IronPort AsyncOS RELEASE NOTES for IronPort Security Appliances

Transcription

1 IronPort AsyncOS RELEASE NOTES for IronPort Security Appliances

2 COPYRIGHT Copyright 2007 by IronPort Systems, Inc. All rights reserved. Part Number: Revision Date: November 6, 2007 The IronPort logo, IronPort Systems, Messaging Gateway, Virtual Gateway, SenderBase, Mail Flow Monitor, Virus Outbreak Filters, Context Adaptive Scanning Engine (CASE), IronPort Anti-Spam, and AsyncOS are all trademarks or registered trademarks of IronPort Systems, Inc. Brightmail, the Brightmail logo, BLOC, BrightSig, and Probe Network are trademarks or registered trademarks of Symantec Incorporated. McAfee and VirusScan are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. Copyright 2007 McAfee, Inc. All rights reserved. Used with permission. All other trademarks, service marks, trade names, or company names referenced herein are used for identification only and are the property of their respective owners. This publication and the information contained herein is furnished AS IS and is subject to change without notice. Publication of this document should not be construed as a commitment by IronPort Systems, Inc. IronPort Systems, Inc., assumes no responsibility or liability for any errors or inaccuracies, makes no warranty of any kind with respect to this publication, and expressly disclaims any and all warranties of merchantability, fitness for particular purposes and non-infringement of third-party rights. Some software included within IronPort AsyncOS is distributed under the terms, notices, and conditions of software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated in IronPort license agreements. The full text of these agreements can be found here: Portions of the software within IronPort AsyncOS is based upon the RRDtool with the express written consent of Tobi Oetiker. Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Symantec Incorporated. Brightmail Anti-Spam is protected under U.S. Patent No. 6,052,709. IRONPORT SYSTEMS INC. IronPort Systems, Inc. 950 Elm Avenue San Bruno, CA CONTACTING IRONPORT CUSTOMER SUPPORT If you have purchased support directly from IronPort Systems, you can request our support by phone, or online 24 hours a day, 7 days a week. During our office hours (24 hours per day, Monday through Friday excluding US holidays), one of our engineers will contact you within an hour of your request. To report a critical issue that requires urgent assistance outside of our office hours, please call us immediately at the numbers below. U.S. Toll-free:1 (877) 641-IRON (4766) International: contact_support.html Support Portal: If you have purchased support through a reseller or another entity, please contact them for support of your IronPort products.

3 IronPort AsyncOS for Security Appliances Release Notes These release notes contain information critical to upgrading and running the latest version of AsyncOS for IronPort Security Appliances, including hardware-specific information and known issues. What s New in AsyncOS for Security Appliances on page 4 Enhanced: Content Scanning on page 4 Enhanced: Message Header Logging for IPMM Headers on page 7 Enhanced: IronPort Spam Quarantine Unicode Conversion on page 8 Enhanced: DKIM Authentification-Results Header on page 8 Fixed: Virtual Gateway Delivery Sometimes Disrupted on page 8 What s New in AsyncOS for Security Appliances on page 9 New Feature: Safelists and Blocklists on page 9 New Feature: IronPort Encryption on page 10 New Feature: DKIM Authentication on page 10 New and Enhanced: LDAP Queries on page 10 New and Enhanced: Content Scanning on page 12 New Feature: AsyncOS Reversion on page 14 New: findevent CLI Command on page 15 Enhanced: Reporting on page 16 Enhanced: IronPort Spam Quarantine Alias Consolidation on page 18 Enhanced: Text Resources on page 18 Enhanced: Content Filters on page 18 Enhanced: cleansmtp CLI Command on page 19 Enhanced: Graphical User Interface on page 19 Enhanced: Content Dictionaries on page 20 Enhanced: CLI grep Command on page 20 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 1

4 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES Enhanced: Bounce Delivery Status Notification on page 21 Enhanced: Logging on page 21 Modified: LDAP Server Connections on page 21 Modified: SCP Port Configuration on page 21 Fixed Issues on page 22 Fixed Reporting Issues on page 22 Fixed Alert Issues on page 23 Fixed LDAP Issues on page 24 Fixed IronPort Spam Quarantine Issues on page 25 Fixed Message and Content Filter Issues on page 26 Fixed Clustered Environment Issues on page 28 Fixed Configuration File Issues on page 28 Fixed Domain Keys Signing Issues on page 29 Fixed Updater Issues on page 30 Fixed Upgrade Issues on page 30 Fixed: Antivirus Scanning Engines on page 30 Other Fixed Issues on page 30 Qualified Upgrade Paths on page 34 Upgrade Instructions on page 34 Pre-Upgrade Notes on page 34 Configuring the Update Server on Version 5.1 or Later on page 36 Replacing Mail Flow Monitor in AsyncOS Version 5.0 or Later on page 37 Upgrading to the AsyncOS Release on page 37 Performance Advisory on page 38 Known Issues on page 39 Security Monitor and Reporting Issues on page 40 Alert Issues on page 41 LDAP Issues on page 41 IronPort Spam Quarantine Issues on page 42 Message and Content Filter Issues on page 42 Clustered Environment Issues on page 44 Online Help and Documentation Issues on page 46 Configuration File Issues on page 47 Upgrade Issues on page 49 DKIM and Domainkeys Signing Issues on page 49 2

5 Trace Feature Issues on page 49 Localization Issues on page 49 Encryption Issues on page 49 Safelist/Blocklist Issues on page 50 Other Known Issues on page 50 Contacting IronPort Customer Support on page 53 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 3

6 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES WHAT S NEW IN ASYNCOS FOR SECURITY APPLIANCES This section describes new features and enhancements added to the AsyncOS for Security Appliances release. Enhanced: Content Scanning In version 5.5.1, AsyncOS includes new filter conditions and filter actions. These new conditions and actions are available in the message filters and content filters. The examples below include directions for adding conditions and actions from the GUI for content filters and from the CLI for message filters. However, you can also create content filters via the CLI. attachment-unprotected filter condition. The attachment-unprotected filter condition returns true if the scanning engine detects an attachment that is unprotected. A file is considered unprotected if the scanning engine was able to read the attachment. A zip file is considered to be unprotected if any of its members is unprotected. To Add the attachment-unprotected Filter Condition in the GUI (Content Filters): 1. From the GUI, you can add this condition to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter. 2. Enter a name and description for the content filter. 3. Click Add Condition. 4. Select Attachment Protection. The rule builder for the content filter dynamically refreshes with the list of available options. 5. Select One or More Attachments are NOT Protected. 6. Click OK. The condition is now added to the content filter. You can save the filter or add other conditions or actions. To Add the attachment-unprotected Filter Condition in the CLI (Message Filters): From the CLI, you can add the attachment-unprotected filter condition using the following syntax: Code Example 1-1 attachment-unprotected filter example AsyncOS 5.5 for IronPort C100 Welcome to the IronPort C100 Messaging Gateway(tm) Appliance example.com> filters Choose the operation you want to perform: - NEW - Create a new filter. - IMPORT - Import a filter script from a file. []> new Enter filter script. Enter '.' on its own line to end. 4

7 Code Example 1-1 attachment-unprotected filter example attachment_protected_quarantine: if attachment-unprotected { quarantine ('Policy'); }. 1 filters added. Note The attachment-unprotected filter condition is not mutually exclusive of the attachment-protected filter condition. It is possible for both filter conditions to return true when scanning the same attachment. This can occur, for example, if a zip file contains both protected and unprotected members. body-dictionary-match filter condition. This new filter condition returns true if the dictionary term matches content in the body of the message only. The filter searches for terms within the MIME parts not considered to be an attachment. and it returns true if the user-defined threshold is met (the default threshold value is one). To Add the body-dictionary-match Filter Condition in the GUI (Content Filters): 1. From the GUI, you can add this condition to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter. 2. Enter a name and description for the content filter. 3. Click Add Condition. 4. Select Message Body. 5. Select Contains Term in Content Dictionary. 6. Choose the content dictionary to use from the drop-down list. 7. Click OK. The condition is now added to the content filter. You can save the filter or add other conditions or actions. To Add the body-dictionary-match Filter Condition in the CLI (Message Filters): Use the following syntax to add the dictionary-match filter condition: if (body-dictionary-match ('<dictionary_name>')) The following example shows mail that is quarantined if terms in the match the specified dictionary: Code Example 1-2 body-dictionary-match filter example AsyncOS 5.5 for IronPort C100 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 5

8 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES Code Example 1-2 body-dictionary-match filter example Welcome to the IronPort C100 Messaging Gateway(tm) Appliance example.com> filters Choose the operation you want to perform: - NEW - Create a new filter. - IMPORT - Import a filter script from a file. []> new Enter filter script. Enter '.' on its own line to end. quarantine_secret_words: if (body-dictionary-match ('example_dictionary')){ quarantine ('Policy'); }. 1 filters added. drop-attachments-where-dictionary-matches filter action. This new filter action strips attachments based on matches to dictionary terms. If the terms in the MIME parts considered to be an attachment match a dictionary term (and the user-defined threshold is met), the attachment is strippped from the . To Add the drop-attachments-where-dictionary-matches Filter Action in the GUI (Content Filters): 1. From the GUI, you can add this condition to new content filters by clicking Mail Policies > Incoming Content Filters or Mail Policies > Outgoing Content Filters, and clicking Add Filter. 2. Enter a name and description for the content filter. 3. Add any conditions that may apply. 4. Click Add Action. 5. Click Strip Attachment by Content. 6. Select Message Body. 7. Select Contains Term in Content Dictionary. 8. Choose the content dictionary to use from the drop-down list. 9. Click OK. The action is now added to the content filter. You can save the filter or add other conditions or actions. 6

9 To Add the drop-attachments-where-dictionary-matches Filter Action in the CLI (Message Filters): Code Example 1-3 drop-attachments AsyncOS 5.5 for IronPort C100 Welcome to the IronPort C100 Messaging Gateway(tm) Appliance example.com> filters Choose the operation you want to perform: - NEW - Create a new filter. - IMPORT - Import a filter script from a file. []> new Enter filter script. Enter '.' on its own line to end. testme: if (true) { drop-attachments-where-dictionary-match('dictionary_example'); }. 1 filters added. Enhanced: Message Header Logging for IPMM Headers In previous versions of AsyncOS for Security Appliances, it was not possible to log message headers for IPMM messages. Now you can log IPMM message headers via the logconfig -> logheaders CLI command. To use this feature: from the logconfig CLI command, select LOGHEADERS, and choose to scan IPMM messages for existing headers: Choose the operation you want to perform: - NEW - Create a new log. - EDIT - Modify a log subscription. - DELETE - Remove a log subscription. - SETUP - General settings. - LOGHEADERS - Configure headers to log. - HOSTKEYCONFIG - Configure SSH host keys. []>logheaders Please enter the list of headers you wish to record in the log files. Separate multiple headers with commas. []> Message-ID Include IPMM variables with headers? [N]> Y Should IPMM messages be scanned for existing headers? [N]Y Note that the headers are extracted before the variables are substituted. Therefore, instead of seeing the variable value in the logs, the variable displays in the logs. For instance, if you log the subject header, you might see the following entry in your logs: IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 7

10 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES Subject: &usersubject; Note This feature only applies to IPM messages with a single XPRT body part. Enhanced: IronPort Spam Quarantine Unicode Conversion When the IronPort Spam Quarantine displays a message, it converts the message body to Unicode. If errors occurred when converting the message body to Unicode, sometimes messages were rendered unreadable. Now, instead of generating unreadable messages, the IronPort Spam Quarantine skips displaying unreadable characters. [Defect ID: 35757, 36909] Enhanced: DKIM Authentification-Results Header For DKIM Authentication, IronPort currently supports version 8 of the Draft Specification of Authentication-Results: header (draft-kucherawy-sender-auth-header). [Defect ID: 36848] Fixed: Virtual Gateway Delivery Sometimes Disrupted Fixed an issue in which Virtual gateway delivery to a host with invalid DNS entry sometimes disrupted the mailflow. [Defect ID: 37687} 8

11 WHAT S NEW IN ASYNCOS FOR SECURITY APPLIANCES This section describes new features and enhancements added to the AsyncOS for Security Appliances release. New Feature: Safelists and Blocklists The 5.5 version of AsyncOS introduces end-user safelists and blocklists. You can enable end users to create safelists and blocklists to better control which s are scanned by anti-spam scanning engines. Safelists allow a user to ensure that certain users or domains are never scanned with anti-spam scanning engines, while blocklists ensure that certain users or domains are rejected or quarantined. The safelists and blocklists settings are configured from the IronPort Spam Quarantine, so you must enable and configure the IronPort Spam Quarantine to use this feature. When you enable the safelist/blocklist feature, each end-user can maintain a safelist and blocklist for his or her account. Note A safelist setting does not prevent the IronPort appliance from scanning an for viruses or determining if the message meets the criteria for a content-related mail policy. Even if a message is part of a safelist, it may not be delivered to the end-user depending on other scanning settings. Note about Synchronizing Safelist/Blocklist Settings When an end user creates a safelist or blocklist, the setting is saved to a database. If the IronPort Spam Quarantine exists on an M-Series appliance, this database must be synchronized with a database on the C-Series appliance before the safelist/blocklist settings are applied to incoming mail. When the IronPort Spam Quarantine exists on a C-Series appliance, the database must be synchronized with a read-only database that is used when processing the mail queue. The amount of time it takes to automatically synchronize these databases depends on the model of the machine. The following table shows the default settings for updating safelists and blocklists: Table 1-1 Synchronization of Safelist and Blocklist Settings Appliance C10/C100/C150 C30/C300/C350 C60/C600/C650 X1000/X1050 Synchronization Time 10 minutes 15 minutes 30 minutes 60 minutes M10/M600/M minutes M1000/M minutes IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 9

12 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES For information about configuring safelists and blocklists, see Working with Safelists and Blocklists in the Quarantines chapter of the IronPort AsyncOS User Guide. New Feature: IronPort Encryption The 5.5 version of AsyncOS includes integrated encryption. To use this feature, first create an Encryption Profile that specifies characteristics of the encrypted message and connectivity information for the key server. The key server may either be the Cisco Registered Envelope Service (managed service) or an IronPort Encryption Appliance (locally managed server). Next, use content and/or message filters to determine which messages to encrypt. When outgoing messages that meet the filter condition are processed, the message is encrypted on the Security Appliance and the key used to encrypt the message is stored into the key server specified in the Encryption Profile. After you configure encryption, send a test message through to ensure it is encrypted. You can tail the logs, or you can use the CLI findevent command to get a summary of the events after they have occurred (using the MID). For updates to the IronPort Encryption appliance and updates to the Cisco Registered Envelope Service, please review the release notes for those products. Please note that AsyncOS version 5.5 is compatible with version of the IronPort Encryption appliance. For information about configuring IronPort encryption, see IronPort Encryption in the IronPort AsyncOS User Guide. New Feature: DKIM Authentication The 5.5 version of AsyncOS includes the ability to perform DKIM signing and verification. DomainKeys Identified Mail is a method for authentication in which a DKIM-Signature header is inserted in an , and the verifying MTA validates the signature by retrieving a sender's public key through the DNS. To use DKIM with the Security Appliance, you create a domain key profile, a signing key, and enable DKIM signing or verification on the mail flow policy. Note If you send a test to a reflector site, the IETF specification may differ from the one used by IronPort, and a failure may occur even when your configuration and settings are correct. If your test fails, verify the failure by testing against several different reflector sites. For more information about DKIM authentication, see DomainKeys and DKIM Authentication in the IronPort AsyncOS User Guide. New and Enhanced: LDAP Queries AsyncOS version 5.5 includes the following enhancements to LDAP queries: Domain-based queries. Domain-based queries are LDAP queries grouped by type, associated with a domain, and assigned to a particular listener. You might want to use domain-based queries if you have different LDAP servers associated with different domains but you want to run queries for all your LDAP servers on the same listener. 10

13 Chain queries. A chain query is a series of LDAP queries that the IronPort appliance runs in succession. The IronPort appliance runs each query in the chain until the LDAP server returns a positive response (or the final query in the chain returns a negative response or fails). Chain queries can be useful if entries in your LDAP directory use different attributes to store similar (or the same) values. For example, you might have used the attributes maillocaladdress and mail to store user addresses. To ensure that your queries run against both these attributes, you can use chain queries. Modified DHAP. In a previous release, DHAP counters were based solely on the rejections detected during LDAP acceptance queries. Now, the DHAP counters include both RAT rejections and LDAP acceptance query rejections. DHAP settings are now configured in the Mail Flow Policy rather than in the Listener settings. LDAP Referrals. The 5.5 version of AsyncOS supports LDAP referrals. When you use LDAP referrals, the original query gets referred to another LDAP server. For example, the following log shows a query that is referred from server openldap1 to server ldap_server2.com: Tue Jun 26 13:19: Debug: LDAP: (accept) Query (mail=user@domain.com) to server openldap1 (ldap_server1.com:389) Tue Jun 26 13:19: : LDAP: Query (mail=user@domain.com) following continuation: ldap://ldap_server2.com/ ou=test,ou=people,dc=com??sub Tue Jun 26 13:19: : LDAP: (accept) Query (mail=user@domain.com) lookup success, returned 1 results IMPORTANT: When you use LDAP referrals, you must have configured an LDAP server profile for each LDAP server you want to refer to. In the previous example, you would need to configure an LDAP server profile for openldap1 and ldap_server2.com. LDAP caches. In previous releases, LDAP cache settings were configured for each LDAP query. In AsyncOS 5.5, LDAP caches are now associated with the server profile, and cache settings are the same for all LDAP queries. When you upgrade from previous versions, the highest cache values from the previous configuration are used as the upgraded cache value. For example, if you set the maximum retained cache entries to a value of 1000 for the routing query, and a maximum retained cache entries to a value of 5000 for the Accept query, the upgraded value would be 5000 for all queries. Bypass LDAP Acceptance query. If you configure LDAP acceptance queries, you may wish to bypass the acceptance query for certain recipients. This feature can be useful if there are recipients for whom you receive which you do not want to be delayed or queued during LDAP queries, such as customercare@example.com. You can configure bypassing LDAP acceptance via the GUI or from the CLI. To configure bypassing LDAP acceptance via the GUI, select Bypass LDAP Accept Queries for this Recipient when you add or edit the RAT entry. To configure bypassing LDAP acceptance queries via the CLI, IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 11

14 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES answer yes to the following question when you enter recipients using the listenerconfig -> edit -> rcptaccess command: Would you like to bypass LDAP ACCEPT for this entry? [Y]> y Note When you configure a RAT entry to bypass LDAP acceptance, be aware that the order of RAT entries affects how recipient addresses are matched. The RAT matches the recipient address with the first RAT entry that qualifies. For example, you have the following RAT entries: postmaster@ironport.com and ironport.com. You configure the entry for postmaster@ironport.com to bypass LDAP acceptance queries, and you configure the entry for ironport.com for ACCEPT. When you receive mail for postmaster@ironport.com, the LDAP acceptance bypass will occur only if the entry for postmaster@ironport.com is before the entry for ironport.com. If the entry for ironport.com is before the postmaster@ironport.com entry, the RAT matches the recipient address to this entry and applies the ACCEPT action. For information about configuring new LDAP settings, see LDAP Queries in the IronPort AsyncOS Advanced User Guide. New and Enhanced: Content Scanning In version 5.5, AsyncOS includes the following enhancements to content scanning: Thresholds for Patterns in Content Scanning. When you add message or content filter rules that search for patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found in order to trigger the filter action. When AsyncOS scans the message, it totals the score for the number of matches it finds in the message and attachments. If the minimum threshold is not met, the regular expression does not evaluate to true. You can specify this threshold for the following filter rules: body-contains only-body-contains attachment-contains every-attachment-contains dictionary-match attachment-dictionary-match You can also specify a threshold value for the drop-attachments-where-contains action. Weighted content dictionaries. For each term in a content dictionary, you specify a weight, so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it scores the message by multiplying the number of term instances by the weight of term. Two instances of a term with a weight of three would result in a score of six. AsyncOS then compares this score with a threshold 12

15 value associated with the content or message filter to determine if the message should trigger the filter action. Smart identifiers. When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data. Smart identifiers can detect the following patterns in data: Credit card numbers U.S. Social Security numbers CUSIP (Committee on Uniform Security Identification Procedures) numbers ABA (American Banking Association) routing numbers Improved embedded object detection. In version 5.5, AsyncOS treats ordinary files as if they were containers, similar to zip files. The embedded objects are extracted and processed as independent files that are separately fingerprinted, sent to the Stellent scanning engine, and scanned for content matches. This change allows for the following improvement to embedded object detection: A zip file is now processed as if it were directly attached to the message; the member files will themselves be scanned, and the names can be matched using an attachment-filename filter rule. Scanning exclusion lists and depth limits are better supported. Detecting zip files in Word and Excel is supported. Detect password-protected attachments. A new message filter condition and content filter condition is included in the 5.5 release to detect password-protected files. The new message filter condition, attachment-protected, uses the following syntax: if attachment-protected { quarantine("policy"); } Matched Content Viewing. You can now view the content that triggered a message or content filter action using the matched content action variable or by viewing a quarantined message in the system quarantine. In the system quarantine, matched content appears highlighted, so you can easily view the content that triggered the filter action. For information about configuring new content scanning functionality, see the following documentation: Policy Enforcement in the IronPort AsyncOS Advanced User Guide. Content Dictionaries in Text Resources in the IronPort AsyncOS User Guide. Content Filters Overview in Security Manager in the IronPort AsyncOS User Guide. IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 13

16 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES New Feature: AsyncOS Reversion The 5.5 version of AsyncOS includes the ability to revert the AsyncOS version to a previous qualified build for emergency uses. The earliest AsyncOS version supported for this is AsyncOS 5.5.0; prior versions of AsyncOS are not supported. WARNING: Using the revert command on an IronPort appliance is a very destructive action. This command destroys all configuration logs, databases and disrupts mail handling until reconfigured. Because this command destroys all configuration, it is absolutely required that you have physical local access to the IronPort appliance when you want to issue the revert command. Once the revert action is complete, you must use the console CLI or a network connection to the Management port on the default IP address of to reconfigure the appliance. To run the revert command, complete the following steps: 1. Save the configuration of your appliance (with passwords unmasked) off the IronPort appliance. To do this, you can it to yourself or FTP the file. A simple way to do this is the mailconfig CLI command. 2. If you use the Safelist/Blocklist feature, export the Safelist/Blocklist database to another machine. 3. Wait for the mail queue to empty. 4. Log into the CLI of the appliance you want to revert. When you run the revert command, several warning prompts are issued. Once these warning prompts are accepted, the revert action takes place immediately. 5. From the CLI, Issue the revert command and pay heed to the prompts. Note The reversion process is time-consuming. It may take fifteen to twenty minutes before reversion is complete and console access to the IronPort appliance is available again. The following example shows the revert command: mail.mydomain.com> revert This command will reset the device to a different AsyncOS version. Resetting the device will destroy all configuration, logs, databases, and generally disrupt mail handling until reconfigured. This command will reset the device to a different AsyncOS version. Resetting the device will destroy all configuration, logs, databases, and generally disrupt mail handling until reconfigured. Resetting the device will cause an immediate reboot to take place. The device will then reboot, reinitialize itself, and finally reboot again to the desired version. 14

17 Are you sure you want to continue? yes Are you *really* sure you want to continue? yes Available version Install date ================= ============ Available version Install date Tue Aug 28 11:03:44 PDT Tue Aug 28 13:06:05 PDT Wed Sep 5 11:17:08 PDT 2007 Please select an AsyncOS version: 2 You have selected " ". The system will now reboot to perform the revert operation. 6. Once the machine comes back up, use the serial console to configure an interface with an accessible IP address using the interfaceconfig command. 7. Enable FTP or HTTP on one of the configured interfaces. 8. Either FTP the XML configuration file you created, or paste it into the GUI interface. 9. If you use the Safelist/Blocklist feature, import and restore the Safelist/Blocklist database. 10. Commit your changes. The reverted IronPort appliance should now run using the previous AsyncOS version. New: findevent CLI Command The findevent CLI command simplifies the process of tracking messages within the system using the onbox mail log files. The findevent CLI command allows you to search through the mail logs for a particular message by searching for a message ID or a regular expression match against the subject header, envelope sender or envelope recipient. You can display results for the current log file, all the log files, or display log files by date. When you view log files by date, you can specify a date or a range of dates. After you identify the message you want to view logs for, the findevent command displays the log information for that message ID including splintering information (split log messages, bounces and system generated messages). The following example shows the findevent CLI command tracking the receiving and delivery a message with confidential in the subject header: example.com> findevent Please choose which type of search you want to perform: 1. Search by envelope FROM 2. Search by Message ID 3. Search by Subject IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 15

18 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 4. Search by envelope TO [1]> 3 Enter the regular expression to search for. []> confidential Currently configured logs: 1. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll Enter the number of the log you wish to use for message tracking. []> 1 Please choose which set of logs to search: 1. All available log files 2. Select log files by date list 3. Current log file [3]> 3 The following matching message IDs were found. Please choose one to show additional log information: 1. MID 4 (Tue Jul 31 17:37: ) sales: confidential [1]> 1 Tue Jul 31 17:37: Info: New SMTP ICID 2 interface Data 1 ( ) address reverse dns host unknown verified no Tue Jul 31 17:37: Info: ICID 2 ACCEPT SG None match ALL SBRS None Tue Jul 31 17:37: Info: Start MID 4 ICID 2 Tue Jul 31 17:37: Info: MID 4 ICID 2 From: <user@example.com> Tue Jul 31 17:37: Info: MID 4 ICID 2 RID 0 To: <ljohnson@example02.com> Tue Jul 31 17:37: Info: MID 4 Subject 'sales: confidential' Tue Jul 31 17:37: Info: MID 4 ready 4086 bytes from <user@example.com> Tue Jul 31 17:37: Info: MID 4 matched all recipients for perrecipient policy DEFAULT in the inbound table Tue Jul 31 17:37: Info: ICID 2 close Tue Jul 31 17:37: Info: MID 4 interim verdict using engine: CASE spam negative Tue Jul 31 17:37: Info: MID 4 using engine: CASE spam negative Tue Jul 31 17:37: Info: MID 4 interim AV verdict using Sophos CLEAN Tue Jul 31 17:37: Info: MID 4 antivirus negative Tue Jul 31 17:37: Info: MID 4 queued for delivery Tue Jul 31 17:37: Info: Delivery start DCID 0 MID 4 to RID [0] Tue Jul 31 17:37: Info: Message done DCID 0 MID 4 to RID [0] Tue Jul 31 17:37: Info: MID 4 RID [0] Response '/null' Tue Jul 31 17:37: Info: Message finished MID 4 done Enhanced: Reporting In version 5.5, AsyncOS includes the following enhancements to reporting: 16

19 System Capacity Report. The system capacity report gives the administrator current and historical information about resource usage on the IronPort appliance. The report shows CPU usage broken down by feature or by total CPU usage. The system capacity report can be used to accomplish the following tasks: Determine when an Security Appliance is exceeding recommended capacity and additional boxes or system tuning are needed. Identify historical trends in system behavior which point to upcoming capacity issues. Identify which part of the system is using the most resources to assist with troubleshooting. Outgoing Destinations. The Outgoing Destinations page provides information about the domains your company sends mail to. This report can be useful in completing the following tasks: Determining which domains the IronPort appliance is sending mail to. Determining how much mail is sent to each domain. Determining how much of the sent mail is clean, spam, virus positive, or stopped by a content filter. Determining how many messages are delivered or bounced by the destination server. Outgoing Senders Report. The Outgoing Senders page provides information about the quantity and type of mail being sent from IP addresses and domains in your network. You can view the results by domain or IP address when you view this page. You might want to view the results by domain if you want to see what volume of mail is being sent by each domain; Or, you might want to view the results by IP address if you want see which IP addresses are sending the most virus messages or triggering content filters. This report can be useful for accomplishing the following tasks: Determining which IP addresses send the most virus or spam-positive . Determining which domains send the most mail (for billing or planning purposes). Virus Types Report. This report tracks the viruses caught by the virus scanning engines running on the IronPort appliance. This displays a summary verdict of all scanning engines running on the IronPort appliance (if multiple virus scanning engines run on the machine). In addition, multiple scanning engines may use different nomenclature to describe the same virus. In this case, the same virus may appear in the report using both virus names. Note The Virus Types page may not display the same number of total viruses as the Overview page. This can occur when a message is both spam- and virus-positive. In this case, the spam counting takes precedence over virus counting in our reporting system to prevent double-counting. IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 17

20 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES For more information about new reporting functionality, see Using the Security Monitor in the IronPort AsyncOS User Guide. Enhanced: IronPort Spam Quarantine Alias Consolidation In version 5.5, when the system is configured for LDAP authentication, you can now consolidate the s sent to different aliases. This means that end-users can now receive consolidated spam notifications. This is useful if there are several address aliases configured for a single user. In previous releases, such users received multiple spam notification for each alias address. Note This feature does not apply to listserv entries. For more information about configuring alias consolidation, see Quarantines in the IronPort AsyncOS User Guide. Enhanced: Text Resources In version 5.5, custom notifications have been expanded to include the following new and enhanced notifications: User-defined HTML Encryption Notification. You can create a custom HTML notification to send to users who receive encrypted . User-defined Text Encryption Notification. You can create a custom text notification to send to users who receive encrypted . User-defined Bounce Notification. You can create a custom bounce notification to send to users who receive bounced . User-defined Delay Notification. You can create a custom delay notification to send to users whose delivery is delayed. User-defined Anti-virus Container Notification. You can create a custom anti-virus notification to send to users when the antivirus notification contains the original message as an attachment. User-defined Anti-virus Text Notification. You can create a custom anti-virus notification to send to users when the antivirus notification is sent in place of the original message. This notification is used when it is unsafe or undesirable to send the original message. For more information about creating custom notifications, see Text Resources in the IronPort AsyncOS User Guide. Enhanced: Content Filters The 5.5 version of AsyncOS includes the following enhancements to content filters: Enhanced Rule Builder Interface. The content filters use a new rule builder interface that simplifies and streamlines the creation of content filters. 18

21 Logging and Archiving. You can now log and archive content filter actions. The log action allows you to save a copy of the original message, including all message headers and recipients into an mbox-format file on the appliance. The system creates a log subscription with the specified filename for the action. New alt-src-host Action. The alt-src-host action changes the source host for the message to the source specified. The source host is the IP interface or group of IP interfaces that the messages should be delivered from. Support of Action Variables. The following content filter actions now support action variables: bcc() bcc-scan() notify() notify-copy() For more information about content filters, see Security Manager in the IronPort AsyncOS User Guide. Enhanced: cleansmtp CLI Command Changes to the AsyncOS operating system have resulted in changes to the way SMTP traffic is handled. This change affects the cleansmtp command. You access the cleansmtp command via listenerconfig -> edit -> [listener#] -> setup -> cleansmtp -> 1 The cleansmtp CLI command now has the following options: 1. Clean data 2. Reject unclean data 3. Accept unclean data, but do not clean By default, when you upgrade, the cleansmtp setting is configured to clean data (option 1). To accept unclean data, you can select option 3; however, for best performance, IronPort recommends you select option 1. For more information about configuring listeners, see Customizing Listeners in the IronPort AsyncOS Advanced User Guide. Enhanced: Graphical User Interface In version 5.5, the GUI has been updated to use a drop-down menu rather than a sidebar menu, and the Commit button has been moved to the right-hand side of the screen and has more visible icons. In a previous release, the Support Request and Remote Access pages were located under the System Administration drop-down menu. These page can now be found under the Help menu. Beginning with AsyncOS 5.5, the web-based UI incorporates libraries from the Yahoo! User Interface (YUI) Library, which is a set of utilities and controls, written in JavaScript, for building richly interactive web applications. IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 19

22 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES The YUI library supports the vast majority of browsers that are in general use. The YUI library also has a comprehensive, public approach to browser support and is committed to making sure that components work well in all of what are designated as "A-Grade" browsers. For more information on graded browser support, see: Enhanced: Content Dictionaries Content dictionaries have been enhanced in the following ways: Smart identifiers. You can add smart identifiers to your content dictionaries. When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data. Smart identifiers can detect the following patterns in data: Credit card numbers U.S. Social Security numbers CUSIP (Committee on Uniform Security Identification Procedures) numbers ABA (American Banking Association) routing numbers Weighted dictionary entries. For each term in a content dictionary, you specify a weight, so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it scores the message by multiplying the number of term instances by the weight of term. Two instances of a term with a weight of three would result in a score of six. AsyncOS then compares this score with a threshold value associated with the content or message filter to determine if the message should trigger the filter action. Expanded limits on number of entries. In previous releases, dictionary entries were limited to 1000 entries per dictionary. Now, dictionaries can have up to 5000 entries. [Defect ID: 32748] IronPort recommends that you create separate entries for each dictionary term to improve performance and simplify GUI maintenance of your content dictionaries. If you used groups of regex entries, such as "(word1 word2 word3)", IronPort recommends you break these up into separate entries for better performance. If you do group terms, IronPort recommends you use non-capturing parentheses in the following format: (?:term1 term2 term3). For more information about content dictionaries, see Text Resources in the IronPort AsyncOS User Guide. Enhanced: CLI grep Command The grep CLI command has been enhanced to support a count option. The count option displays the number of lines matching the regular expression in the log file. Use the following syntax: grep -c <regular expression> <log name> 20

23 Enhanced: Bounce Delivery Status Notification By default, messages generated by the system use the Delivery Status Notification (DSN) format for both hard and soft bounces. In previous releases, if the message size was greater than 10k, the delivery status notification included the message headers only. Now, you can configure the size of the message to include in the DSN via the CLI bounceconfig command. This parameter is only configurable in the default bounceconfig profile, and applies to all bounce profiles once it is configured. To configure this value, enter the message size (in bytes) to include in the bounced notification message. If the message exceeds this size, the status notification includes the message headers only. [Defect ID: 399] Enhanced: Logging In previous releases, status information was written to the mail log every minute. Now, the status_log entries are only recorded to the status_logs. [Defect ID: 33107] Modified: LDAP Server Connections In previous releases, if you configured an LDAP Server profile for load balancing, and you configured a maximum number of simultaneous connections for all hosts, the number of connections you configured was load-balanced over all your LDAP servers. For example, if you configured the maximum number of simultaneous connections as 10, AsyncOS would distribute 10 connections over your LDAP servers. Now, the maximum number of simultaneous connections represents the number of simultaneous connections to a single server. So, if you configure the maximum number of simultaneous connections as 10, AsyncOS creates 10 connections to each LDAP server. Modified: SCP Port Configuration In previous releases, the SCP port number for SCP log push was not configurable. Now, you can configure the SCP port. [Defect ID: 32419] Modified: Brazilian Daylight Savings Time Settings In 2007, Brazil Daylight Savings Time will start on Oct 14th and end on Feb 17th AsyncOS has been updated to use these settings. [Defect ID: 37176]. IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 21

24 IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES FIXED ISSUES The following issues have been fixed in the AsyncOS for Security Appliances 5.5 release. Fixed Reporting Issues Fixed: Errors When Running Long Report Queries Fixed an issue in which errors occurred when running long reports. Delayed logouts that occur during report processing now behave the same as other places in the GUI. "Info: Session lookup error due to delayed logout action and the non-existent session is redirected to the login page. [Defect ID: 33199] Fixed: IronPort Security Monitor Underreports Connection Rejections Fixed an issue in which the IronPort Security Monitor underreported connection rejections when multiple connections rejects occur within a single minute for a single IP. [Defect ID: 32182] Fixed: Anti-Virus Messages Not Included in Dropped Message Count Fixed an issue in which the IronPort Security Monitor did not count messages dropped by anti-virus engines in the dropped message totals. This issue has been resolved. [Defect ID: 31989] Fixed: Reports Output in PDF Format Generate an Application Error When generating PDF output for a report, an application error occurred if special characters were included in the text. This issue has been addressed. [Defect ID: 31025] Fixed: C300D/350D Appliance Displays Virus Outbreak Filters Report In a previous release, C300D/350D appliances erroneously displayed a Virus Outbreak Filters report. The IronPort Appliance generated an application error if you attempted to open the report. [Defect ID: 29609] Fixed: Virus Outbreak Reports In a previous release, when you sorted the results of a Virus Outbreak report, the report sorted by string rather than by number, so the sort order appeared erroneous. For example, the report sorted as 100, 1000, 200 instead of 100, 200, [Defect ID: 29452] Fixed: Generating Reports Using Generate Now Fixed an issue in which if you selected Generate Now and the custom date range, the available data field only showed the available data from the login host. [Defect ID: 29329] Fixed: Scheduled Report Messages In a previous release, when the IronPort appliance generated scheduled reports, the report descriptions in the message did not contain detailed information about the reports. Because the messages contained minimal text, they were sometimes interpreted by scanning engines as spam. This issue has been resolved. [Defect ID: 29164] 22

25 Fixed: Queue Space Utilization Underreported In a previous release, the IronPort appliance underreported the space utilized from Monitor > System Status > Gauges. If the message queues filled completely, an application error was generated because the IronPort appliance used the queue space gauge to determine when to start resource conservation. This issue has been resolved. [Defect ID: 28211] Fixed: Scheduled Reports and System Time Changes In a previous release, scheduled reports were not generated when the clock was moved forward in observation of daylight savings changes, and were generated twice when the clock went back to standard time if the report was scheduled to run during the hour that was skipped or added. This issue has been resolved. [Defect ID: 27757] Fixed: Security Monitor Reporting and Outbound Mail Fixed an issue in which Security Monitor did not record outbound threat messages separately. Spam-positive outbound mail was counted as clean, but virus-positive mail was not. [Defect ID: 27447] Fixed Alert Issues Fixed: Frequent SSL Alerts Fixed an issue in which frequent SSL alerts were sent due to a problem handling an sslip.error. AsyncOS sent errors similar to the following: An application fault occurred: ('coroutine/coro_ssl.py _non_blocking_retry 98', 'sslip.error', "( , 'error: :ssl routines:ssl3_read_bytes:tlsv1 alert unknown ca')", '[imh/smtp_server.py main 561] [imh/smtp_server.py cmd_starttls 865] [coroutine/coro_ssl.py ssl_accept 143] [coroutine/coro_ssl.py _non_blocking_retry 98]') MID: 0 [Defect ID: 33779] Fixed: M-Series System Alerts Not Routed as Expected Fixed an issue in which system alert messages were not routed via the IP addresses entered. Instead, the alerts followed DNS or smtproutes. [Defect ID: 32574] Fixed: Erroneous Alerts Sent When Reporting Disabled Fixed an issue in which the AsyncOS appliance sent out the following erroneous alert when reporting was disabled and users attempted to view report pages: Mon Nov 20 13:29: Warning: Report Query Failed query_id: mga_overview_outgoing_message_deliverydata_source: SimpleTotalRDS IRONPORT ASYNCOS FOR SECURITY APPLIANCES RELEASE NOTES 23