IronPort AsyncOS 5.5.1 RELEASE NOTES for IronPort ® Email Security Appliances

COPYRIGHT

Copyright © 2007 by IronPort Systems®, Inc. All rights reserved.

Part Number: 423-0039

Revision Date: November 6, 2007

The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus Outbreak Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe Network are trademarks or registered trademarks of Symantec Incorporated. McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Copyright 2007 McAfee, Inc. All rights reserved. Used with permission. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners.

This publication and the information contained herein is furnished “AS IS” and is subject to change without notice. Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort Systems, Inc., assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and non-infringement of third-party rights.

Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated in IronPort license agreements. The full text of these agreements can be found here: https://support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html.

Portions of the software within IronPort AsyncOS are based upon the RRDtool with the express written consent of Tobi Oetiker. Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Symantec Incorporated.

Brightmail Anti-Spam is protected under U.S. Patent No. 6,052,709.

IRONPORT SYSTEMS® INC.

IronPort Systems, Inc.
950 Elm Avenue
San Bruno, CA 94066

CONTACTING IRONPORT CUSTOMER SUPPORT

If you have purchased support directly from IronPort Systems, you can request our support by phone, email or online 24 hours a day, 7 days a week. During our office hours (24 hours per day, Monday through Friday excluding US holidays), one of our engineers will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of our office hours, please call us immediately at the numbers below.

U.S. Toll-free: 1 (877) 641-IRON (4766)

International: www.ironport.com/support/contact_support.html

Support Portal: www.ironport.com/support

If you have purchased support through a reseller or another entity, please contact them for support of your IronPort products.

IronPort AsyncOS for Email Security Appliances 5.5.1 Release Notes

These release notes contain information critical to upgrading and running the latest version of AsyncOS for IronPort Email Security Appliances, including hardware-specific information and known issues.

• What’s New in AsyncOS for Email Security Appliances 5.5.1
• Enhanced: Content Scanning
• Enhanced: Message Header Logging for IPMM Headers
• Enhanced: IronPort Spam Quarantine Unicode Conversion
• Enhanced: DKIM Authentication-Results Header
• Fixed: Virtual Gateway Delivery Sometimes Disrupted
• What’s New in AsyncOS for Email Security Appliances 5.5.0
• New Feature: Safelists and Blocklists
• New Feature: IronPort Encryption
• New Feature: DKIM Authentication
• New and Enhanced: LDAP Queries
• New and Enhanced: Content Scanning
• New Feature: AsyncOS Reversion
• New: findevent CLI Command
• Enhanced: Reporting
• Enhanced: IronPort Spam Quarantine Alias Consolidation
• Enhanced: Text Resources
• Enhanced: Content Filters
• Enhanced: cleansmtp CLI Command
• Enhanced: Graphical User Interface
• Enhanced: Content Dictionaries
• Enhanced: CLI grep Command
• Enhanced: Bounce Delivery Status Notification
• Enhanced: Logging
• Modified: LDAP Server Connections
• Modified: SCP Port Configuration
• Fixed Issues
• Fixed Reporting Issues
• Fixed Alert Issues
• Fixed LDAP Issues
• Fixed IronPort Spam Quarantine Issues
• Fixed Message and Content Filter Issues
• Fixed Clustered Environment Issues
• Fixed Configuration File Issues
• Fixed Domain Keys Signing Issues
• Fixed Updater Issues
• Fixed Upgrade Issues
• Fixed: Antivirus Scanning Engines
• Other Fixed Issues
• Qualified Upgrade Paths
• Upgrade Instructions
• Pre-Upgrade Notes
• Configuring the Update Server on Version 5.1 or Later
• Replacing Mail Flow Monitor in AsyncOS Version 5.0 or Later
• Upgrading to the AsyncOS 5.5.1 Release
• Performance Advisory
• Known Issues
• Email Security Monitor and Reporting Issues
• Alert Issues
• LDAP Issues
• IronPort Spam Quarantine Issues
• Message and Content Filter Issues
• Clustered Environment Issues
• Online Help and Documentation Issues
• Configuration File Issues
• Upgrade Issues
• DKIM and Domainkeys Signing Issues
• Trace Feature Issues
• Localization Issues
• Email Encryption Issues
• Safelist/Blocklist Issues
• Other Known Issues
• Contacting IronPort Customer Support


WHAT’S NEW IN ASYNCOS FOR EMAIL SECURITY APPLIANCES 5.5.1

This section describes new features and enhancements added to the AsyncOS for Email Security Appliances 5.5.1 release.

Enhanced: Content Scanning

In version 5.5.1, AsyncOS includes new filter conditions and filter actions. These new conditions and actions are available in the message filters and content filters. The examples below include directions for adding conditions and actions from the GUI for content filters and from the CLI for message filters. However, you can also create content filters via the CLI.

attachment-unprotected filter condition.

The attachment-unprotected filter condition returns true if the scanning engine detects an attachment that is unprotected. A file is considered unprotected if the scanning engine was able to read the attachment. A zip file is considered to be unprotected if any of its members is unprotected.
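The any-member rule for zip files can be seen by evaluating an archive member by member. The following Python sketch is an added example, not IronPort code: it assumes a member counts as protected when the zip encryption flag is set and as unprotected otherwise, and it also evaluates the companion attachment-protected condition for comparison. The sample archives are constructed in memory.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # bit 0 of a zip member's general-purpose flags: member is encrypted


def build_sample_zip(members):
    """Return zip bytes for {name: (data, locked)}; constructed test data.

    A 'locked' member only gets the encryption flag set in its central
    directory entry; its bytes are not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, (data, _locked) in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record is the last 22 bytes (no comment).
    eocd = len(raw) - 22
    count, = struct.unpack_from("<H", raw, eocd + 10)
    pos, = struct.unpack_from("<I", raw, eocd + 16)
    for _ in range(count):
        flags, = struct.unpack_from("<H", raw, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        name = raw[pos + 46:pos + 46 + name_len].decode("ascii")
        if members[name][1]:
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


def classify_members(data):
    """Map each file member of the archive to 'protected' or 'unprotected'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: "protected" if info.flag_bits & ENCRYPTED else "unprotected"
            for info in zf.infolist()
            if not info.is_dir()
        }


def evaluate_conditions(data):
    """Evaluate both conditions for one zip attachment (any-member rule)."""
    states = set(classify_members(data).values())
    return {
        "attachment-protected": "protected" in states,
        "attachment-unprotected": "unprotected" in states,
    }


# Constructed archives: all readable, all locked, and a mix of both.
ALL_CLEAR = build_sample_zip({"a.txt": (b"readable", False),
                              "b.txt": (b"readable too", False)})
ALL_LOCKED = build_sample_zip({"a.txt": (b"placeholder", True)})
MIXED = build_sample_zip({"report.txt": (b"readable", False),
                          "secret.doc": (b"placeholder", True)})

if __name__ == "__main__":
    for label, blob in (("all clear", ALL_CLEAR), ("all locked", ALL_LOCKED),
                        ("mixed", MIXED)):
        print(label, classify_members(blob), evaluate_conditions(blob))
```

For the mixed archive both conditions are true, so a policy that treats the two conditions as opposites will act on the same message twice or in conflicting ways.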

To Add the attachment-unprotected Filter Condition in the GUI (Content Filters):

1. From the GUI, you can add this condition to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter.

2. Enter a name and description for the content filter.

3. Click Add Condition.

4. Select Attachment Protection. The rule builder for the content filter dynamically refreshes with the list of available options.

5. Select One or More Attachments are NOT Protected.

6. Click OK.

The condition is now added to the content filter. You can save the filter or add other conditions or actions.

To Add the attachment-unprotected Filter Condition in the CLI (Message Filters):

From the CLI, you can add the attachment-unprotected filter condition using the following syntax:

Code Example 1-1 attachment-unprotected filter example

    AsyncOS 5.5 for IronPort C100
    Welcome to the IronPort C100 Messaging Gateway(tm) Appliance
    example.com> filters
    Choose the operation you want to perform:
    - NEW - Create a new filter.
    - IMPORT - Import a filter script from a file.
    []> new
    Enter filter script. Enter '.' on its own line to end.
    attachment_protected_quarantine:
    if attachment-unprotected
    {
    quarantine ('Policy');
    }
    .
    1 filters added.

Note — The attachment-unprotected filter condition is not mutually exclusive of the attachment-protected filter condition. It is possible for both filter conditions to return true when scanning the same attachment. This can occur, for example, if a zip file contains both protected and unprotected members.

body-dictionary-match filter condition.

This new filter condition returns true if the dictionary term matches content in the body of the message only. The filter searches for terms within the MIME parts not considered to be an attachment, and it returns true if the user-defined threshold is met (the default threshold value is one).

To Add the body-dictionary-match Filter Condition in the GUI (Content Filters):

1. From the GUI, you can add this condition to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter.

2. Enter a name and description for the content filter.

3. Click Add Condition.

4. Select Message Body.

5. Select Contains Term in Content Dictionary.

6. Choose the content dictionary to use from the drop-down list.

7. Click OK.

The condition is now added to the content filter. You can save the filter or add other conditions or actions.

To Add the body-dictionary-match Filter Condition in the CLI (Message Filters):

Use the following syntax to add the body-dictionary-match filter condition:

    if (body-dictionary-match ('<dictionary_name>'))

The following example shows mail that is quarantined if terms in the email match the specified dictionary:

Code Example 1-2 body-dictionary-match filter example

    AsyncOS 5.5 for IronPort C100
    Welcome to the IronPort C100 Messaging Gateway(tm) Appliance
    example.com> filters
    Choose the operation you want to perform:
    - NEW - Create a new filter.
    - IMPORT - Import a filter script from a file.
    []> new
    Enter filter script. Enter '.' on its own line to end.
    quarantine_secret_words:
    if (body-dictionary-match ('example_dictionary'))
    {
    quarantine ('Policy');
    }
    .
    1 filters added.

drop-attachments-where-dictionary-matches filter action.

This new filter action strips attachments based on matches to dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term (and the user-defined threshold is met), the attachment is stripped from the email.

To Add the drop-attachments-where-dictionary-matches Filter Action in the GUI (Content Filters):

1. From the GUI, you can add this action to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter.

2. Enter a name and description for the content filter.

3. Add any conditions that may apply.

4. Click Add Action.

5. Click Strip Attachment by Content.

6. Select Message Body.

7. Select Contains Term in Content Dictionary.

8. Choose the content dictionary to use from the drop-down list.

9. Click OK.

The action is now added to the content filter. You can save the filter or add other conditions or actions.

To Add the drop-attachments-where-dictionary-matches Filter Action in the CLI (Message Filters):

Code Example 1-3 drop-attachments

    AsyncOS 5.5 for IronPort C100
    Welcome to the IronPort C100 Messaging Gateway(tm) Appliance
    example.com> filters
    Choose the operation you want to perform:
    - NEW - Create a new filter.
    - IMPORT - Import a filter script from a file.
    []> new
    Enter filter script. Enter '.' on its own line to end.
    testme:
    if (true)
    {
    drop-attachments-where-dictionary-match('dictionary_example');
    }
    .
    1 filters added.

Enhanced: Message Header Logging for IPMM Headers

In previous versions of AsyncOS for Email Security Appliances, it was not possible to log message headers for IPMM messages. Now you can log IPMM message headers via the logconfig -> logheaders CLI command.

To use this feature: from the logconfig CLI command, select LOGHEADERS, and choose to scan IPMM messages for existing headers:

    Choose the operation you want to perform:
    - NEW - Create a new log.
    - EDIT - Modify a log subscription.
    - DELETE - Remove a log subscription.
    - SETUP - General settings.
    - LOGHEADERS - Configure headers to log.
    - HOSTKEYCONFIG - Configure SSH host keys.
    []>logheaders
    Please enter the list of headers you wish to record in the log files.
    Separate multiple headers with commas.
    []> Message-ID
    Include IPMM variables with headers? [N]> Y
    Should IPMM messages be scanned for existing headers? [N]Y

Note that the headers are extracted before the variables are substituted. Therefore, instead of seeing the variable value in the logs, the variable displays in the logs. For instance, if you log the subject header, you might see the following entry in your logs:

    Subject: &usersubject;

Note — This feature only applies to IPM messages with a single XPRT body part.

Enhanced: IronPort Spam Quarantine Unicode Conversion

When the IronPort Spam Quarantine displays a message, it converts the message body to Unicode. If errors occurred when converting the message body to Unicode, sometimes messages were rendered unreadable. Now, instead of generating unreadable messages, the IronPort Spam Quarantine skips displaying unreadable characters. [Defect ID: 35757, 36909]

Enhanced: DKIM Authentication-Results Header

For DKIM Authentication, IronPort currently supports version 8 of the Draft Specification of “Authentication-Results:” header (draft-kucherawy-sender-auth-header). [Defect ID: 36848]

Fixed: Virtual Gateway Delivery Sometimes Disrupted

Fixed an issue in which Virtual Gateway delivery to a host with an invalid DNS entry sometimes disrupted the mail flow. [Defect ID: 37687]


WHAT’S NEW IN ASYNCOS FOR EMAIL SECURITY APPLIANCES 5.5.0

This section describes new features and enhancements added to the AsyncOS for Email Security Appliances 5.5.0 release.

New Feature: Safelists and Blocklists

The 5.5 version of AsyncOS introduces end-user safelists and blocklists. You can enable end users to create safelists and blocklists to better control which emails are scanned by anti-spam scanning engines. Safelists allow a user to ensure that certain users or domains are never scanned with anti-spam scanning engines, while blocklists ensure that certain users or domains are rejected or quarantined. The safelists and blocklists settings are configured from the IronPort Spam Quarantine, so you must enable and configure the IronPort Spam Quarantine to use this feature. When you enable the safelist/blocklist feature, each end-user can maintain a safelist and blocklist for his or her email account.

Note — A safelist setting does not prevent the IronPort appliance from scanning an email for viruses or determining if the message meets the criteria for a content-related mail policy. Even if a message is part of a safelist, it may not be delivered to the end-user depending on other scanning settings.

Note about Synchronizing Safelist/Blocklist Settings

When an end user creates a safelist or blocklist, the setting is saved to a database. If the IronPort Spam Quarantine exists on an M-Series appliance, this database must be synchronized with a database on the C-Series appliance before the safelist/blocklist settings are applied to incoming mail. When the IronPort Spam Quarantine exists on a C-Series appliance, the database must be synchronized with a read-only database that is used when processing the mail queue. The amount of time it takes to automatically synchronize these databases depends on the model of the machine. The following table shows the default settings for updating safelists and blocklists:

Table 1-1 Synchronization of Safelist and Blocklist Settings

| Appliance | Synchronization Time |
|---|---|
| C10/C100/C150 | 10 minutes |
| C30/C300/C350 | 15 minutes |
| C60/C600/C650 | 30 minutes |
| X1000/X1050 | 60 minutes |
| M10/M600/M650 | 120 minutes |
| M1000/M1050 | 240 minutes |


For information about configuring safelists and blocklists, see “Working with Safelists and Blocklists” in the “Quarantines” chapter of the IronPort AsyncOS User Guide.

New Feature: IronPort Encryption

The 5.5 version of AsyncOS includes integrated email encryption. To use this feature, first create an Encryption Profile that specifies characteristics of the encrypted message and connectivity information for the key server. The key server may either be the Cisco Registered Envelope Service (managed service) or an IronPort Encryption Appliance (locally managed server). Next, use content and/or message filters to determine which messages to encrypt.

When outgoing messages that meet the filter condition are processed, the message is encrypted on the Email Security Appliance and the key used to encrypt the message is stored into the key server specified in the Encryption Profile.

After you configure encryption, send a test message through to ensure it is encrypted. You can tail the logs, or you can use the CLI findevent command to get a summary of the events after they have occurred (using the MID).

For updates to the IronPort Encryption appliance and updates to the Cisco Registered Envelope Service, please review the release notes for those products. Please note that AsyncOS version 5.5 is compatible with version 6.2.7.4 of the IronPort Encryption appliance.

For information about configuring IronPort encryption, see “IronPort Email Encryption” in the IronPort AsyncOS User Guide.

New Feature: DKIM Authentication

The 5.5 version of AsyncOS includes the ability to perform DKIM signing and verification. DomainKeys Identified Mail is a method for email authentication in which a DKIM-Signature header is inserted in an email, and the verifying MTA validates the signature by retrieving a sender's public key through the DNS. To use DKIM with the Email Security Appliance, you create a domain key profile, a signing key, and enable DKIM signing or verification on the mail flow policy.

Note — If you send a test email to a reflector site, the IETF specification may differ from the one used by IronPort, and a failure may occur even when your configuration and settings are correct. If your test fails, verify the failure by testing against several different reflector sites.

For more information about DKIM authentication, see “DomainKeys and DKIM Authentication” in the IronPort AsyncOS User Guide.
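To make the DNS lookup step concrete, the following Python sketch (an added example, not IronPort code) parses a DKIM-Signature header value into its tags, derives the DNS name at which a verifier requests the signer's public key, and runs the structural checks a verifier makes before any cryptography. The header value, selector and domain are constructed sample data; the tag names and the `_domainkey` label come from the DKIM specification.

```python
import re

# Tags a DKIM-Signature header must carry according to the DKIM specification.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# Constructed sample header value; bh= and b= hold placeholder text,
# not a real body hash or signature.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=mail2007;\r\n"
    "\th=from:to:subject:date; bh=cGxhY2Vob2xkZXI=;\r\n"
    "\tb=Y29uc3RydWN0ZWQgc2FtcGxl"
)


def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError("malformed tag: %r" % item.strip())
        if name in tags:
            raise ValueError("duplicate tag: " + name)
        # Folding whitespace inside a value is not significant.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """DNS name whose TXT record holds the signer's public key."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def precheck(tags):
    """Return a list of structural problems; empty means ready to verify."""
    problems = ["missing required tag %s=" % t for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v", "1") != "1":
        problems.append("unsupported version v=%s" % tags["v"])
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "h" in tags and "from" not in signed:
        problems.append("h= does not cover the From header")
    return problems


if __name__ == "__main__":
    parsed = parse_dkim_signature(SAMPLE_SIGNATURE)
    print("query TXT at:", key_query_name(parsed))
    print("problems:", precheck(parsed))
```

When a test against a reflector site fails, comparing the selector and domain in the emitted header with the DNS record actually published is a quick way to separate a key-publication problem from a specification mismatch.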

New and Enhanced: LDAP Queries

AsyncOS version 5.5 includes the following enhancements to LDAP queries:

• Domain-based queries. Domain-based queries are LDAP queries grouped by type, associated with a domain, and assigned to a particular listener. You might want to use domain-based queries if you have different LDAP servers associated with different domains but you want to run queries for all your LDAP servers on the same listener.


• Chain queries. A chain query is a series of LDAP queries that the IronPort appliance runs in succession. The IronPort appliance runs each query in the “chain” until the LDAP server returns a positive response (or the final query in the “chain” returns a negative response or fails). Chain queries can be useful if entries in your LDAP directory use different attributes to store similar (or the same) values. For example, you might have used the attributes maillocaladdress and mail to store user email addresses. To ensure that your queries run against both these attributes, you can use chain queries.

• Modified DHAP. In a previous release, DHAP counters were based solely on the rejections detected during LDAP acceptance queries. Now, the DHAP counters include both RAT rejections and LDAP acceptance query rejections. DHAP settings are now configured in the Mail Flow Policy rather than in the Listener settings.

• LDAP Referrals. The 5.5 version of AsyncOS supports LDAP referrals. When you use LDAP referrals, the original query gets referred to another LDAP server. For example, the following log shows a query that is referred from server openLDAP1 to server ldap_server2.com:

Tue Jun 26 13:19:54 2007 Debug: LDAP: (accept) Query ([email protected]) to server openLDAP1 (ldap_server1.com:389)

Tue Jun 26 13:19:54 2007: LDAP: Query ([email protected]) following continuation: ldap://ldap_server2.com/ou=test,ou=people,dc=com??sub

Tue Jun 26 13:19:54 2007: LDAP: (accept) Query ([email protected]) lookup success, returned 1 results

IMPORTANT: When you use LDAP referrals, you must have configured an LDAP server profile for each LDAP server you want to refer to. In the previous example, you would need to configure an LDAP server profile for openLDAP1 and ldap_server2.com.

• LDAP caches. In previous releases, LDAP cache settings were configured for each LDAP query. In AsyncOS 5.5, LDAP caches are now associated with the server profile, and cache settings are the same for all LDAP queries. When you upgrade from previous versions, the highest cache values from the previous configuration are used as the upgraded cache value. For example, if you set the maximum retained cache entries to a value of 1000 for the routing query, and a maximum retained cache entries to a value of 5000 for the Accept query, the upgraded value would be 5000 for all queries.

• Bypass LDAP Acceptance query. If you configure LDAP acceptance queries, you may wish to bypass the acceptance query for certain recipients. This feature can be useful if there are recipients for whom you receive email which you do not want to be delayed or queued during LDAP queries, such as [email protected]. You can configure bypassing LDAP acceptance via the GUI or from the CLI. To configure bypassing LDAP acceptance via the GUI, select Bypass LDAP Accept Queries for this Recipient when you add or edit the RAT entry. To configure bypassing LDAP acceptance queries via the CLI, answer yes to the following question when you enter recipients using the listenerconfig -> edit -> rcptaccess command:

    Would you like to bypass LDAP ACCEPT for this entry? [Y]> y

Note — When you configure a RAT entry to bypass LDAP acceptance, be aware that the order of RAT entries affects how recipient addresses are matched. The RAT matches the recipient address with the first RAT entry that qualifies. For example, you have the following RAT entries: [email protected] and ironport.com. You configure the entry for [email protected] to bypass LDAP acceptance queries, and you configure the entry for ironport.com for ACCEPT. When you receive mail for [email protected], the LDAP acceptance bypass will occur only if the entry for [email protected] is before the entry for ironport.com. If the entry for ironport.com is before the [email protected] entry, the RAT matches the recipient address to this entry and applies the ACCEPT action.

For information about configuring new LDAP settings, see “LDAP Queries” in the IronPort AsyncOS Advanced User Guide.

New and Enhanced: Content Scanning

In version 5.5, AsyncOS includes the following enhancements to content scanning:

• Thresholds for Patterns in Content Scanning. When you add message or content filter rules that search for patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found in order to trigger the filter action. When AsyncOS scans the message, it totals the “score” for the number of matches it finds in the message and attachments. If the minimum threshold is not met, the regular expression does not evaluate to true. You can specify this threshold for the following filter rules:

• body-contains

• only-body-contains

• attachment-contains

• every-attachment-contains

• dictionary-match

• attachment-dictionary-match

You can also specify a threshold value for the drop-attachments-where-contains action.

• Weighted content dictionaries. For each term in a content dictionary, you specify a “weight,” so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it “scores” the message by multiplying the number of term instances by the weight of term. Two instances of a term with a weight of three would result in a score of six. AsyncOS then compares this score with a threshold value associated with the content or message filter to determine if the message should trigger the filter action.

• Smart identifiers. When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data. Smart identifiers can detect the following patterns in data:

• Credit card numbers

• U.S. Social Security numbers

• CUSIP (Committee on Uniform Security Identification Procedures) numbers

• ABA (American Banking Association) routing numbers

• Improved embedded object detection. In version 5.5, AsyncOS treats ordinary files as if they were containers, similar to zip files. The embedded objects are extracted and processed as independent files that are separately fingerprinted, sent to the Stellent scanning engine, and scanned for content matches. This change allows for the following improvement to embedded object detection:

• A zip file is now processed as if it were directly attached to the message; the member files will themselves be scanned, and the names can be matched using an attachment-filename filter rule.

• Scanning exclusion lists and depth limits are better supported.

• Detecting zip files in Word and Excel is supported.

• Detect password-protected attachments. A new message filter condition and content filter condition is included in the 5.5 release to detect password-protected files. The new message filter condition, attachment-protected, uses the following syntax:

    if attachment-protected { quarantine("Policy"); }

• Matched Content Viewing. You can now view the content that triggered a message or content filter action using the matched content action variable or by viewing a quarantined message in the system quarantine. In the system quarantine, matched content appears highlighted, so you can easily view the content that triggered the filter action.

For information about configuring new content scanning functionality, see the following documentation:

• “Policy Enforcement” in the IronPort AsyncOS Advanced User Guide.

• “Content Dictionaries” in “Text Resources” in the IronPort AsyncOS User Guide.

• “Content Filters Overview” in “Email Security Manager” in the IronPort AsyncOS User Guide.
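The threshold and weighted-dictionary scoring described in this section, and the body-only versus attachment-only scopes of body-dictionary-match and drop-attachments-where-dictionary-matches, can be modelled in a few lines. This Python sketch is an added example and not the AsyncOS implementation: the dictionary, the message, and the whole-word, case-insensitive matching are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Constructed content dictionary: term -> weight.
DICTIONARY = {"confidential": 3, "merger": 2}


def build_sample_message():
    """Constructed message: one body part and two text attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Draft"
    msg.set_content("This draft is confidential. Keep the merger quiet.")
    msg.add_attachment("confidential figures, confidential plan",
                       filename="notes.txt")
    msg.add_attachment("lunch menu for Friday", filename="menu.txt")
    return msg


def score_text(text, dictionary):
    """Sum of (number of instances x weight) over all dictionary terms."""
    total = 0
    for term, weight in dictionary.items():
        pattern = r"\b" + re.escape(term) + r"\b"
        total += len(re.findall(pattern, text, re.IGNORECASE)) * weight
    return total


def text_parts(msg):
    """Yield (is_attachment, filename, text) for each text/* leaf part."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        yield part.is_attachment(), part.get_filename(), part.get_content()


def message_score(msg, dictionary):
    """Score totalled over the body and every attachment."""
    return sum(score_text(text, dictionary) for _, _, text in text_parts(msg))


def body_dictionary_match(msg, dictionary, threshold=1):
    """Score only parts that are not attachments; return (matched, score)."""
    score = sum(score_text(text, dictionary)
                for is_att, _, text in text_parts(msg) if not is_att)
    return score >= threshold, score


def attachments_to_strip(msg, dictionary, threshold=1):
    """Filenames of attachments whose own score meets the threshold."""
    return [name for is_att, name, text in text_parts(msg)
            if is_att and score_text(text, dictionary) >= threshold]


if __name__ == "__main__":
    sample = build_sample_message()
    print("whole message score:", message_score(sample, DICTIONARY))
    print("body match (default threshold):", body_dictionary_match(sample, DICTIONARY))
    print("body match (threshold 6):", body_dictionary_match(sample, DICTIONARY, 6))
    print("stripped at threshold 6:", attachments_to_strip(sample, DICTIONARY, 6))
```

The attachment `notes.txt` reproduces the case in the text: two instances of a term with a weight of three give a score of six.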


New Feature: AsyncOS Reversion

The 5.5 version of AsyncOS includes the ability to revert the AsyncOS version to a previous qualified build for emergency uses. The earliest AsyncOS version supported for this is AsyncOS 5.5.0; prior versions of AsyncOS are not supported.

WARNING: Using the revert command on an IronPort appliance is a very destructive action. This command destroys all configuration, logs, and databases, and disrupts mail handling until reconfigured. Because this command destroys all configuration, it is absolutely required that you have physical local access to the IronPort appliance when you want to issue the revert command. Once the revert action is complete, you must use the console CLI or a network connection to the Management port on the default IP address of 192.168.42.42 to reconfigure the appliance.

To run the revert command, complete the following steps:

1. Save the configuration of your appliance (with passwords unmasked) off the IronPort appliance. To do this, you can email it to yourself or FTP the file. A simple way to do this is the mailconfig CLI command.

2. If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database to another machine.

3. Wait for the mail queue to empty.

4. Log into the CLI of the appliance you want to revert.

When you run the revert command, several warning prompts are issued. Once these warning prompts are accepted, the revert action takes place immediately.

5. From the CLI, issue the revert command and pay heed to the prompts.

Note — The reversion process is time-consuming. It may take fifteen to twenty minutes before reversion is complete and console access to the IronPort appliance is available again.

The following example shows the revert command:

mail.mydomain.com> revert
This command will reset the device to a different AsyncOS version.
Resetting the device will destroy all configuration, logs, databases, and generally disrupt mail handling until reconfigured.
Resetting the device will cause an immediate reboot to take place.
The device will then reboot, reinitialize itself, and finally reboot
again to the desired version.
Are you sure you want to continue? yes
Are you *really* sure you want to continue? yes
Available version    Install date
=================    ============
Available version    Install date
1. 5.5.0-236         Tue Aug 28 11:03:44 PDT 2007
2. 5.5.0-330         Tue Aug 28 13:06:05 PDT 2007
3. 5.5.0-418         Wed Sep 5 11:17:08 PDT 2007
Please select an AsyncOS version: 2
You have selected "5.5.0-330".
The system will now reboot to perform the revert operation.

6. Once the machine comes back up, use the serial console to configure an interface with an accessible IP address using the interfaceconfig command.

7. Enable FTP or HTTP on one of the configured interfaces.

8. Either FTP the XML configuration file you created, or paste it into the GUI interface.

9. If you use the Safelist/Blocklist feature, import and restore the Safelist/Blocklist database.

10. Commit your changes.

The reverted IronPort appliance should now run using the previous AsyncOS version.

New: findevent CLI Command

The findevent CLI command simplifies the process of tracking messages within the system using the on-box mail log files. The findevent CLI command allows you to search through the mail logs for a particular message by searching for a message ID or a regular expression match against the subject header, envelope sender or envelope recipient. You can display results for the current log file, all the log files, or display log files by date. When you view log files by date, you can specify a date or a range of dates.

After you identify the message you want to view logs for, the findevent command displays the log information for that message ID including splintering information (split log messages, bounces and system generated messages). The following example shows the findevent CLI command tracking the receiving and delivery of a message with “confidential” in the subject header:

example.com> findevent
Please choose which type of search you want to perform:
1. Search by envelope FROM
2. Search by Message ID
3. Search by Subject
4. Search by envelope TO
[1]> 3
Enter the regular expression to search for.
[]> confidential
Currently configured logs:
1. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to use for message tracking.
[]> 1
Please choose which set of logs to search:
1. All available log files
2. Select log files by date list
3. Current log file
[3]> 3
The following matching message IDs were found. Please choose one to
show additional log information:
1. MID 4 (Tue Jul 31 17:37:35 2007) sales: confidential
[1]> 1
Tue Jul 31 17:37:32 2007 Info: New SMTP ICID 2 interface Data 1 (172.19.1.86) address 10.251.20.180 reverse dns host unknown verified no
Tue Jul 31 17:37:32 2007 Info: ICID 2 ACCEPT SG None match ALL SBRS None
Tue Jul 31 17:37:35 2007 Info: Start MID 4 ICID 2
Tue Jul 31 17:37:35 2007 Info: MID 4 ICID 2 From: <[email protected]>
Tue Jul 31 17:37:35 2007 Info: MID 4 ICID 2 RID 0 To: <[email protected]>
Tue Jul 31 17:37:35 2007 Info: MID 4 Subject 'sales: confidential'
Tue Jul 31 17:37:35 2007 Info: MID 4 ready 4086 bytes from <[email protected]>
Tue Jul 31 17:37:35 2007 Info: MID 4 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue Jul 31 17:37:35 2007 Info: ICID 2 close
Tue Jul 31 17:37:37 2007 Info: MID 4 interim verdict using engine: CASE spam negative
Tue Jul 31 17:37:37 2007 Info: MID 4 using engine: CASE spam negative
Tue Jul 31 17:37:37 2007 Info: MID 4 interim AV verdict using Sophos CLEAN
Tue Jul 31 17:37:37 2007 Info: MID 4 antivirus negative
Tue Jul 31 17:37:37 2007 Info: MID 4 queued for delivery
Tue Jul 31 17:37:37 2007 Info: Delivery start DCID 0 MID 4 to RID [0]
Tue Jul 31 17:37:37 2007 Info: Message done DCID 0 MID 4 to RID [0]
Tue Jul 31 17:37:37 2007 Info: MID 4 RID [0] Response '/null'
Tue Jul 31 17:37:37 2007 Info: Message finished MID 4 done

Enhanced: Reporting

In version 5.5, AsyncOS includes the following enhancements to reporting:


• System Capacity Report. The system capacity report gives the administrator current and historical information about resource usage on the IronPort appliance. The report shows CPU usage broken down by feature or by total CPU usage. The system capacity report can be used to accomplish the following tasks:

• Determine when an Email Security Appliance is exceeding recommended capacity and additional boxes or system tuning are needed.

• Identify historical trends in system behavior which point to upcoming capacity issues.

• Identify which part of the system is using the most resources to assist with troubleshooting.

• Outgoing Destinations. The Outgoing Destinations page provides information about the domains your company sends mail to. This report can be useful in completing the following tasks:

• Determining which domains the IronPort appliance is sending mail to.

• Determining how much mail is sent to each domain.

• Determining how much of the sent mail is clean, spam, virus positive, or stopped by a content filter.

• Determining how many messages are delivered or bounced by the destination server.

• Outgoing Senders Report. The Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network. You can view the results by domain or IP address when you view this page. You might want to view the results by domain if you want to see what volume of mail is being sent by each domain; or, you might want to view the results by IP address if you want to see which IP addresses are sending the most virus messages or triggering content filters. This report can be useful for accomplishing the following tasks:

• Determining which IP addresses send the most virus or spam-positive email.

• Determining which domains send the most mail (for billing or planning purposes).

• Virus Types Report. This report tracks the viruses caught by the virus scanning engines running on the IronPort appliance. This displays a summary verdict of all scanning engines running on the IronPort appliance (if multiple virus scanning engines run on the machine). In addition, multiple scanning engines may use different nomenclature to describe the same virus. In this case, the same virus may appear in the report using both virus names.

Note — The Virus Types page may not display the same number of total viruses as the Overview page. This can occur when a message is both spam- and virus-positive. In this case, the spam counting takes precedence over virus counting in our reporting system to prevent double-counting.


For more information about new reporting functionality, see “Using the Email Security Monitor” in the IronPort AsyncOS User Guide.

Enhanced: IronPort Spam Quarantine Alias Consolidation

In version 5.5, when the system is configured for LDAP authentication, you can now consolidate the emails sent to different aliases. This means that end-users can now receive consolidated spam notifications. This is useful if there are several email address aliases configured for a single user. In previous releases, such users received multiple spam notifications, one for each alias email address.

Note — This feature does not apply to listserv entries.

For more information about configuring alias consolidation, see “Quarantines” in the IronPort AsyncOS User Guide.

Enhanced: Text Resources

In version 5.5, custom notifications have been expanded to include the following new and enhanced notifications:

• User-defined HTML Encryption Notification. You can create a custom HTML notification to send to users who receive encrypted email.

• User-defined Text Encryption Notification. You can create a custom text notification to send to users who receive encrypted email.

• User-defined Bounce Notification. You can create a custom bounce notification to send to users who receive bounced email.

• User-defined Delay Notification. You can create a custom delay notification to send to users whose email delivery is delayed.

• User-defined Anti-virus Container Notification. You can create a custom anti-virus notification to send to users when the antivirus notification contains the original message as an attachment.

• User-defined Anti-virus Text Notification. You can create a custom anti-virus notification to send to users when the antivirus notification is sent in place of the original message. This notification is used when it is unsafe or undesirable to send the original message.

For more information about creating custom notifications, see “Text Resources” in the IronPort AsyncOS User Guide.

Enhanced: Content Filters

The 5.5 version of AsyncOS includes the following enhancements to content filters:

• Enhanced Rule Builder Interface. The content filters use a new rule builder interface that simplifies and streamlines the creation of content filters.


• Logging and Archiving. You can now log and archive content filter actions. The log action allows you to save a copy of the original message, including all message headers and recipients into an mbox-format file on the appliance. The system creates a log subscription with the specified filename for the action.

• New alt-src-host Action. The alt-src-host action changes the source host for the message to the source specified. The source host is the IP interface or group of IP interfaces that the messages should be delivered from.

• Support of Action Variables. The following content filter actions now support action variables:

• bcc()

• bcc-scan()

• notify()

• notify-copy()

For more information about content filters, see “Email Security Manager” in the IronPort AsyncOS User Guide.

Enhanced: cleansmtp CLI Command

Changes to the AsyncOS operating system have resulted in changes to the way SMTP traffic is handled. This change affects the cleansmtp command. You access the cleansmtp command via listenerconfig -> edit -> [listener#] -> setup -> cleansmtp -> 1

The cleansmtp CLI command now has the following options:

1. Clean data

2. Reject unclean data

3. Accept unclean data, but do not clean

By default, when you upgrade, the cleansmtp setting is configured to clean data (option 1). To accept unclean data, you can select option 3; however, for best performance, IronPort recommends you select option 1.

For more information about configuring listeners, see “Customizing Listeners” in the IronPort AsyncOS Advanced User Guide.

Enhanced: Graphical User Interface

In version 5.5, the GUI has been updated to use a drop-down menu rather than a sidebar menu, and the “Commit” button has been moved to the right-hand side of the screen and has more visible icons. In a previous release, the Support Request and Remote Access pages were located under the System Administration drop-down menu. These pages can now be found under the “Help” menu.

Beginning with AsyncOS 5.5, the web-based UI incorporates libraries from the Yahoo! User Interface (YUI) Library, which is a set of utilities and controls, written in JavaScript, for building richly interactive web applications.


The YUI library supports the vast majority of browsers that are in general use. The YUI library also has a comprehensive, public approach to browser support and is committed to making sure that components work well in all of what are designated as "A-Grade" browsers. For more information on graded browser support, see:

http://developer.yahoo.com/yui/articles/gbs/

Enhanced: Content Dictionaries

Content dictionaries have been enhanced in the following ways:

• Smart identifiers. You can add smart identifiers to your content dictionaries. When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data. Smart identifiers can detect the following patterns in data:

• Credit card numbers

• U.S. Social Security numbers

• CUSIP (Committee on Uniform Security Identification Procedures) numbers

• ABA (American Banking Association) routing numbers

• Weighted dictionary entries. For each term in a content dictionary, you specify a “weight,” so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it “scores” the message by multiplying the number of term instances by the weight of the term. Two instances of a term with a weight of three would result in a score of six. AsyncOS then compares this score with a threshold value associated with the content or message filter to determine if the message should trigger the filter action.

• Expanded limits on number of entries. In previous releases, dictionary entries were limited to 1000 entries per dictionary. Now, dictionaries can have up to 5000 entries. [Defect ID: 32748]

IronPort recommends that you create separate entries for each dictionary term to improve performance and simplify GUI maintenance of your content dictionaries. If you used groups of regex entries, such as "(word1|word2|word3)", IronPort recommends you break these up into separate entries for better performance. If you do group terms, IronPort recommends you use non-capturing parentheses in the following format: “(?:term1|term2|term3)”.
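The scoring rule and the grouping advice above, modelled as an added Python example (not IronPort code). The sample dictionary, text and threshold are constructed; summing scores across terms, case-insensitive matching, the "meets or exceeds" comparison, and Luhn validation standing in for the credit-card smart identifier are assumptions that the release notes do not spell out.

```python
import re

# Constructed sample dictionary: (regex term, weight) pairs, not a shipped one.
SAMPLE_DICTIONARY = [
    (r"confidential", 3),
    (r"(?:merger|acquisition|takeover)", 2),  # grouped terms, non-capturing form
    (r"(internal|restricted) use only", 1),   # capturing group: reported by the lint
]

# Constructed sample message body. 4111 1111 1111 1111 is a well-known test
# card number that passes the Luhn check; the second digit run does not.
SAMPLE_TEXT = ("Confidential: the merger terms are confidential. "
               "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456.")

# Candidate card numbers: 13 to 19 digits, single spaces or hyphens allowed.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(number):
    """Return True if the digits in the string pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return bool(digits) and total % 10 == 0


def count_card_numbers(text):
    """Count digit runs that look like card numbers and pass the checksum."""
    return sum(1 for m in CARD_CANDIDATE.finditer(text) if luhn_valid(m.group()))


def score_message(text, dictionary, card_weight=0, whole_word=True):
    """Score = instances of each term x its weight, summed over all entries."""
    scores = {}
    for term, weight in dictionary:
        expr = r"\b(?:%s)\b" % term if whole_word else term
        hits = sum(1 for _ in re.finditer(expr, text, re.IGNORECASE))
        scores[term] = hits * weight
    if card_weight:
        scores["<credit card>"] = count_card_numbers(text) * card_weight
    return {"terms": scores, "total": sum(scores.values())}


def triggers_filter(text, dictionary, threshold, **kwargs):
    """Assumed comparison: the filter fires when the score reaches the threshold."""
    return score_message(text, dictionary, **kwargs)["total"] >= threshold


def entries_with_capturing_groups(dictionary):
    """List entries that should be rewritten with (?:...) or split up."""
    return [term for term, _ in dictionary if re.compile(term).groups > 0]


if __name__ == "__main__":
    print(score_message(SAMPLE_TEXT, SAMPLE_DICTIONARY, card_weight=5))
    print(triggers_filter(SAMPLE_TEXT, SAMPLE_DICTIONARY, threshold=10, card_weight=5))
    print(entries_with_capturing_groups(SAMPLE_DICTIONARY))
```

The checksum step is what keeps the order reference in the sample from being counted as a card number, which matters when a single false hit can push a weighted score over the threshold.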

For more information about content dictionaries, see “Text Resources” in the IronPort AsyncOS User Guide.

Enhanced: CLI grep Command

The grep CLI command has been enhanced to support a “count” option. The count option displays the number of lines matching the regular expression in the log file. Use the following syntax:

grep -c <regular expression> <log name>
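What the findevent search and the grep count option do over mail-log lines, as an added Python example that is not part of AsyncOS: it finds MIDs by subject or envelope address, collects every line for one MID together with its inbound connection (ICID), and counts matching lines. The log lines follow the format of the findevent output earlier in these notes; the e-mail addresses and the second message (MID 42) are constructed.

```python
import re

# Constructed sample in the mail_logs format shown in the findevent example;
# the addresses and the MID 42 message are made up for illustration.
SAMPLE_LOG = """\
Tue Jul 31 17:37:32 2007 Info: New SMTP ICID 2 interface Data 1 (172.19.1.86) address 10.251.20.180 reverse dns host unknown verified no
Tue Jul 31 17:37:35 2007 Info: Start MID 4 ICID 2
Tue Jul 31 17:37:35 2007 Info: MID 4 ICID 2 From: <sender@example.com>
Tue Jul 31 17:37:35 2007 Info: MID 4 ICID 2 RID 0 To: <rcpt@example.net>
Tue Jul 31 17:37:35 2007 Info: MID 4 Subject 'sales: confidential'
Tue Jul 31 17:37:35 2007 Info: ICID 2 close
Tue Jul 31 17:37:36 2007 Info: New SMTP ICID 3 interface Data 1 (172.19.1.86) address 10.251.20.181 reverse dns host unknown verified no
Tue Jul 31 17:37:36 2007 Info: Start MID 42 ICID 3
Tue Jul 31 17:37:36 2007 Info: MID 42 ICID 3 From: <other@example.org>
Tue Jul 31 17:37:36 2007 Info: MID 42 Subject 'lunch menu'
Tue Jul 31 17:37:36 2007 Info: ICID 3 close
Tue Jul 31 17:37:37 2007 Info: MID 4 antivirus negative
Tue Jul 31 17:37:37 2007 Info: Delivery start DCID 0 MID 4 to RID [0]
Tue Jul 31 17:37:37 2007 Info: Message done DCID 0 MID 4 to RID [0]
Tue Jul 31 17:37:37 2007 Info: Message finished MID 4 done
""".splitlines()

# Where each searchable field appears in a log line: group 1 = MID, group 2 = value.
FIELD_PATTERNS = {
    "from": re.compile(r"\bMID (\d+) ICID \d+ From: <(.*)>"),
    "to": re.compile(r"\bMID (\d+) ICID \d+ RID \d+ To: <(.*)>"),
    "subject": re.compile(r"\bMID (\d+) Subject '(.*)'"),
}


def find_mids(lines, field, pattern):
    """Return the sorted MIDs whose from/to/subject value matches the regex."""
    wanted = re.compile(pattern)
    mids = set()
    for line in lines:
        m = FIELD_PATTERNS[field].search(line)
        if m and wanted.search(m.group(2)):
            mids.add(int(m.group(1)))
    return sorted(mids)


def trace(lines, mid):
    """Return every line for one MID, including its connection (ICID) lines."""
    # \b keeps "MID 4" from also matching "MID 42".
    mid_re = re.compile(r"\bMID %d\b" % mid)
    start_re = re.compile(r"\bStart MID %d ICID (\d+)\b" % mid)
    # A message is tied to its inbound connection by the "Start MID n ICID m" line.
    icids = {m.group(1) for m in map(start_re.search, lines) if m}
    icid_res = [re.compile(r"\bICID %s\b" % icid) for icid in icids]
    return [line for line in lines
            if mid_re.search(line) or any(r.search(line) for r in icid_res)]


def summarize(lines, mid):
    """Condense a trace: line count, delivery connections used, completion."""
    events = trace(lines, mid)
    dcids = {int(d) for line in events for d in re.findall(r"\bDCID (\d+)\b", line)}
    done = re.compile(r"Message finished MID %d done" % mid)
    return {"lines": len(events), "dcids": sorted(dcids),
            "finished": any(done.search(line) for line in events)}


def count_matches(lines, pattern):
    """Same result as: grep -c <regular expression> <log name>."""
    rx = re.compile(pattern)
    return sum(1 for line in lines if rx.search(line))


if __name__ == "__main__":
    for mid in find_mids(SAMPLE_LOG, "subject", "confidential"):
        print("\n".join(trace(SAMPLE_LOG, mid)))
        print(summarize(SAMPLE_LOG, mid))
    print(count_matches(SAMPLE_LOG, r"Subject"))
```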


Enhanced: Bounce Delivery Status Notification

By default, messages generated by the system use the Delivery Status Notification (DSN) format for both hard and soft bounces. In previous releases, if the message size was greater than 10k, the delivery status notification included the message headers only. Now, you can configure the size of the message to include in the DSN via the CLI bounceconfig command. This parameter is only configurable in the default bounceconfig profile, and applies to all bounce profiles once it is configured. To configure this value, enter the message size (in bytes) to include in the bounced notification message. If the message exceeds this size, the status notification includes the message headers only. [Defect ID: 399]

Enhanced: Logging

In previous releases, status information was written to the mail log every minute. Now, the status_log entries are only recorded to the status_logs. [Defect ID: 33107]

Modified: LDAP Server Connections

In previous releases, if you configured an LDAP Server profile for load balancing, and you configured a maximum number of simultaneous connections for all hosts, the number of connections you configured was load-balanced over all your LDAP servers. For example, if you configured the maximum number of simultaneous connections as 10, AsyncOS would distribute 10 connections over your LDAP servers. Now, the maximum number of simultaneous connections represents the number of simultaneous connections to a single server. So, if you configure the maximum number of simultaneous connections as 10, AsyncOS creates 10 connections to each LDAP server.

Modified: SCP Port Configuration

In previous releases, the SCP port number for SCP log push was not configurable. Now, you can configure the SCP port. [Defect ID: 32419]

Modified: Brazilian Daylight Savings Time Settings

In 2007, Brazil Daylight Savings Time will start on Oct 14th and end on Feb 17th 2008. AsyncOS has been updated to use these settings. [Defect ID: 37176]


FIXED ISSUES

The following issues have been fixed in the AsyncOS for Email Security Appliances 5.5 release.

Fixed Reporting Issues

Fixed: Errors When Running Long Report Queries

Fixed an issue in which errors occurred when running long reports. Delayed logouts that occur during report processing now behave the same as other places in the GUI. “Info: Session lookup error due to delayed logout action” and the non-existent session is redirected to the login page. [Defect ID: 33199]

Fixed: IronPort Email Security Monitor Underreports Connection Rejections

Fixed an issue in which the IronPort Email Security Monitor underreported connection rejections when multiple connection rejects occurred within a single minute for a single IP. [Defect ID: 32182]

Fixed: Anti-Virus Messages Not Included in Dropped Message Count

Fixed an issue in which the IronPort Email Security Monitor did not count messages dropped by anti-virus engines in the “dropped message” totals. This issue has been resolved. [Defect ID: 31989]

Fixed: Reports Output in PDF Format Generate an Application Error

When generating PDF output for a report, an application error occurred if special characters were included in the text. This issue has been addressed. [Defect ID: 31025]

Fixed: C300D/350D Appliance Displays Virus Outbreak Filters Report

In a previous release, C300D/350D appliances erroneously displayed a Virus Outbreak Filters report. The IronPort Appliance generated an application error if you attempted to open the report. [Defect ID: 29609]

Fixed: Virus Outbreak Reports

In a previous release, when you sorted the results of a Virus Outbreak report, the report sorted by string rather than by number, so the sort order appeared erroneous. For example, the report sorted as 100, 1000, 200 instead of 100, 200, 1000. [Defect ID: 29452]

Fixed: Generating Reports Using “Generate Now”

Fixed an issue in which if you selected “Generate Now” and the custom date range, the available data field only showed the available data from the login host. [Defect ID: 29329]

Fixed: Scheduled Report Messages

In a previous release, when the IronPort appliance generated scheduled reports, the report descriptions in the message did not contain detailed information about the reports. Because the messages contained minimal text, they were sometimes interpreted by scanning engines as spam. This issue has been resolved. [Defect ID: 29164]


Fixed: Queue Space Utilization Underreported

In a previous release, the IronPort appliance underreported the space utilized from Monitor > System Status > Gauges. If the message queues filled completely, an application error was generated because the IronPort appliance used the queue space gauge to determine when to start resource conservation. This issue has been resolved. [Defect ID: 28211]

Fixed: Scheduled Reports and System Time Changes

In a previous release, scheduled reports were not generated when the clock was moved forward in observation of daylight savings changes, and were generated twice when the clock went back to standard time if the report was scheduled to run during the hour that was skipped or added. This issue has been resolved. [Defect ID: 27757]

Fixed: Email Security Monitor Reporting and Outbound Mail

Fixed an issue in which Email Security Monitor did not record outbound threat messages separately. Spam-positive outbound mail was counted as clean, but virus-positive mail was not. [Defect ID: 27447]

Fixed Alert Issues

Fixed: Frequent SSL Alerts

Fixed an issue in which frequent SSL alerts were sent due to a problem handling an sslip.Error. AsyncOS sent errors similar to the following:

An application fault occurred: ('coroutine/coro_ssl.py _non_blocking_retry|98',
'sslip.Error', "(336151576, 'error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca')", '[imh/smtp_server.py main|561] [imh/smtp_server.py cmd_starttls|865]
[coroutine/coro_ssl.py ssl_accept|143] [coroutine/coro_ssl.py _non_blocking_retry|98]')
MID: 0

[Defect ID: 33779]

Fixed: M-Series System Alerts Not Routed as Expected

Fixed an issue in which system alert messages were not routed via the IP addresses entered. Instead, the alerts followed DNS or smtproutes. [Defect ID: 32574]

Fixed: Erroneous Alerts Sent When Reporting Disabled

Fixed an issue in which the AsyncOS appliance sent out the following erroneous alert when reporting was disabled and users attempted to view report pages:

Mon Nov 20 13:29:51 2006 Warning: Report Query Failed query_id: mga_overview_outgoing_message_delivery
data_source: SimpleTotalRDS
error: <type 'classobj'> ('command_manager/command_client.py call|242','exceptions.TypeError', 'unsubscriptable object', '[database/ReportCatalog.py
run_report_queries|224] [reportdatasource/CounterReportDataSource.py query|113][reportdatasource/CounterReportDataSource.py _run_api_query|188] [query/client.py time_merge_query|356] [query/client.py _call|212] [command_manager/command_client.py call|242]')

[Defect ID: 29605]

Fixed: Alerts and SMTP Routes

In a previous release, alerts sent from the appliance to addresses specified in the System Administration -> Alert page (or the alertconfig command) used an A-record lookup to route the alert instead of following SMTP routes. By contrast, SMTP routing performed an MX lookup on the SMTP target, and then performed an A-record lookup on the host. This issue has been resolved. [Defect IDs: 29132, 7969]

Fixed LDAP Issues

Fixed: Duplicate LDAP Query String

In a previous release, if the same query string was used in different LDAP queries (for example, you used a (mail={a}) query for acceptance and routing), the queries returned incorrect results due to caching. This issue has been addressed. [Defect ID: 37249]

Fixed: Attribute with Duplicate Values Unsupported

In a previous release, if your LDAP database contained an attribute with duplicate values and these values had a prefix such as SMTP and SIP, AsyncOS failed to add them to the IronPort Spam Quarantine safelist/blocklist. This issue has been resolved. [Defect ID: 37076]

Fixed: Invalid Recipients in LDAP Query Results in Erroneous 501 Error Code

In a previous release, invalid recipients in an LDAP query resulted in an erroneous 501 SMTP error (indicating syntax issues). This error code has been replaced with a 550 SMTP error for better accuracy. [Defect ID: 32969]

Fixed: LDAP Sievechar does not Handle empty User Gracefully

Fixed an issue in which the LDAP sievechar caused the LDAP query to fail with a syntax error. [Defect ID: 32409]

Fixed: LDAP Accept Erroneously Displayed in Trace

Fixed an issue in which the trace command erroneously showed an LDAP accept query running on a relayed connection. [Defect ID: 31287]

Fixed: LDAP Connections Fail After Changing LDAP Settings

Fixed an issue in which, after changing LDAP settings, LDAP connections failed because the IronPort appliance retained some LDAP connections that used expired connection information. [Defect ID: 29935]


Fixed: Listeners Configured for Conversational LDAP Acceptance

In a previous release, a public listener configured for LDAP Accept dropped non-spam messages released from the IronPort Spam Quarantine. The LDAP acceptance query failed and the message was dropped. This issue has been resolved. [Defect ID: 29294]

Fixed: Policy Entries Not Matched When LDAP Routing Configured

Fixed an issue in which policy entries were not matched when LDAP routing was configured using mailRoutingAddress and mailhost in the LDAP query. [Defect ID: 12847]

Fixed: LDAP Group Query Failures

Fixed an issue in which an LDAP Group query failure was treated as a negative response. If an LDAP group query encountered a problem getting a response from the LDAP server, after a short delay it gave up and assumed the query response would have been negative. This means that a filter action could have been performed (or not performed) in error if the LDAP server experienced a delay in responding to a query. [Defect ID: 4343]

Fixed IronPort Spam Quarantine Issues

Fixed: IronPort Spam Quarantine GUI Shuts Down Unexpectedly When Using LDAP Authentication

In a previous release, the GUI for the IronPort Spam Quarantine sometimes shut down unexpectedly and returned an EOFError when the quarantine was configured for LDAP authentication. This issue has been addressed. [Defect ID: 37046]

Fixed: IronPort Spam Quarantine May Display Unreadable Characters

When the IronPort Spam Quarantine displays a message, it converts the message body to Unicode. If errors occurred when converting the message body to Unicode, sometimes characters were rendered unreadable. This issue has been addressed. [Defect ID: 35757, 36909]

Fixed: Emails Over 500k Become Unreadable When Released from Spam Quarantine

Fixed an issue in which, when a message in the IronPort Spam Quarantine is over 500k, the top portion of the email was deleted, which removed formatting and headers. This caused the message to be unreadable after it is released from the quarantine. [Defect ID: 32991]

Fixed: Application Fault Occurs When Viewing Poorly Formatted HTML Messages

Fixed an issue in which, when attempting to open an email from the IronPort Spam Quarantine, application errors occurred when viewing HTML messages that were poorly formatted. [Defect ID: 32497]

Fixed: SGML Parse Error Application Error in the IronPort Spam Quarantine GUI

Fixed an issue in which SGML parse application errors occurred in the IronPort Spam Quarantine GUI. [Defect ID: 32277]


Fixed: Application Fault Occurs When Viewing Emails With High Bit Characters in Attachment Filenames

Fixed an issue in which, when attempting to open an email with high bit characters in the attachment filename from the IronPort Spam Quarantine, the appliance displayed an application fault instead of the message body. [Defect ID: 32201]

Fixed: Message Body Display for Multi-part MIME Messages

In a previous release, when you opened a multi-part MIME message from the IronPort Spam quarantine, the message text may not always have displayed. [Defect ID: 31693]

Fixed: URL encoding for (+) Character Breaks URL Link in the IronPort Spam Quarantine Notification

Fixed an issue in which email addresses using the (+) character caused the URL link in the IronPort Spam Quarantine heading to break. [Defect ID: 31305]

Fixed: IronPort Spam Quarantine Notifications Rendered Poorly in Outlook 2007

Fixed an issue in which IronPort Spam Quarantine notifications were rendered poorly in Outlook 2007. [Defect ID: 30638]

Fixed Width Table in the IronPort Spam Quarantine

The IronPort Spam Quarantine table was in a fixed-width format instead of being relative to the size of the browser window. When reducing the browser to a width smaller than the table, the table did not resize and line wrapping did not occur. [Defect ID: 30580]

Fixed: Text Attachments in the IronPort Spam Quarantine

In a previous release, if the message had an HTML main body and a text attachment, the text attachment was displayed as the main body in the IronPort Spam Quarantine. This issue has been resolved. [Defect ID: 29484]

Fixed: Message Display in IronPort Spam Quarantine

Fixed an issue with the message display in the IronPort Spam Quarantine. Plain text messages were not permitted to wrap in the table cell designated for the message. The message and headers were displayed in a font and size that were difficult to read. [Defect ID: 28713]

Fixed Message and Content Filter Issues

Fixed: Stellent Scanning Engine Does Not Scan Corrupted PDF Files

In a previous release, the Stellent scanning engine did not support scanning corrupted PDF files. Now, the Stellent scanning engine can scan certain types of corrupted PDF files. [Defect ID: 35513]

Fixed: Filters Incorrectly Identify Microsoft Project File Type

Fixed an issue in which filters configured to identify Microsoft Project Files (mpp files) were unable to identify the Microsoft Project file type. This issue has been addressed. [Defect ID: 33451]

Fixed: Message and Content Filters Not Working Under Trace

Fixed an issue in which message and content filters that test header values did not always work correctly under trace. [Defect ID: 32972]

Fixed: Invalid Content Filters are Impossible to Detect

Fixed an issue in which content filters were not validated. [Defect ID: 32552]

Fixed: Word Boundaries in Content Dictionaries

Fixed an issue in which using the “Whole Word” (word boundary) setting in content dictionaries did not work as expected when dictionary entries started or ended with a non-word character. This issue has been addressed. [Defect ID: 32414]

Fixed: attachment-filetype == "mov" does not Detect All Formats of QuickTime File

Fixed an issue in which the attachment-filetype did not detect all formats of QuickTime files. [Defect ID: 32394]

Fixed: Notify Filter Action Generates UnicodeEncodeError and "Invalid Filter" Warning

Fixed an issue in which the notify filter action generated UnicodeEncodeError and invalid filter warnings. [Defect ID: 31400]

Fixed: Application Error Occurs While Specifying Incorrect Value for Remote IP Rule

Fixed an issue in which the IronPort appliance returned an application fault when specifying an incorrect value for the Remote-IP rule in a content filter. [Defect ID: 30972]

Fixed: Filetype Media Fails to Match on mp3 with Type MPEG ADTS, layer III

Fixed an issue in which mp3 with type MPEG ADTS, layer III was not detected by content scanning. A new mp3 attachment file type was added to conditions in content filters. [Defect ID: 29801]

Fixed: Content Filter Conditions for Envelope Sender and Envelope Recipient Require All Test Conditions

Fixed an issue in which the following conditions were missing for Envelope Sender and Envelope Recipients:

• Contains

• Does not contain

• Equals

• Does not equal

• Begins with

• Does not begin with

• Ends with

• Does not end with

• Matches term in dictionary

[Defect ID: 23737]

Fixed: Circle '1' Character Not Matched by Content Dictionary or Filters

Fixed an issue in which the circle '1' character was not matched by content dictionary or filters. [Defect ID: 12986]

Fixed: Inability to Reorder Content Filter Rules in GUI

Fixed an issue in which it was not possible to reorder content filter conditions in the GUI. [Defect ID: 8644]

Fixed Clustered Environment Issues

Fixed: Clustered Appliances Running AsyncOS 5.0 or Higher Lock Up

On clustered appliances running AsyncOS version 5.0 or higher, the appliance sometimes locked up. This occurred because the network stack got stuck waiting on a gateway route lock for which the gateway route was gone. This issue has been addressed. [Defect ID: 36666]

Fixed: Application Errors Occur When Configuring Reporting in a Cluster

When configuring reporting settings for a clustered environment, the IronPort Appliance sometimes generated an application error. Using the reportingconfig command to modify the counters level may also have caused an application error. To configure reporting settings, it may have been necessary to specify in reportingconfig to use the machine setting for all machines. [Defect IDs: 32242, 32264]

Fixed: “Last” CLI Command Fails in Cluster Mode

Fixed an issue in which the “last” command failed in cluster mode. [Defect ID: 4301]

Fixed Configuration File Issues

Fixed: Loadconfig Returns Error if SNMPconfig System Contact String Contains Angle Brackets

When running the SNMPconfig CLI command, entering angle brackets in the “System Contact string” setting causes the loadconfig command to fail. For example, the loadconfig CLI command will fail if you use the following syntax for the “System Contact string” setting:

John Smith, <[email protected]> 408-123-1234

Workaround: Remove the angle brackets from the entry.

Note — In addition, '&' is not allowed in the “System Contact string” setting.

[Defect ID: 33833]

Fixed: Loadconfig Fails When Destination Configuration Entry Starts with . (dot)

Fixed an error in which the loadconfig command failed when a destination configuration entry started with a . (dot). [Defect ID: 33002]

Fixed: Content Filter Containing a Notify Action Becomes Invalid After Loading Configuration File

Fixed an issue in which, when you loaded a configuration file containing a content filter with a notify action that does not use a notification template, the content filter (using the notify action) became invalid. [Defect ID: 32549]

Fixed: Loadconfig Fails When IronPort Anti-Spam is Enabled

Fixed an issue in which, if you enabled IronPort Anti-Spam and ran the loadconfig command from the CLI, the IronPort appliance returned the following error:

Parse Error on element "case_region" line number 748 column 20: That value is not valid. Parsing failed. Aborting. <case_region></case_region>

[Defect ID: 32426]

Fixed: Unable to Load Configuration File After Adding Reporting Configuration

Fixed an issue in which the IronPort AsyncOS appliance displayed the following error after attempting to load a configuration file with reporting settings saved to it:

Configuration File was not loaded. Parse Error on element "periodic_report_rows" line number 1375 column 33: The value must be an integer.

[Defect ID: 32235]

Fixed: BCC Content Filters Do Not Accept Action Variables for To: or From: Headers

Fixed an issue in which the bcc: content filters did not accept action variables for To: and From: headers. [Defect ID: 20908]

Fixed Domain Keys Signing Issues

Fixed: Processing DKIM-signed Messages Optimized

In a previous build, when DKIM signing was enabled, some emails were very expensive to evaluate. The process for DKIM signing has been optimized to address this issue. [Defect ID: 37107]

Fixed: Application Error Occurs When Evaluating Message Filters or Antispam Rules

In a previous build, when Domain Key signing was enabled, the AsyncOS operating system sometimes returned application errors when evaluating message filters or antispam rules. [Defect ID: 36809]

Fixed: Trace Command Not Working for Domainkey Signing

Fixed an issue in which the trace command sometimes did not correctly trace domainkey signing. [Defect ID: 33096]

Fixed Updater Issues

Fixed: Static Downloads Unavailable on M-Series

Fixed an issue in which, on the M-Series appliance, you could not reconfigure the device to use the static download service when checking for feature keys. [Defect ID: 31454]

Fixed: Updater Needs to Use HTTPS Proxy

Fixed an issue in which the updater used the http proxy instead of the https proxy. [Defect ID: 30928]

Fixed Upgrade Issues

Fixed: Traceback Error After Performing saveconfig or mailconfig After Upgrade

When you upgrade an IronPort appliance in which the log retrieval method is configured for SCP push, you may get a traceback error when performing saveconfig or mailconfig. This occurs because a port parameter is missing from the configuration file.

[Defect ID: 35043]

Fixed: Transient Network Errors During Upgrade May Result in Disconnection

When performing an upgrade, transient network errors may cause the IronPort Appliance to disconnect users from the CLI. If you are disconnected from the CLI during an upgrade, wait a short time, and attempt to run the upgrade again. [Defect ID: 32687]

Fixed: Antivirus Scanning Engines

Fixed: Sophos Header Files Need Updating

Fixed an issue in which a new error code in the Sophos engine was not recognized by AsyncOS, which caused an excessive number of alerts. Now, this error code does not generate alerts. [Defect ID: 36518]

Fixed: McAfee Antivirus Scanning Engine Hangs

Fixed an issue in which the McAfee antivirus scanning engine was hanging. This caused the workqueue to pause on antivirus scanning and back up. This issue is now resolved. [Defect ID: 31718]

Other Fixed Issues

Fixed: Incoming Relays Cause Incorrect IP and Host in the Received Header

In a previous release, with the incoming relay feature enabled, when AsyncOS received a connection, the first email on that connection had the correct received header added; however, the second and any additional emails on the same ICID logged the IP and hostname of the previously injected email. As a result, all email other than the first one received on a relay connection displayed random IPs and hostnames in the received header, instead of the correct IP and hostname. This issue has been addressed. [Defect ID: 35215]

Fixed: Messages Truncated in the Work Queue if Headers Exceed the Header Line Limit

If a message that is close to the header line limit (default is 1000) is accepted, filters applied to the message may add headers, causing the header line limit to be exceeded. This results in messages in the work queue that may be truncated in the middle of a header, such as the following:

Header-1: value1<CRLF>

Header-2: value2<CRLF>

Heade

This can result in problems when processing the mail with the truncated header. This issue has been addressed. [Defect ID: 37207]

Fixed: AsyncOS Stamps One Received Header Per Recipient

In a previous release, when AsyncOS was configured to stamp the hostname of the Virtual Gateway used for delivering the message on the email, that email got one received header stamped on it for every recipient with a different domain. The extra received headers sometimes resulted in emails being discarded. This issue has been addressed. [Defect ID: 37197]

Fixed: Mail Handling Process Stops with Malformed Message

IronPort has become aware of a malformed message that can stop the mail handling process on an Email Security Appliance when a BCC() action is configured in a message or content filter. [Defect ID: 36212]

Fixed: DSN Bounce Messages are not RFC Compliant

Fixed an issue in which the "Reporting-MTA" field was not in the "per-message-fields" as specified in RFC 1894. The DSN bounce message is now RFC compliant. [Defect ID: 36231]

Fixed: SGML Parse Error Application Error in the IronPort Spam Quarantine GUI

Fixed an issue in which SGML parse application errors occurred in the IronPort Spam Quarantine GUI. [Defect ID: 32277]

Fixed: TLS Certificate Verification Fails

Fixed an issue in which TLS certificate verification failed due to changes in the verification process. TLS certificate verification now checks the hostname of the receiving machine. [Defect ID: 36095]

Fixed: SNMP Hardware Monitoring Erroneously Displays CPU Temperature for C150 Appliances

In a previous release, the SNMP monitoring traps returned data for CPU temperature on C150 appliances although the C150 appliance did not provide temperature data. As a result, CPU temperature data for C150 appliances returned via the SNMP trap was inaccurate. This issue has been addressed. [Defect ID: 35398]

Fixed: New Zealand Daylight Savings Times Updated

The AsyncOS time zone data has been updated to address the newly implemented daylight savings time for New Zealand. New daylight saving will commence on Sunday 30 September 2007, and end on 6 April 2008. [Defect ID: 34977]

Fixed: Kernel Panic When Rebooting

On the 2950 platform, a kernel panic occurred sometimes after rebooting (or after rebooting on upgrades). This issue has been addressed. [Defect ID: 33165]

Fixed: IncomingRelay not Working for Messages Received on RELAY policy

Fixed an issue in which incoming relay only worked for incoming mail (mail not on a RELAY policy). [Defect ID: 32786]

Fixed: Changing SBRS Setting with listenerconfig CLI Command Not Displayed in GUI

Fixed an issue in which SBRS settings changed through the listenerconfig CLI command were not reflected in the GUI. [Defect ID: 32727]

Fixed: Partitions Filling Up

Fixed an issue in which the /var/log/godspeed partition was filling up when certain logs did not get deleted. These logs now get deleted on startup. [Defect ID: 32382]

Fixed: Administrator Access to tcpdump CLI Command

Fixed an issue in which the CLI tcpdump command was accessible to users other than Administrators. [Defect ID: 31703]

Fixed: Foreign Character Footer Stamping Causes Messages to Be Unreadable

Fixed an issue in which foreign characters caused footer stamping to render messages unreadable. This issue has been addressed. [Defect ID: 30822]

Fixed: Raid Events Not Detected or Reported Via SNMP on C30/60 Appliances

Fixed an issue in which hard disk failures and raid events were not detected or reported when attempting to query disk removal, disk rebuild, and rebuild complete via SNMP on the C30/C60 appliance. This issue has been addressed. [Defect ID: 30606]

Fixed: Serial Console Unresponsive on C350/650 and M350/650 Login Screen

Fixed an issue in which logging onto the serial console on the C350/650 and M350/650 IronPort appliances might not have displayed a login prompt and might not have accepted keystrokes. This issue has been addressed. [Defect ID: 30590]

Fixed: SNMP raidTable Not Found After Upgrading a C350/650 or M350/650 Appliance

After upgrading a C350/650 or M350/650 appliance to AsyncOS version 5.0 or later, attempting to query the SNMP attributes for raidTable sometimes returned the following error:

SNMPv2-SMI::enterprises.15497.1.1.1.18 = No Such Object available on this agent at this OID

[Defect ID: 30476]

Fixed: MTU Settings Not Configurable

Fixed an issue in which MTU settings were not configurable.

Now, you can configure MTU settings from the CLI command etherconfig -> MTU - View and configure MTU

[Defect ID: 28306]

Fixed: MIME Parsing Too Rigid

Fixed an issue in which strict MIME parsing resulted in excessive bounces. [Defect ID: 12989]

Fixed: AsyncOS Locks Up When 3GB of Memory Allocated

Fixed an issue in which the AsyncOS appliance locked up when 3GB of memory was allocated and resident. [Defect ID: 19593]

Fixed: Failed Attempts to Connect to Remote Destinations Not Logged

In a previous release, failure to connect when attempting delivery to a remote destination was not logged. This was caused by a firewall or other network change or failure. This issue has been resolved. [Defect ID: 12113]

Fixed: Findevent CLI Command Does Not Track Some Message Rewrites

Fixed an issue in which the findevent CLI command did not track a new message ID for a message that was rewritten (for example, when you use the drop-attachments-by-size message filter). This issue has been addressed. [Defect ID: 35977]

QUALIFIED UPGRADE PATHS

Version 5-5-1-008 is the AsyncOS for Email Security Appliances 5.5.1 release of the IronPort AsyncOS operating system.

The qualified upgrade paths to this release are:

From: Version 5-1-0-320 To: Version 5-5-1-008

From: Version 5-1-0-809 To: Version 5-5-1-008

From: Version 5-1-1-003 To: Version 5-5-1-008

From: Version 5-1-2-009 To: Version 5-5-1-008

From: Version 5-1-2-010 To: Version 5-5-1-008

From: Version 5-5-0-423 To: Version 5-5-1-008

From: Version 5-5-0-424 To: Version 5-5-1-008

From: Version 5-5-0-430 To: Version 5-5-1-008

From: Version 5-5-0-951 To: Version 5-5-1-008

From: Version 5-5-1-005 To: Version 5-5-1-008

From: Version 5-5-1-007 To: Version 5-5-1-008

UPGRADE INSTRUCTIONS

Pre-Upgrade Notes

Important Notes

As a best practice, IronPort recommends preparing for an upgrade by taking the following steps:

1. Save the XML configuration file off box.

2. If you are using the Safelist/Blocklist feature, export the list off box.

3. Suspend the listeners.

4. Drain the mail queue and the delivery queue.

Please be aware of the following upgrade impacts:

• Upgrading to AsyncOS 5.0 or later from a previous release will erase your existing Mail Flow Monitor data. For information about how you can export and save your data before you upgrade, see “Replacing Mail Flow Monitor in AsyncOS Version 5.0 or Later” on page 37.

• Upgrading to AsyncOS 5.0 or later from a previous release will erase all scheduled and archived reports from your system.

Upgrading and the Mail Flow Central Product

1. AsyncOS 4.5.0 and later mail logs are not compatible with Mail Flow Central version 1.2. If you are interested in upgrading but use Mail Flow Central version 1.2, please contact Customer Support. You will need to upgrade your Mail Flow Central 1.2 installation prior to upgrading your IronPort appliance.

2. Mail Flow Central 1.3 does not currently support the new features available in the 4.6.0 release. Users who upgrade to AsyncOS 4.6 or newer may see the following:

• Messages sent to a quarantine may appear to be pending messages. [Defect ID: 21866]

• Messages released from IronPort Spam Quarantines are counted as outbound messages. In domain reports, the message appears as outbound in the total email volume section and in the outbound email by sending host section. [Defect ID: 21887]

3. When pre-4.6.0 data is included in a time range, an approximate value is calculated and displayed in the Attempted Messages column. This value is calculated based on pre-upgrade data. However, when the column is sorted, the sort order favors senders observed after the upgrade to 4.6. This issue does not appear when all data in the selected time range is collected after the upgrade to 4.6.

Configuration Files

IronPort does not generally support the backward compatibility of configuration files with previous major releases. Minor release support is provided. Configuration files from previous versions may work with later releases; however, they may require modification to load. Check with IronPort Customer Support if you have any questions about configuration file support.

Custom Notification Templates

If you previously used a custom notification template, headers were included by default. When you upgrade to AsyncOS version 5.0 or later, notification templates do not include headers by default. To include headers, you can add the $allheaders message filter action variable. [Defect ID: 27710]

Message Filter Syntax

In a previous release, you may have used a message filter similar to the following to search for empty or non-existent subject headers:

blankSpam:
if ((subject == "^$") AND (header("To") == "^$")) AND (body-size < 3072)
{
  insert-header("X-Spam", "$FilterName");
  quarantine("Policy");
}

In a previous release, this filter treated a non-existent header as if it was an empty header. In version 5.0 and later, the condition (header("To") == "^$") only returns true if the header exists and is empty.

For more information, see the IronPort AsyncOS Advanced User Guide.

[Defect ID: 29225]
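The behaviour change described above, modelled in Python as an added example (this is not IronPort code). The function names and sample messages are constructed for illustration, body-size is approximated by the payload length, and the same missing-header rule is assumed for the subject test, which the release notes do not state.

```python
import re
from email import message_from_string

EMPTY = re.compile(r"^$")  # the "^$" pattern used in the blankSpam filter


def header_is_empty(msg, name, missing_counts_as_empty):
    """Model of the test header(name) == "^$" under either behaviour.

    missing_counts_as_empty=True  -> earlier releases (absent header treated as empty)
    missing_counts_as_empty=False -> 5.0 and later (header must exist and be empty)
    """
    values = msg.get_all(name)
    if values is None:  # header is not present at all
        return missing_counts_as_empty
    return any(EMPTY.match(v.strip()) for v in values)


def blank_spam_matches(msg, missing_counts_as_empty):
    """Model of the blankSpam condition: empty Subject AND empty To AND small body."""
    body = msg.get_payload()  # assumption: single-part message, payload is a str
    return (
        header_is_empty(msg, "Subject", missing_counts_as_empty)
        and header_is_empty(msg, "To", missing_counts_as_empty)
        and len(body.encode("utf-8")) < 3072
    )


def compare(raw):
    """Evaluate one raw message under both behaviours."""
    msg = message_from_string(raw)
    return {
        "pre_5_0": blank_spam_matches(msg, True),
        "v5_0_and_later": blank_spam_matches(msg, False),
    }


# Constructed sample messages (not taken from the release notes).
SAMPLES = {
    "empty_to": "From: sender@example.com\nTo:\nSubject:\n\nbuy now\n",
    "missing_to": "From: sender@example.com\nSubject:\n\nbuy now\n",
    "normal": "From: sender@example.com\nTo: user@example.net\nSubject: hello\n\nhi\n",
    "empty_but_large": "From: sender@example.com\nTo:\nSubject:\n\n" + "x" * 4000,
}


def no_longer_caught(samples):
    """Names of messages the filter matched before 5.0 but not afterwards."""
    missed = []
    for name, raw in samples.items():
        result = compare(raw)
        if result["pre_5_0"] and not result["v5_0_and_later"]:
            missed.append(name)
    return missed


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, compare(raw))
    print("review after upgrade:", no_longer_caught(SAMPLES))
```

Messages that omit the To header entirely are the ones to re-test after upgrading, since a filter written against the old behaviour stops quarantining them.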

Received Headers

When you configure the IronPort appliance to use received headers, you can specify that the header reflects one of the following hostnames:

• The hostname of the Virtual Gateway used for delivering the message

• The hostname of the interface the message is received on

You specify the hostname from the CLI command listenerconfig-> setup. You cannot configure the hostname from the GUI.

In AsyncOS version 5.0 and later, if you configure the received header to display the hostname of the interface the message is received on, a strip-header filter action configured to strip received headers will strip the received header inserted by the IronPort appliance. [Defect IDs: 16254, 25816]

Feature Keys

In AsyncOS version 5.0 and later, the AsyncOS appliance checks for and applies feature keys at one minute intervals. Therefore, when you add a feature key, it may take up to a minute to view the changes. [Defect ID: 29160]

Virus Logs

In previous releases, virus-positive messages were logged as information:

Mon Jul 31 17:53:29 2006 Info: sophos antivirus - MID 10143657 - Result 'VIRAL'('ENCRYPTED',)

In AsyncOS version 5.0 and later, virus logs are logged as warnings:

Thu Sep 28 16:32:46 2006 Warning: sophos antivirus - MID 3 - Result 'VIRAL'('UNSCANNABLE',)

[Defect ID: 26317]
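Log monitoring that keys on the severity word stops seeing virus-positive entries after this change. The following added example (not IronPort code) parses the two entries quoted above and detects on the verdict instead of the severity. The regular expression is derived only from those two lines, the function names are hypothetical, and the third sample line is constructed.

```python
import re
from datetime import datetime

# Pattern derived from the two anti-virus entries quoted in the release notes.
AV_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>\w+): (?P<engine>\w+) antivirus - MID (?P<mid>\d+) - "
    r"Result '(?P<verdict>[^']+)'\((?P<detail>[^)]*)\)\s*$"
)


def parse_av_line(line):
    """Return a dict for an anti-virus verdict entry, or None for any other line."""
    m = AV_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "level": m["level"],
        "engine": m["engine"],
        "mid": int(m["mid"]),
        "verdict": m["verdict"],
        # The detail is printed as a tuple, e.g. ('ENCRYPTED',)
        "detail": re.findall(r"'([^']*)'", m["detail"]),
    }


def viral_events(lines):
    """Severity-independent detection: key on the verdict, not on Info/Warning."""
    parsed = (parse_av_line(line) for line in lines)
    return [event for event in parsed if event and event["verdict"] == "VIRAL"]


def naive_info_rule(lines):
    """A rule written against the old format, requiring the 'Info:' severity."""
    return [line for line in lines if "Info: " in line and "Result 'VIRAL'" in line]


def missed_by_info_rule(lines):
    """MIDs of virus-positive messages that the severity-keyed rule no longer sees."""
    seen = {parse_av_line(line)["mid"] for line in naive_info_rule(lines)}
    return [event["mid"] for event in viral_events(lines) if event["mid"] not in seen]


SAMPLE_LOG = [
    # Quoted in the release notes (earlier releases, logged as Info).
    "Mon Jul 31 17:53:29 2006 Info: sophos antivirus - MID 10143657 - "
    "Result 'VIRAL'('ENCRYPTED',)",
    # Quoted in the release notes (5.0 and later, logged as Warning).
    "Thu Sep 28 16:32:46 2006 Warning: sophos antivirus - MID 3 - "
    "Result 'VIRAL'('UNSCANNABLE',)",
    # Constructed line standing in for unrelated log traffic.
    "Thu Sep 28 16:32:47 2006 Info: constructed unrelated entry",
]

if __name__ == "__main__":
    for event in viral_events(SAMPLE_LOG):
        print(event["time"], event["level"], event["mid"], event["detail"])
    print("missed by Info-only rule:", missed_by_info_rule(SAMPLE_LOG))
```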

Encryption

Please note that AsyncOS version 5.5.1 is compatible with version 6.2.7.4 of the IronPort Encryption appliance.

Configuring the Update Server on Version 5.1 or Later

In AsyncOS version 5.1 or later, you can use McAfee anti-virus scanning as well as Sophos anti-virus scanning.

The McAfee engine retrieves update information from a different server than the other scanning blades. You may need to create firewall rules to allow update traffic for this service. To configure the firewall, allow updates from update-manifests.ironport.com on port 443.

Replacing Mail Flow Monitor in AsyncOS Version 5.0 or Later

When upgrading to AsyncOS version 5.0 or later, IronPort Mail Flow Monitor is replaced with IronPort Email Security Monitor. As a result, existing Mail Flow Monitor data is erased and the incoming and outgoing mail data is reset from the time the upgrade completes.

To save existing data, you can use the CLI exportmailflow command to export the data to a CSV file.

Note — You can save and archive the exported data, but you cannot reimport it into the Email Security Monitor.

The following example shows the exportmailflow command:

Welcome to the IronPort C60 Messaging Gateway(tm) Appliance
example.com> exportmailflow

Please enter report type (minute, hour, day).
[hour]> minute

Please enter start time ([mm/dd[/yyyy]] HH:MM):
[15:00]> 01/01/1950 12:00

Please enter end time ([mm/dd[/yyyy]] HH:MM):
[17:00]> 01/01/2007 12:00

Do you want to specify an IP address range? [N]> n

Please enter output file name.
[mailflow.csv]> mailflow.csv

If you specify an IP address range, AsyncOS can retrieve the specific IP address range of the remote machine you want to save data from. This allows you to skip downloading the entire mailflow database.

When you run the CLI command, AsyncOS saves the CSV file to the root directory under the default name mailflow.csv.

To access this directory, FTP to the AsyncOS appliance and use the FTP get command to transfer the CSV files from the remote machine to your local machine.

Upgrading to the AsyncOS 5.5.1 Release

Use the following instructions to upgrade your AsyncOS appliance.

1. Save the XML configuration file on another machine.

2. If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database to another machine.

3. Suspend all listeners.

4. Drain the mail queue and the delivery queue.

5. Initiate the upgrade.

6. Reboot.

7. Resume all listeners.

8. From the System Administration tab, select the System Upgrade page.

9. Click the Available Upgrades... button. The page refreshes with a list of available AsyncOS upgrade versions.

10. Click the Begin Upgrade... button and your upgrade will begin. Answer the questions as they appear.

11. When the upgrade is complete, click the Reboot Now button to reboot your IronPort appliance.

Performance Advisory

DomainKeys and DKIM Signing - DomainKeys and DKIM signing of outgoing email can cause a decrease in the message throughput capacity. Using smaller signing keys (512 byte or 768 byte) can mitigate this.

SBNP - SenderBase Network Participation now uses the Context Adaptive Scanning Engine (CASE) to collect data to power IronPort Information Services. In some configurations customers may experience a moderate performance decline.

Virus Outbreak Filters - Virus Outbreak Filters now uses the Context Adaptive Scanning Engine to determine the threat level of a message and scores messages based on a combination of Adaptive Rules and Outbreak Rules. In some configurations, you may experience a moderate performance decline.

IronPort Spam Quarantine - Enabling the IronPort Spam Quarantine on-box for a C-Series or X-Series appliance causes a minimal reduction in system throughput for nominally loaded appliances. For appliances that are running near or at peak throughput, the additional load from an active quarantine may cause a throughput reduction of 10-20%. If your system is at or near capacity, and you desire to use the IronPort Spam Quarantine, consider migrating to a larger C-Series appliance or an M-Series appliance.

If you change your anti-spam policy from dropping spam to quarantining it (either on-box or off-box), then your system load will increase due to the need to scan additional spam messages for virus and content security. For assistance in properly sizing your installation please contact your authorized IronPort support provider.

Upgrading and the AsyncOS Reporting Feature

On AsyncOS version 5.0.0-241, IronPort disabled the following counters associated with a performance impact on the C10/100/30/300 appliances:

• On the Domain Details page > IP Addresses Table > “Stopped by Reputation Filtering” column.

• On the Network Owner Details page > Domains table > "Rejected Connections," “Stopped by Reputation Filtering,” and “Stopped by Recipient Throttling Connections Rejected” columns.

If you upgrade from version 5.0.0-241, these counters are no longer disabled. Now, when the appliance is under heavy load, an exact count of rejected connections is not maintained on a per-sender basis. Instead, rejected connection counts are maintained only for the most significant senders in each time interval. For more information, see “Using the Email Security Monitor” in the IronPort AsyncOS User Guide.

In addition, the following granularity has been removed from reporting:

• “Custom number of months” from Scheduled Reports > Add/Edit.

• “Custom time range (months)” from Archived Reports > Generate Report Now.

These metrics were added in the AsyncOS 5.0 release, so you do not lose any functionality if you are upgrading from AsyncOS 4.7.x or earlier. If you used these reporting metrics in the AsyncOS 5.0 release, you will need to modify your reports.

If you upgrade from AsyncOS 4.7.x or earlier, and you configured a log called “reporting,” this conflicts with the default “reporting” log created by the 5.x AsyncOS appliance. This conflict generates an application error similar to the following:

Thu Apr 19 17:24:21 2007 ('godlib/dict_utils.py handle_duplicate|35',
'exceptions.ValueError', "Key 'reporting' is already registered.", '[hermes/hermes.py
run|110] [hermes/hermes.py _run1|350] [client/config.py init|105] [client/config.py
enable|123] [qlog/config_glue.py add_internal_subscription|324] [qlog/register.py
add_subscription|537] [godlib/dict_utils.py handle_duplicate|35]

To avoid this application error use the Log Subscriptions page on the System Administration tab (or the logconfig command in the CLI) to remove or rename the “reporting” log file. [Defect ID: 32958]

KNOWN ISSUES

The following list describes known issues in this release of AsyncOS:

Email Security Monitor and Reporting Issues

Report Titles Display Incorrectly When Using Multibyte Characters

Entering multibyte characters in a report title results in unreadable characters. Report titles are converted to character entity references. [Defect ID: 33729]

Reports Exported in CSV Format Display Entries for Metrics with No Data

When you export a report in CSV format, it displays an entry with a value of 0 for metrics with no data, instead of skipping the metric in the report. This line can be ignored. [Defect ID: 33223]

Reporting Graphs and PDFs Do Not Support Double Byte Characters

When you generate reports or PDFs of reports using double byte characters, the characters do not display properly. This issue manifests itself only in cases where you create a system resource and name it with double-byte characters. For example, if you have a content filter named "déjà-vu" and it was one of the top 10 content filters referenced in the report, the PDF version would have the "é" and the "à" characters rendered incorrectly. [Defect ID: 27275]

Localization for PDF Reports

When you generate a PDF report from an AsyncOS appliance configured for localization, the PDF report does not display localized text. Localized text will be available for report PDFs in a later release. [Defect IDs: 27275, 31830, 31787]

Virus Outbreak Reports

Adaptive rules do not count towards protection time, and the protection time number does not increment. [Defect ID: 29451]

Global Outbreak Reporting Counter Errors

When virus outbreaks occur outside of the specified time range, the Global Outbreak Filters report may include global outbreak statistics for outbreaks that do not occur within the specified time range. This occurs because the report does not account for its offset from GMT, which is the timezone used for global data. [Defect IDs: 29608, 29612]

Application Errors

When you generate a report, you may sometimes get blank pages or application faults. This is due to an internal error. [Defect ID: 33489]

Tables on the Monitors Tab Truncate Rows with Zero Values

When you sort values in tables on the Monitor tab, only rows with values greater than zero for the sorted column are displayed. Although accurate, when there are only a few rows with values greater than zero, the table may appear truncated. [Defect ID: 28900]

Outbreak Viruses Not Counted in Email Security Monitor Overview

From the Monitor > Overview page, viruses found after a message is released from the Virus Outbreak Filters quarantine are not counted towards the number of viruses detected. [Defect ID: 29449]

Active Recipient Virtual Gateway Counter Incorrect

When you run the hoststatus command, the active recipient virtual gateway counters may be incorrect if you deliver emails that are queued up in the retry queue with a delivernow command, change the smtproute, or perform deleterecipients. These issues only occur when you use virtual gateways. [Defect IDs: 32417, 32141]

Global Unsubscribed Recipients and Message Counting

Global unsubscribed recipients are handled as clean recipients in reports. [Defect ID: 27047]

Email Security Monitor Report for 300D/350D Appliance Displays Extraneous Counters

The totals shown in the Email Security Monitor Overview report for C300D/350D appliances erroneously include spam and suspect spam counts. [Defect ID: 34562]

Alert Issues

Power Supply Failure and Alerting

Currently, an alert is not sent if a power supply fails in an IronPort appliance. You can, however, monitor power supply status via SNMP (see the IronPort AsyncOS Advanced User Guide for more information). [Defect ID: 25901]

No Alerts Sent for CMOS Battery Failure

If the CMOS battery fails, the IronPort appliance does not send an alert. Instead, the system front panel LCD may display an error condition. [Defect ID: 29262]

LDAP Issues

LDAP Group Query Field Truncates Group Query

When you create a new LDAP profile that includes a long group query, the query string is truncated when you add the LDAP group query to an incoming mail policy. You can work around this by saving the mail policy and returning to the policy to edit it. When you return to the policy, the field expands to display the full query text. [Defect ID: 27607]

LDAP Routing Query Issue

LDAP routing queries that resolve to an attribute in a routing address such as:

mailAlternateAddress: “Joe User” <[email protected]>

will perform DNS lookups on the string “example.com>” (note the ending angle bracket). The system is unable to parse the angle brackets in the attribute. The DNS lookup will then fail. [Defect ID: 8074]

IronPort Systems recommends constructing queries and issuing the test subcommand to ensure that all configured LDAP queries will resolve with expected results.
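Before running the test subcommand, an LDIF export of the directory can be checked offline for attribute values that would hit this defect. The following is an added example, not IronPort code: the sample entries, addresses and function names are constructed, and taking the text after the last "@" is an assumed model of how the string in the note arises.

```python
import base64
import re
from email.utils import parseaddr

# Attributes to audit (lower-cased). mailAlternateAddress is the one in the note.
ROUTING_ATTRS = {"mailalternateaddress"}

# A bare addr-spec: local@domain with no display name, quotes or angle brackets.
BARE_ADDR = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")

# Constructed LDIF export; every DN, name and address here is made up.
SAMPLE_LDIF = """\
dn: uid=juser,ou=people,dc=example,dc=com
mailAlternateAddress: "Joe User" <juser@example.com>

dn: uid=asmith,ou=people,dc=example,dc=com
mailAlternateAddress: asmith@example.com

dn: uid=lops,ou=people,dc=example,dc=com
mailAlternateAddress:: {b64}

dn: uid=kim,ou=people,dc=example,dc=com
mailAlternateAddress: "Kim Long-Display-Name"
  <kim@example.org>

dn: uid=broken,ou=people,dc=example,dc=com
mailAlternateAddress: Support Desk
""".format(b64=base64.b64encode(b'"Lee Ops" <lops@example.net>').decode("ascii"))


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_attr(line):
    """Return (name, value) for 'name: value' or base64 'name:: value', else None."""
    name, sep, rest = line.partition(":")
    if not sep or not name or line.startswith("#"):
        return None
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return name.strip().lower(), value


def lookup_string(value):
    """Text after the last '@' (assumed model of the string sent to DNS)."""
    return value.rsplit("@", 1)[1] if "@" in value else ""


def audit(ldif_text, attrs=ROUTING_ATTRS):
    """List every audited value that is not a bare address, with a suggested fix."""
    findings = []
    dn = None
    for line in unfold(ldif_text):
        parsed = parse_attr(line)
        if parsed is None:
            continue
        name, value = parsed
        if name == "dn":
            dn = value
        elif name in attrs and not BARE_ADDR.match(value):
            _display, addr = parseaddr(value)
            findings.append({
                "dn": dn,
                "value": value,
                "lookup_string": lookup_string(value),
                # Bare address to store instead, or None if none can be recovered.
                "suggested": addr if BARE_ADDR.match(addr) else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print("%s: %r -> lookup on %r, suggest %r"
              % (f["dn"], f["value"], f["lookup_string"], f["suggested"]))
```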

LDAP Group Queries are not Supported for Lotus Notes

Due to the way that Lotus Notes handles group membership, LDAP group queries are not supported for Lotus Notes in this release. [Defect ID: 18102]

IronPort Spam Quarantine Issues

Notifications

If the “Enable End-User Quarantine Access” checkbox is selected and the “Enable Spam Notification” checkbox is also selected, then all users will receive notifications. If the “Enable Spam Notification” checkbox is selected and the “Enable End-User Quarantine Access” checkbox is not selected, then only the administrator configured in the “Deliver Bounced Messages To” field is notified of new spam in the quarantine. There is no way to control or limit recipients of notifications at this time, other than setting different quarantine options for groups of users in the Email Security Manager. [Defect ID: 20470]

M-Series Appliance Sending Mail

For mail reinjected into a C- or X-Series appliance from an M-Series appliance, the C-Series appliance will skip the RAT, work queue, aliasing, masquerading, and other message processing that was already done on the first pass before being quarantined on the M-Series appliance.

However, the C-Series appliance must be configured in the HAT to accept mail from the M-Series host, or this mail will be rejected, and the bounce may be rejected as well. [Defect ID: 23759]

IronPort Spam Quarantine and Available Disk Space

Disk space on your IronPort appliance is shared between the IronPort Spam Quarantine, log files, and other data. If the shared space becomes nearly full with logs or other items, the IronPort Spam Quarantine will begin purging old data even if the quarantine has not yet reached its configured maximum capacity. [Defect ID: 22185]

tophosts and the IronPort Spam Quarantine

On upgrade or installation, the CLI command tophosts will immediately display an entry for the IronPort Spam Quarantine, even if the quarantine has handled no messages. [Defect ID: 21161]

Message and Content Filter Issues

attachment-protected Filter Condition Does Not Detect All Password-protected Files

The filter condition, attachment-protected, may not detect all password-protected files. It detects password-protected Word, Excel, PowerPoint, PDF, and Zip files. [Defect ID: 37453]

Content Filter Features Not Available from CLI

The following content filter conditions available in the GUI are not available in the CLI:

• Attachment Filename

• Attachment File Type

• Attachment MIME Type

• Subject Header

• Other Header

• Envelope Sender

• Envelope Recipient

• DKIM Verification

The following content filter functionality available in the GUI is not available in the CLI:

• You cannot delete conditions or actions

• You cannot reorder conditions and actions

[Defect ID: 35711]

Non-ASCII Characters in Content Filters Do Not Display Correctly

When you attempt to edit non-ASCII characters in a content filter action or condition, the form that the GUI displays is not filled in correctly. If you click ‘Cancel’, there should be no change to the text. However, if you modify the text, you will need to reenter the non-ASCII characters. [Defect ID: 36525]

Log files Created via the Archive Filter Action not Stored in Configuration File

When you create a log file via the archive filter action, the log file is not stored to the XML configuration file in the way that other log files are. Therefore, saving the configuration file does not store this log file. [Defect ID: 34560]

“Message Body Matches Term in Dictionary” Condition Not Available

The 'contains term in content dictionary' rule cannot be used with the 'Message Body' condition. [Defect ID: 33768]

Unable to Detect .exe files Embedded in Microsoft Office 2007 Documents

When .exe files are embedded in Microsoft Office 2007 documents, the scanning engine is unable to detect the .exe attachment using the attachment-filetype == "Executable" filter condition. [Defect ID: 33350]

Embedded Uuencoded Data Treated as Message "Content"

When using message filters to scan messages, the scanning engine associates a uuencoded attachment with the MIME part in which the attachment was found. As a result, the scanning engine sometimes skips performing some message filter actions on uuencoded data. For example, if the uuencoded attachment is embedded in a message body, the attachment-filetype condition skips the uuencoded attachment because it is associated with the content MIME part. [Defect ID: 29703]

Content Scanning Does Not Support Scanning .mdb File

The content scanning engine does not support scanning .mdb files. [Defect ID: 25849]

Application Error with Message Filters and the archive() Action

If, while processing a message, a message filter references a log subscription that has been removed, an application error may be generated. This happens when the change is made while the filter is processing the message, typically due to loading a new configuration file. [Defect ID: 27764]

Filters Issues

• The Body Scanning feature is not intended to be a first-line attack against potential spam. A workaround is to enable Brightmail Anti-Spam on the appliance, as Brightmail rules are updated every few minutes.

• If a filter uses any kind of variable substitution that involves a message header, the substituted value is always the original value, ignoring any changes made. [Defect ID: 11321]

Content Dictionary Entries

Content dictionary entries with the regular expression: “.*” at the beginning or end will cause the system to lock if a match for the “word” MIME part is found. [Defect ID: 11843]

IronPort Systems recommends you do not use “.*” at the beginning or end of a content dictionary entry.

Header Insertion of International Character Sets

Using the insert-header message filter or content filter action to insert headers that contain international character sets can impact system performance. [Defect ID: 9392]

Using Alt-Mailhost to Redirect to IronPort Spam Quarantine Corrupts Files

Using the Alt-Mailhost message filter or content filter action to redirect messages to the IronPort Spam Quarantine results in corrupted messages. [Defect ID: 29442]

Clustered Environment Issues

Application Fault Occurs During Cluster Initialization

In a clustered environment, sometimes a configuration notification was sent from a cluster to an IronPort appliance while the AsyncOS operating system for that machine was starting. This desynchronization caused an application fault similar to the following:

Tue Aug 7 15:00:21 2007 Critical: An application fault occurred: "('imh/imh.py

start_server|477', 'exceptions.TypeError', 'unsubscriptable object', '[coroutine/coro.py

wrap|736] [imh/imh.py imh_manager|893] [imh/imh.py injector_update|1114]

[imh/imh.py start_server|477]')"

28: Tue Aug 7 15:00:07 2007 Need to retrieve: (cluster ) hermes.imh.injectors

28: Tue Aug 7 15:00:07 2007 Setting on remote side:

28: Tue Aug 7 15:00:07 2007 sync_update

28: Tue Aug 7 15:00:07 2007 sync_retrieve

Tue Aug 7 15:00:07 2007 High latency (1.450s) for <coro <function _in_parallel_wrap

at 0x85ad534> #

28 [5] (frame 0x86a1c0c wait) at 0x89bd140>

28: Tue Aug 7 15:00:17 2007 Setting data to self: (cluster ) hermes.imh.injectors

= (2279, 1186

511694413514L, '0019B9B0CE9C-30NWLC1', 'benecja')

28: Tue Aug 7 15:00:21 2007 _sync_config done

Workaround: If you receive this application fault, reboot your IronPort appliance. [Defect ID: 36605]

In Clustered Environment, Original Bounced Message Is Cut Off at 10K

Bounce messages generated by the system, by default, use the Delivery Status Notification (DSN) format for both hard and soft bounces. In a clustered environment, if the message size is greater than 10k, the delivery status notification includes the message headers only. This defect was originally logged as defect ID 399, but the issue now exists in clustered environments only. [Defect ID: 36236]

Orphaned Connections in Clustered Environment

In a clustered environment, connections may be orphaned. Normally this does not cause problems, but occasionally it may cause CPU usage to max out. Rebooting your IronPort appliance resolves this issue. [Defect ID: 34441]

Clusterconfig Setgroup May Assign Node to Wrong Group

If one of the group names starts with a numeric character, attempting to assign systems to the non-default cluster group may fail. Systems may be assigned to the wrong group. [Defect ID: 30516]

Centralized Management C300D/350D with Non-C300D/350D Appliances Unsupported

In a clustered environment, you cannot combine C300D/C350D appliances with AsyncOS appliances that are not configured with the delivery performance package. [Defect ID: 26565]

Cannot Edit policyconfig Settings for a Group without a Machine

In a clustered environment, if a group does not contain a machine, you cannot edit the policyconfig settings from the CLI. However, as a workaround, you can edit the settings from the GUI interface. [Defect ID: 30386]

Clusterconfig Assigns Node to the Wrong Group

In a clustered environment, performing setgroup assigns nodes to the wrong group if the group name is numeric or uses special characters. As a workaround, use a group name that is non-numeric and contains no special characters. [Defect ID: 30516]

Clusterconfig Subcommands Use Inconsistent Case-Sensitivity

The clusterconfig -> addgroup subcommand is case-sensitive, whereas other subcommands are case-insensitive. This can create issues if you use case-sensitivity to distinguish groups. For example, if you use the addgroup command to add the groups “USERS” and “users”, the other clusterconfig subcommands treat the groups interchangeably. [Defect ID: 30571]

Clusters Disconnected

When you experience a break in a cluster connection, the cluster may become disconnected and stay disconnected. This problem is triggered by time adjustments (common when using multiple NTP servers). Also, when the cluster is in this state, cluster commands return incorrect values, as it is in an inconsistent state. When this occurs, you must reboot the IronPort appliance to reconnect the cluster. [Defect ID: 29418]

Accessing a Rebooting Appliance While in a Cluster Generates an Application Error

When a clustered appliance is rebooting, attempting to access that appliance via another appliance in the same cluster will cause an application error. [Defect ID: 24404]

Transient DNS Errors Reported When Joining a Cluster

Occasionally, when joining a cluster, DNS errors may be reported. These errors may be transient and do not indicate that a problem exists. To confirm, wait several minutes and run clusterconfig connstatus. If that command reports that the connection status is good, the errors may be ignored. If not, the problem may be due to an actual misconfiguration (wrong hostnames, firewall permissions, or misconfigured interfaces). [Defect ID: 19964]

Safari Web Browser Issue

In clustered environments, the Preview Inherited Settings information is not displayed when using the Safari web browser. [Defect ID: 18112]

Centralized Management: Disconnecting and Reconnecting Via the GUI

The ability to disconnect a machine from (or reconnect to) a cluster via the GUI has been removed. [Defect ID: 20014]

Online Help and Documentation Issues

Port Numbering Reversed in C600 and X1000 Rear Panel Graphic

The IronPort Quickstart Guides display reversed numbering for the fiber optic interface in the C600 and X1000 rear panel graphic. In Section 3, “Connect,” the order of the fiber optic interface should be 4 - 3. [Defect ID: 30608]

Opening Online Help in a Separate Browser Window

Attempting to open the online help (via the Help link in the GUI) in a separate browser window in Internet Explorer 6 results in an error. [Defect ID: 15762]

The online help opens in a separate browser window by default.

Configuration File Issues

Errors When Performing Operations on Removed Configuration Directory

If you remove or delete the Configuration directory, AsyncOS returns application errors or traceback errors when you attempt to perform operations on that directory (such as exporting the dictionary or saving the configuration file). [Defect IDs: 34333, 34336]

M-Series loadconfig action Allows Duplicate Items in the 'Quarantine Spam From' List

On an M-Series appliance, the loadconfig action accepts an XML configuration file with duplicated items in the “Quarantine Spam From” list. Duplicated hosts in the “Quarantine Spam From” list can impact system performance. [Defect ID: 33690]

Loadconfig Erroneously Allows Multiple Content Filters with Identical Names

When you edit a loadconfig file, it erroneously allows you to add multiple content filters with identical names. Because you cannot use the same name for content filters in the IronPort appliance, it only displays one of the content filters of the same name you added in the loadconfig file. To work around this issue, ensure that you do not enter multiple content filters of the same name in the loadconfig file. [Defect ID: 31381]

Parse Error When Loading 4.7.0 or 4.7.1 Configuration Files

After upgrading to AsyncOS 5.0 or later, you may get a parse error if you attempt to load a 4.7.0 or 4.7.1 configuration file.

To work around this issue, remove the following sections from the configuration file:

1. Remove the following text from the configuration file:

<mailFlowMonitorDiskLimit>40</mailFlowMonitorDiskLimit>
<mailFlowMonitorWebServer>off</mailFlowMonitorWebServer>
<mailFlowMonitorHoursLimit>192</mailFlowMonitorHoursLimit>
<mailFlowMonitorDaysLimit>32</mailFlowMonitorDaysLimit>
<mailFlowMonitorWeeksLimit>0</mailFlowMonitorWeeksLimit>
<mailFlowMonitorMonthsLimit>0</mailFlowMonitorMonthsLimit>
<mailFlowMonitorDomainMapCacheMode>in</mailFlowMonitorDomainMapCacheMode>

2. Remove the following section (everything from <periodic_reports> to </periodic_reports>):

<periodic_reports>
  <periodic_report_dir_token>0</periodic_report_dir_token>
</periodic_reports>

3. Remove the following log entries:

<log_case>
  <name>case</name>
  <retrieval>
    <ftp_poll>
      <filename>case</filename>
      <rolloversize>10485760</rolloversize>
      <rollover_max_files>10</rollover_max_files>
    </ftp_poll>
  </retrieval>
  <log_level>3</log_level>
</log_case>
<log_brightmail>
  <name>brightmail</name>
  <retrieval>
    <ftp_poll>
      <filename>brightmail</filename>
      <rolloversize>10485760</rolloversize>
      <rollover_max_files>10</rollover_max_files>
    </ftp_poll>
  </retrieval>
  <log_level>3</log_level>
</log_brightmail>

[Defect ID: 31198]
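The three removal steps above can be scripted and the result checked before it is loaded. This is an added example, not IronPort tooling: the element names come from the steps, while the <config> root, the other sample elements and the function names are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Element names taken from steps 1-3 of the workaround in the release note.
OBSOLETE_ELEMENTS = (
    "mailFlowMonitorDiskLimit", "mailFlowMonitorWebServer",
    "mailFlowMonitorHoursLimit", "mailFlowMonitorDaysLimit",
    "mailFlowMonitorWeeksLimit", "mailFlowMonitorMonthsLimit",
    "mailFlowMonitorDomainMapCacheMode",      # step 1
    "periodic_reports",                       # step 2
    "log_case", "log_brightmail",             # step 3
)

# Constructed sample. The <config> root, <hostname> and <log_mail> entries are
# assumptions made for this example; a real exported file will differ.
SAMPLE_CONFIG = """\
<?xml version="1.0"?>
<config>
  <hostname>mail.example.com</hostname>
  <mailFlowMonitorDiskLimit>40</mailFlowMonitorDiskLimit>
  <mailFlowMonitorWebServer>off</mailFlowMonitorWebServer>
  <mailFlowMonitorHoursLimit>192</mailFlowMonitorHoursLimit>
  <mailFlowMonitorDaysLimit>32</mailFlowMonitorDaysLimit>
  <mailFlowMonitorWeeksLimit>0</mailFlowMonitorWeeksLimit>
  <mailFlowMonitorMonthsLimit>0</mailFlowMonitorMonthsLimit>
  <mailFlowMonitorDomainMapCacheMode>in</mailFlowMonitorDomainMapCacheMode>
  <periodic_reports>
    <periodic_report_dir_token>0</periodic_report_dir_token>
  </periodic_reports>
  <log_case>
    <name>case</name>
    <retrieval><ftp_poll><filename>case</filename></ftp_poll></retrieval>
    <log_level>3</log_level>
  </log_case>
  <log_brightmail>
    <name>brightmail</name>
    <retrieval><ftp_poll><filename>brightmail</filename></ftp_poll></retrieval>
    <log_level>3</log_level>
  </log_brightmail>
  <log_mail>
    <name>mail_logs</name>
    <log_level>3</log_level>
  </log_mail>
</config>
"""


def strip_obsolete(config_text):
    """Return (cleaned_text, {element: blocks_removed}); raise if the edit is unsafe."""
    removed = {}
    for name in OBSOLETE_ELEMENTS:
        tag = re.escape(name)
        # Whole element plus its indentation and line ending; other text is untouched.
        block = re.compile(r"[ \t]*<%s>.*?</%s>[ \t]*\r?\n?" % (tag, tag), re.DOTALL)
        config_text, count = block.subn("", config_text)
        if count:
            removed[name] = count
        # A leftover opening tag means the element was unclosed, self-closing or
        # carried attributes: stop rather than guess where it ends.
        if re.search(r"<%s[\s/>]" % tag, config_text):
            raise ValueError("could not remove <%s> cleanly; edit it by hand" % name)
    ET.fromstring(config_text)   # raises ParseError if the result is not well-formed
    return config_text, removed


def element_names(config_text):
    """Set of element names present in the document, for before/after comparison."""
    return {el.tag for el in ET.fromstring(config_text).iter()}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # latin-1 maps every byte to one character, so the untouched parts of
        # the file are written back byte for byte whatever its real encoding.
        with open(sys.argv[1], encoding="latin-1", newline="") as fh:
            text = fh.read()
        cleaned, removed = strip_obsolete(text)
        with open(sys.argv[1] + ".cleaned", "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)    # the original file is left in place
    else:
        cleaned, removed = strip_obsolete(SAMPLE_CONFIG)
    for name, count in removed.items():
        print("removed %d x <%s>" % (count, name))
```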

Configuration File Filenames Containing Special Characters

Configuration filenames that include special characters such as “[”, “]”, and “,” are not allowed. If you have a configuration file that includes those characters, you will have to rename the file to remove the characters before loading the configuration. [Defect ID: 25989]

Upgrade Issues

Pressing Ctrl-C does not Abort Upgrade Process

When performing an upgrade, if you press Ctrl-C, the upgrade process does not immediately abort, and it may take some time before you can restart the upgrade. [Defect ID: 32689]

GUI Display Incorrect After Upgrade to Version 5.5.1

After you upgrade to version 5.5 or later, the GUI may not display correctly.

As a workaround, clear the browser cache and force the page to reload. [Defect ID: 33851]

DKIM and Domainkeys Signing Issues

DKIM Verification of Multiple Signatures

Current DKIM verification stops at the first valid signature. It is not possible to verify using the last signature encountered. This functionality may be available in a later release. [Defect ID: 34075]

Trace Feature Issues

Malformed MIME Messages Not Detected as “Unscannable”

If malformed MIME messages are entered in the trace feature, the command will not note that a message is considered “unscannable” because of the scanconfig settings. [Defect ID: 5802]

No Use of Tab Character in the Trace CLI

The trace command will not allow tab characters to be typed in the command line interface. [Defect ID: 5799]

Localization Issues

Currently, the safelist/blocklist notifications are not localized. [Defect ID: 36194]

The IronPort Spam Quarantine page currently has poorly localized plural strings. [Defect ID: 30576]

Time ranges in reports are not localized. [Defect ID: 30705].

Creating localized IronPort Spam notifications sometimes only displays part of the localized text. [Defect ID: 36194]

Email Encryption Issues

Envelope Fails to Open in OWA 2007

Envelope fails to open in OWA 2007. OWA 2007 modifies the wrapper in such a way that it cannot be opened. A workaround is to forward to [email protected], which provides a temporary link to view the message. [Defect ID: 36694]

Double Byte Characters in Attachment Filenames

Double byte characters in attachment filenames don’t display in Save As. [Defect ID: 35803]

Double Byte Character Display

Double byte characters don’t display properly in read receipts and subject of the email when seen on the "Search Sent Messages" screen. [Defect ID: 36090]

Safelist/Blocklist Issues

Email Attributes in Safelist/Blocklist Database Are Not Validated

The safelist/blocklist database attempts to consolidate email addresses using LDAP authentication. However, if the email attribute in the LDAP directory contains invalid email addresses, these invalid email addresses are added to the safelist/blocklist database. This can result in the following problems:

• You may not be able to restore an exported safelist/blocklist database.

• The system can display error messages to an end user when he or she logs in to the IronPort Spam Quarantine.

[Defect ID: 36967]

Other Known Issues

Performing Trace on Encrypted Messages Does Not Display Message Body

When you perform the Trace CLI command or use the Trace page to test the flow of an encrypted message, the message body does not display in the trace results. [Defect ID: 34085]

“To” Headers Stripped When Performing Masquerading or Copy

When you perform masquerading or copy functions, all “To” headers but the masqueraded or copied headers may be erroneously stripped from the message. [Defect ID: 32422]

Matched Content Displays Incorrectly in the Local Quarantine

When you view messages in the local quarantine that have triggered message or content filter rules, the GUI may display content that did not actually trigger the filter action (along with content that triggered the filter action). The GUI display should be used as a guideline for locating content matches, but does not necessarily reflect an exact list of content matches. This occurs because the GUI uses less strict content matching logic than is used in the filters. This issue applies only to the highlighting in the message body. The table that lists the matched strings in each part of the message along with the associated filter rule is correct. [Defect ID: 34687]

RAID and Hard Disk Events Not Reported on C350 Appliances Using SNMP Monitoring

On the C350 appliances, changes to the hard disk and to the RAID table are not generating traps when using SNMP monitoring. [Defect ID: 29045]

IronPort Anti-Spam Regional Scanning Option Available Prior to CASE Updates

You can view this option in the GUI before it is possible to enable it. This can occur when you view this option prior to CASE updates because there are not yet any available regional rules. [Defect ID: 32542]

CLI Version Command Does Not Reflect RAID Rebuild Status

When running the CLI version command on the 2950 platform when the RAID is being rebuilt, the CLI displays a status of “degraded.” It does not indicate that the rebuild is in progress. [Defect ID: 31896]

Erroneous Commit Required from Mail Policies > Anti-Spam Page

The AsyncOS appliance may unexpectedly activate the 'Commit' button when you make changes from the 'Mail Policies > Anti-Spam' page settings after you configure Cloudmark or IronPort Anti-Spam message scanning via the CLI. [Defect ID: 30688]

Brightmail DFA Enabled by Default

In the AsyncOS appliance builds 5.0.0-221 through 5.0.0-229, Brightmail DFA is enabled by default. In all other builds, however, Brightmail DFA is disabled by default. If your IronPort appliance has DFA enabled, it can cause the appliance to run out of memory. To disable DFA, enter the following command from the CLI:

antispamconfig -> disable usedfa

[Defect ID: 30753].

New Listeners Do Not Use Default SBRS Scores

When you create a new listener via the System Setup Wizard, the IronPort appliance creates the listener with default values. However, when you create a listener manually, the IronPort appliance does not use these default SBRS values. [Defect ID: 29315]

Hard Disk Failure

Hard disks on a C350, C650, or M650 appliance may fail. This issue is related to Defect ID 27605, in which the C350, C650, and M650 appliances do not start a RAID rebuild on power up. To rebuild the RAID, you must hot swap the drive. If the problem still occurs, replace with a new drive. [Defect ID: 27493]

Alternate Mailhost and Default SMTP Route

If you have configured a default SMTP route, and then specify an alternate mailhost for a message, the alternate mailhost will not work. You can work around this by setting an SMTP route specifically for the alternate mail host. [Defect ID: 27293]

SenderBase Reputation Service Score Sorting

When SenderBase Reputation Service scores are sorted ascending, as on the Sender Information tab of a Domain Profile report, some scores of “0” will be present above the negative numbers in the list. [Defect ID: 27265]

Resetconfig Resets Counters Back to Unlimited on C300/350D Appliances

If you run resetconfig on a C300/350D appliance, the counters are erroneously reset to unlimited. Because counters impact performance, they should be limited on a C300/350D appliance. To reset the counters again, you must reboot the appliance. [Defect ID: 29564]

Leading Period Character Stripped from Notification Templates

AsyncOS strips leading periods (.) from notification templates that have text that begins with a period. A simple workaround is to add an extra period at the beginning of lines that should begin with a period. [Defect ID: 24865]

Messages with Non-RFC-Compliant Received Headers

Messages with non-RFC-compliant received headers (including hex values, for example) are currently accepted by AsyncOS. [Defect ID: 26091]

Unable to Add RAT Entries After Clearing All Entries in the RAT

When clearing all entries in the RAT via the GUI, you must commit your changes prior to adding new entries. You can use the CLI to work around this problem. [Defect ID: 23223]

Cannot Specify Multiple Ports on a Single IP Address in SMTP Routes

Configuring SMTP Routes to point to multiple port numbers on a single IP address is not supported. [Defect ID: 17806]

Masquerading Fails with Specific Formatting of the “To:” Header

This particular issue only occurs with the following header example:

To: Joe Worker <[email protected]>,

'[email protected]' <[email protected]>

If you remove the single quotes around the name, ‘[email protected]’ or change the email address in the single quotes to just a name (so that it is not an email address), masquerading will occur as expected. [Defect ID: 12087]

Perpetual Messaging Keys on New IronPort C-Series Appliances

Perpetual messaging keys will not work on an IronPort C-Series appliance if the appliance has not already processed at least one message. [Defect ID: 12005] Send a test message before applying perpetual messaging keys.

Delivering Mail to Multiple Ports on a Single Listener

Mail delivery policies cannot be configured so that mail is delivered to multiple ports on a single IP address (for example, port 25 for normal delivery and port 41025 for BrightMail quarantine). [Defect ID: 10926] IronPort Systems recommends running each delivery option on a separate IP address or host.

Further, it is not possible to use the same hostname for regular email delivery and quarantine delivery. [Defect ID: 11381]

Incorrect Brightmail Expiration Log Entry

If you initially set an invalid “Filter Update URL” in the Security Settings -> Anti-Spam page or using the antispamconfig command, the brightmail.current log file will erroneously log an entry indicating that the Brightmail evaluation period has ended. This error is transient, and printed only upon initialization of the engine after enabling Symantec Brightmail. [Defect ID: 8458]

CONTACTING IRONPORT CUSTOMER SUPPORT

You can request our support by phone, email, or online 24 hours a day, 7 days a week.

During customer support hours (24 hours per day, Monday through Friday excluding U.S. holidays), an engineer will contact you within an hour of your request.

To report a critical issue that requires urgent assistance outside of our office hours, please contact IronPort using one of the following methods:

U.S. Toll-free: 1 (877) 641-IRON (4766)

International: www.ironport.com/support/contact_support.html

Support Portal: www.ironport.com/support

If you have purchased support through a reseller or another entity, please contact them for support of your IronPort products.

