup.
Symantec strongly recommends that you take a full system backup before you run the
software update and store it off-box.

Resolved issues
Table 1-1
Best practices for all upgrades (continued)
Item
Description
Do not restart.
The software update process may take several hours to complete. If you restart before
the process is complete, data corruption is likely to occur. If data corruption occurs, the
appliance must be reinstalled with a factory image.
Delete log messages.
If your site policies let you, delete all Scanner and DDS log messages.
Stop mail flow to Scanners

To reduce Scanner update time and complexity, you should stop mail flow to Scanners
and flush queues before you and drain all queues.
update.
To halt incoming messages, click Administration > Hosts > Configuration, and edit
a Scanner. On the Services tab, click Do not accept incoming messages and click
Save. Allow some time for messages to drain from your queues. To check the queues,
click Status > SMTP > Message Queues. Flush the messages that are left in the
queues.
Update Control Center first.
Symantec strongly recommends that you update your Control Center before you update
your Scanners. If you do not update the Control Center first, Symantec recommends
that you use the command line interface to update remote Scanners. It is crucial that
the time frame in which you update your Scanners to 10.5 is kept as short as possible:
the Control Center is unable to propagate configuration changes to Scanners that are
on different versions. Configurations in which the Control Center and Scanners run
different versions for an extended period are unsupported.
Perform software update at

off-peak hours.
When you update the Control Center, the Control Center appliance is offline and
unusable. Scanners cannot deliver messages to quarantine on the Control Center
during the software update, so messages build up in a queue. Running software update
on a Control Center appliance can take quite some time. Plan to update the Control
Center appliance during off-peak hours.
When you migrate a Scanner, it goes offline. Scanner resources are unavailable during
the migration process. Software update of a Scanner takes less time than the software
update of the Control Center.
Resolved issues
This section describes the issues that are resolved in 10.5.2.

Resolved issues
Table 1-2
Resolved issues
Issue
Description and knowledge base article link (if

applicable)
Fastpass was being granted for a Bad Fastpass was being granted for a Bad Sender IP (if
Sender IP.
that IP is sending non-spam emails and Action for
Local Bad Sender IP was to Modify the subject
line).
See the associated knowledge base article for
details:
Under some circumstances, queries
submitted from the Submission Detail
page returned the following errors:
The service is not available
since there was a server
error to process the
request. Please contact your
system administrator. ERROR
- The UI and/or log errors
should indicate that the
server returned an HTTP 500
Internal Server Error (which
is not common) and that the
admin should correct the
search string and retry or
try another search string.
These errors no longer occur. The Control Center

displays the expected results. See the associated
knowledge base article for details:
Message Audit Log text read Bypass See the associated knowledge base article for
details:
all content filtering
policies even if only specific
policies were being bypassed.
Control Center Message Audit Logs Rejected SMTP AUTH events are now displayed as
did not display rejected SMTP AUTH expected in the Control Center. See the associated
events.
Error returned while enabling HTTP:
-ne: unary operator
expected.
This issue has been resolved. See the associated


Resolved issues
Table 1-2
Resolved issues (continued)
Issue

applicable)
Some Subject entries were improperly Message Audit Log records now display as expected.
displayed in the Message Audit Log See the associated knowledge base article for
when they contained DBCS or
details:
HI-ASCII characters.
Three lines reading Configuration
file /etc/yum/pluginconf.
d/filename not found appear
near the top of the output for many
command line update commands, as
well as in the update.log file.
The group of errors may appear multiple times in the

output. These errors may safely be ignored.
After you performed an Update

Download from the command line,
the Control Center's Versions >
Update page did not display
Available for Download for that
version instead of Downloaded.
This was a reporting error. The software had been

downloaded (which could be confirmed by viewing
the update.log file). A second download attempt
had no effect. The software from the first download
was still stored on disk, and was available for
installation.

information:

information:
This issue is also discussed in the following
knowledge base article:
IP Reputation Lookup did not indicate This issue has been resolved. See the associated
that an IP was marked as a Directory knowledge base article for details:
Harvest Attack source.
Appliance failed to generate a backup This behavior was the result of an issue with that
on remote FTP server with
specific FTP server. The behavior is as designed.
anonymous user.
details:
10

Resolved issues
Table 1-2
Issue

applicable)
Exporting a diagnostic package via

When a diagnostic package is exported to a
FTP to an unreachable host produces unreachable FTP server, the following error is now
a confusing error.
displayed: FTP: Can't connect to
10.217.32.1 ERROR: Unable to send to
the specified URL. Please verify the
URL address and credentials are
correct.
details:
End-user quarantine time zone
Time zone now displayed correctly as Singapore.
displayed as Malaysia, though it had See the associated knowledge base article for
been set to Singapore.
details:
Overlapping network blocks in Local
Bad Sender IPs caused a hang in
certain situations.

Some default Content Filtering policies This issue has been resolved. See the associated
were not displayed in Content Filtering knowledge base article for details:
reports.
Javascript error observed during
update in Internet Explorer 8.
Internet Explorer 8 is not supported. See the

associated knowledge base article for details:
Customer-specific Spam Submissions This issue has been resolved. See the associated
registration failed with some proxy
servers.
On the Control Center's Status >
Hosts > Hardware Status >
Localhost page, drop-down menus
for Administrator logout and Online
Help were not displayed.
11

Resolved issues
Table 1-2
Issue

applicable)
The option to create 1024-bit

The default key length for self-signed certificates has
certificate signing requests has been been changed from 1024 bits to 2048 bits. TLS
removed from the user interface.
certificates with a key length of 1024 bits are no
longer considered secure. Symantec Messaging
Gateway now offers 2048- and 4096-bit keys. See
the associated knowledge base article for details:
A new action added to the Bounce
Attack Validation default spam policy details:
was not applied until the MTA was
restarted.
When attempting to sort columns on
the Submission Details page, users
may encounter an application error.

details:
Proxy functionality failed when

passwords contained special
characters.

Under some circumstances, the

Control Center lost contact with the
Scanner(s) after the agent-config
-a command was entered.
Missing Message ID in Audit Log if
original message didn't have Message knowledge base article for details:
ID.
Scheduled task failure alerts sent
repeatedly after software update.

Error seen during boot:

/etc/rc3.d/S99mta: unary
operator expected.

12

Resolved issues
Table 1-2
Issue

applicable)
Potential Distributed Reflection Denial See the associated knowledge base article for
of Service vulnerability in NTP on IPv6 details:
interface as described in
CVE-2013-5211.
Mail Transfer Agent crashed while
trying to deliver to a domain with
hundreds of MX records pointing to
non-operational hosts.

The error Validation of stats This issue has been resolved. See the associated
file engine_stats.*.xml
failed appeared in the conduit log
when language blocking was enabled.
The file domains.db accumulated
errors over time and could not be
reset. This caused the following errors
to appear when restarting the MTA:
Datasource: failed to
prepare. Datasource query
failed for domain.com.
The solution to this condition is to restart the MTA

service. The errors can be safely ignored. See the
Searching Message Audit Logs by

Message Audit Log searches now match the entire
subject from the Control Center
string, so that searching works as expected. See the
accepted only the first word as a
search term in a phrase with spaces.
Recipient validation fails if local part If you include quotation marks in the local part of an
of address contains quotation marks. email addressallowed under RFC, but generally
only used to escape special characters in the local
part (such as '<' spaces, etc.)then recipient
validation fails. Symantec has determined that the
handling of this condition conforms to accepted
standards.
13

Known issues
Table 1-2
Issue

applicable)
Customer-Specific Spam Rules: input Submit Message page does not provide validation
validation not present on Submit
on some types of files, which can result in invalid
Message page.
submissions.
details:
When large numbers of emails are
This was a result of using Internet Explorer 8, which
released from spam quarantine, the is no longer supported. See the associated
Control Center sometimes logs users knowledge base article for details:
out.
Submission detail report doesn't
provide an annotation when a
duplicate signature is found for a
message.
If a message that is submitted as a false positive or

a false negative hits a duplicate rule, it gets displayed
in the Control Center with GUMID and Rule ID
without any hyperlink to lead to an associated ruleID
or informational message.
In the Control Center, on the

Administration > Host Version >
Updates page, the status displayed
for a specific host may not accurately
reflect the actual status of the host or
of the update process.
There are several update issues that all involve

differences between the true status of the update
and its status as displayed in the Control Center.
Viewing the update.log from the Command Line
Interface (CLI) will always provide accurate
information.
details:
Known issues
This section describes the known issues in version 10.5.2.
14

Known issues
Table 1-3
Known issues
Issue
Description
Content Filtering policy does not

detect images within RTF
attachments.
Embedded images are not being correctly extracted

from RTF file attachments, which prevents Content
Filtering policies intended to detect images from
firing.
details:
Messages with lines over 998

characters long cannot be submitted
for Customer-Specific Spam Rules via
the Control Center.
Non-RFC5322-compliant messages cannot be

submitted for Customer-Specific Spam Rules even
though the messages are delivered to user inboxes
without issue.
The Control Center allows active

sessions for administrators with
deleted accounts.
Once logged in, administrators continue with the

same rights until they log outtheir permissions are
cached. Also, administrators with full rights to the
Control Center can delete their own accounts without
receiving a warning.
details:
Split ZIP file detection is not

consistent.
Given a ZIP file split into several parts and sent one
part per message, Symantec Messaging Gateway
does not detect all ZIP file parts in a consistent
manner, though it does so for other compressed files
(such as RAR files) that are similarly divided. Not all
such messages are considered unscannable, as
would be expected.
The online Help regarding the status See the associated knowledge base article for
of the Scanners in the Host
details:
Attributes section on the Host Status
page does not match the Symantec
Messaging Gateway user interface.
15

Known issues
Table 1-3
Known issues (continued)
Issue
Description
Replies to messages sent via the

When using both Symantec Content Encryption (CE)
Symantec Content Encryption service and Symantec Bounce Attack Validation (BATV),
always fail bounce attack validation. replies to encrypted messages sent from the content
encryption web portal are flagged as invalid bounce
messages and rejected.
Language identification does not run Language identification scanning does not occur if
for messages over 100 KB, regardless a message as a whole is over 100 KB. The overall
of the message body size.
message size is considered, rather than the message
body. For example, if a message that contains only
a paragraph of Chinese text also includes a 100+KB
GIF file, then language identification does not occur.
When Disarm removes Flash from
PowerPoint, Flash is not replaced with
a white image in a multilevel
embedded attachment.
When Disarm is set to remove Flash content from

Microsoft PowerPoint documents, Flash content that
is contained in a multilevel embedded attachment is
not replaced with a white image, as expected.
Instead, the first image in the Flash content is
displayed.
details:
Stopping and starting the Brightmail

engine (or MTA) from the Control
Center does not restart Disarm.
There is no way to stop or start the Disarm service

from the Control Center. Stopping or starting Disarm
can only be done from the Command Line Interface,
using the service mta commands.
details:
The Symantec Messaging Gateway See the associated knowledge base article for
details:
Installation Guide incorrectly states
that inbound local delivery is limited
to three servers, while the Symantec
Messaging Gateway Administration
Guide states (correctly) that local
delivery is unlimited.
16

Known issues
Table 1-3
Issue
Description
The Message Audit Log shows

delivery status as "Processing Status" details:
for messages that were deleted due
to a verdict of
virus/worm/unscannable; status is
never updated.
In the Control Center, on the
Administration > Host Version >
Updates page, the status displayed
for a specific host may not accurately
reflect the actual status of the host or
of the update process.
There are several update issues that all involve

differences between the true status of the update
and its status as displayed in the Control Center.
Viewing the update.log from the Command Line
Interface (CLI) will always provide accurate
information.
details:
In the Control Center online Help and

in the Symantec Messaging Gateway
Administration Guide, the list of MUAs
supported is incorrect.
The topic "About using SMTP authentication" lists

the MUA versions that Symantec Messaging
Gateway has been tested against. This list should
include Microsoft Outlook 2010, but it should not
include Thunderbird 2 Mail.app (for MacOS).
details:
Selecting "Enable HTML text

scanning" in a Content Filter rule only details:
applies to the message body, not to
the message's attachments.
When you enable Sender ID/SPF, the See the associated knowledge base article for
checking of SPF TXT records returned details:
by DNS is case-sensitive for keywords
such as "a", "mx", and "ip".
17

Known issues
Table 1-3
Issue
Description
Errors are displayed in the MTA Log

(maillog).
The errors heartbeat_init ->

gimli_heartbeat_attach and
heartbeat_init ->Default appear at startup,
and can be safely ignored.
details:
Unsaved changes to quarantine

settings are lost when you edit the
notification template.

details:
Error messages can be displayed in

Disarm logs.
Disarm logs can display the error

CReconstructor::LogStats: cannot create
directory for '$filename' with
error:File exists. This error can be safely
ignored.

details:
Release and view links are not visible See the associated knowledge base article for
when spam summary messages are details:
viewed as text-only.
The cc-config entry in the
Command Line Reference and man
page does not include information
about the limit-tlsv1.1 option.

details:
TLS to FIPS-enabled DLP Prevent

Server Version 12 fails negotiation.
With any TLS for DLP setting enabled in a

FIPS-enabled appliance, messages sent to DLP in
Reflect mode get stuck in the Delivery queue with
TLS negotiation failed.

details:
18

Known issues
Table 1-3
Issue
Description
If both inbound and outbound mail is If inbound and outbound mail is received on different
received on the same IP address and interfaces or ports, this problem will not occur.
port, mail from an IP address with a
broken PTR record will be deferred.
details:
Unchecking "Enable scanning of
non-plain text attachments for words details:
in dictionaries" also prevents scanning
of plain text attachments.
Documentation incorrectly states that The uncompressed size of attachments is always
file attachment size limits considers used when testing file size.
only the compressed size of
compressed attachments.
details:
A Microsoft Office 2007-formatted
document may unexpectedly trigger
a Content policy based on the
attachment size.

details:
Symantec Messaging Gateway may

be unable to deliver mail if TLS
delivery is being attempted and the
receiving MTA has a
strict-implementation lf TLSv1.

details:
Symantec Messaging Gateway may See the associated knowledge base article for
fail to process certain messages with details:
badly formatted MIME attachment
headers.
Selecting the timezone "(GMT-04:00) See the associated knowledge base article for
Atlantic Time (Canada)" results in
details:
timezone being set to "(GMT-05:00)
Eastern Time (US & Canada)".
Microsoft Office 2007 documents with See the associated knowledge base article for
files embedded using the 'Link to file' details:
option are considered unscannable
due to limits exceeded.
19

Symantec Messaging Gateway 10.5.2 Release Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Symantec Messaging Gateway 10.5.2 Release Notes

Uploaded by

Copyright:

Available Formats

Symantec Messaging

Gateway 10.5.2 Release

About Symantec Messaging Gateway 10.5.2

Supported web browsers

Supported paths to version 10.5.2

Unsupported paths to version 10.5.2

Important information about installation in virtual environments

Important information before you update to version 10.5.2