Release notes

Information Foundation 2007
Symantec Mail Security Appliance 7.5

Copyright 1999-2007 Symantec Corporation. All rights reserved.

Before installing or upgrading

If you are a new Symantec Mail Security Appliance customer, refer to the Symantec Mail Security Installation Guide for detailed installation instructions before proceeding.

If you are upgrading from a previous release of the Symantec Mail Security Appliance software, refer to the Software Update Note for this version for pre-migration information and recommendations before proceeding.

The following sections describe known issues in Symantec Mail Security Appliance version 7.5.

Migration issues

This section contains issues that are related to migration/upgrade from previous versions. For detailed pre-migration recommendations, refer to the Software Update Note for this version.

Errors in BrightmailLog.log when upgrading

You may notice errors similar to invalid column site.ima_config in field type when upgrading from a previous version of the Symantec Mail Security Appliance software. These errors can be safely ignored.

Must clear configuration of Scanner before adding it to new Control Center

If you have a Scanner associated with a Control Center and wish to associate it with a different Control Center, you must first log into the Scanner and use the command line clear scannerdata command before you add the Scanner to the new Control Center.

Encoding and localization issues

This section contains issues related to encoding and localization.

Japanese documentation and Help displayed in English until Japanese version is released

At the time of this release, documentation and Help are English-only. The Japanese documentation and Help will be available by software update shortly after the shipping version is released.

Incorrect display of some doublebyte characters in notifications and annotations

In certain cases, a small number of doublebyte characters may not display correctly in notification and annotation text.

General and Control Center issues

This section contains general issues and issues related to the Control Center.

Previously deleted content compliance policies returned as untested dispositions reported as generic violations in Message Audit Log

If you delete a defined content compliance policy and subsequently query the Message Audit Log (MAL) for untested dispositions, the query is made to the MAL using a policy ID number, and the actual name of the deleted policy is not available. If a deleted content compliance policy is returned as a potential untested disposition, the generic term Content Compliance Violation result will be displayed in the MAL anywhere that the policy name was listed previously. This will remain the case until the MAL is purged.

Delete action for blocked domain takes precedence over allow action

In previous versions of Symantec Mail Security, end users could receive email from an email address at a blocked domain by adding that email address to their allowed senders list. New support for multiple verdict and action combinations in this version means that the action used when a domain is in the blocked senders list (delete) takes precedence over the action used when an address is in the allowed senders list (which is to deliver the message). As a result, users can no longer circumvent the blocked list by adding individual email addresses from a blocked domain to their allowed senders lists.

Addition of wildcard email addresses to groups not supported

When adding email addresses to a group, addresses of the form fflanda@*.* are not supported.

Password-protected zipped attachments not stripped

A password-protected zip file will trigger a Content Compliance policy if that policy contains a Password protected files attachment list condition. However, if the policy specifies that all attachments within the Password protected files attachment list be stripped, the zip file is not stripped.

Allowed list trumps Open Proxy Senders list even if disabled

If you disable the Allowed Senders list, entries in that list that are also on the Open Proxy Senders list are not blocked. If an IP address is on the Allowed Senders list and also on the Open Proxy Senders list, you must remove the entry from the Allowed Senders list if you want messages from that IP to be blocked by the Open Proxy Senders list.

HTTP authentication not supported for download of antivirus definitions from local host using Java Live Update

Designating a local (LAN) HTTP host that requires authentication as the source of antivirus definition updates is not supported. To designate a host that uses authentication, use FTP with authentication instead.

Software acceleration not recommended for Symantec Mail Security 8220, 8240, and 8320 hardware models

Use of the Software Acceleration feature is not recommended for the Symantec Mail Security 8220, 8240, and 8320 hardware models due to memory requirements. Enabling or disabling this feature does not impact the effectiveness of the appliance.

Instant Messenger Issues

This section contains issues or notes regarding Instant Messenger filtering functionality.

On AIM, newlines from notification messages are being stripped

When a notification message is sent to an AIM user, newlines are stripped from the notification message. If you anticipate sending notifications to AIM users, you may wish to craft these notification messages so that newlines are not needed for clarity.

File transfers on AOL and Yahoo using Trillian, Google Talk, or Yahoo Linux are not supported

Symantec Mail Security IM filtering features require that your enterprise's IM traffic be routed through the Symantec Mail Security Appliance's IM relay. AOL and Yahoo using Trillian, Google Talk, and Yahoo Linux do not support file transfers for IM traffic routed over a relay.

LDAP issues

This section contains issues or notes regarding use of LDAP routing and LDAP synchronization.

User email addresses with trailing spaces in LDAP data do not match in policies

If you have primary user email addresses in your LDAP source that include trailing spaces, Symantec Mail Security will accept messages for aliases of these addresses, but policies created using the primary email addresses will not fire.

Distribution list data containing cyclic relationships may not be retrieved when synchronizing from multiple LDAP sources

If your LDAP source data contains distribution lists with cyclical relationships (where two or more distribution lists include each other as members), LDAP synchronization may intermittently not retrieve one or more of the cyclically related distribution lists, meaning that the data is not replicated to Scanners. To work around this, you can either remove cyclic relationships in your distribution lists data (recommended), or disable Address Violation Handling and review your settings for Directory Harvest Attacks from within the Control Center.

To disable Address violation handling

1 From the Control Center, click Protocols > Invalid Recipients.
2 Uncheck Drop messages for invalid recipients.

To review Directory Harvest Attacks settings

1 From the Control Center, click Spam > Directory Harvest Attacks.
2 Review your configuration for Directory Harvest Attacks.

Active Directory sources with more than 100K records not supported

The addition of Active Directory datasets containing more than 100K records is not supported.

LDAP Synchronization from Domino LDAP sources may create undeliverable aliases

If you are using a Domino LDAP source, LDAP Synchronization to the Control Center may generate some superfluous email aliases. If the Drop Invalid Recipients feature is enabled, such aliases would be considered valid, but would be rejected by the Domino server as undeliverable.

Must complete LDAP synchronization fully before disabling LDAP source and replicating to Scanners

If you run an LDAP synchronization and cancel it, then subsequently wish to disable the LDAP source in the Control Center, you must re-run the LDAP synchronization fully before disabling the LDAP source. This is to prevent replication of incomplete data to Scanners.
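
For the recommended workaround to the cyclic distribution list issue above, the lists that include each other first have to be found. The following is an added example, not part of the Symantec release notes or product: it runs Tarjan's strongly connected components algorithm over a constructed membership export (all addresses are made up) and also reports a list that contains itself, which goes slightly beyond the two-or-more-lists case the note describes.

```python
# Constructed sample: distribution list -> members (users and nested lists),
# as might be exported from an LDAP source. All addresses are made up.
SAMPLE_LISTS = {
    "eng@example.com": ["alice@example.com", "platform@example.com"],
    "platform@example.com": ["bob@example.com", "sre@example.com"],
    "sre@example.com": ["carol@example.com", "eng@example.com"],
    "sales@example.com": ["dave@example.com", "emea@example.com"],
    "emea@example.com": ["erin@example.com"],
    "all@example.com": ["all@example.com", "eng@example.com"],
}


def find_cyclic_lists(lists):
    """Return sorted groups of distribution lists that include each other."""
    index, low, on_stack, stack, groups = {}, {}, set(), [], []

    def visit(node):
        index[node] = low[node] = len(index)
        stack.append(node)
        on_stack.add(node)
        for member in lists[node]:
            if member not in lists:        # plain user address, not a list
                continue
            if member not in index:
                visit(member)
                low[node] = min(low[node], low[member])
            elif member in on_stack:       # edge back into the current path
                low[node] = min(low[node], index[member])
        if low[node] == index[node]:       # node is the root of a component
            group = []
            while True:
                top = stack.pop()
                on_stack.discard(top)
                group.append(top)
                if top == node:
                    break
            # Report only real cycles: several lists, or a list in itself.
            if len(group) > 1 or node in lists[node]:
                groups.append(sorted(group))

    for name in lists:
        if name not in index:
            visit(name)
    return sorted(groups)


if __name__ == "__main__":
    for group in find_cyclic_lists(SAMPLE_LISTS):
        print("cyclic:", " <-> ".join(group))
```

Each reported group is one set of lists to untangle; lists that merely nest (sales and emea in the sample) are not reported.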

Modifications required to use Active Directory for LDAP Routing

To use the LDAP Routing feature, you must map the Transport attribute to an LDAP user attribute containing the TCP/IP address or fully qualified domain name (FQDN) of the server to which the user's mail is to be routed. The Exchange schema extensions to Active Directory include user attributes identifying the account's home server, including ms-exch-home-server-name, ms-exch-home-mdb, and ms-exch-home-mta, but each of these attributes refers to the server as an object in Active Directory, such as

/o=first Organization/ou=first Administrative Group/cn=Configuration/cn=Servers/cn=EXCH-SERVER-NAME

Additionally, there is no mechanism in Microsoft Exchange (5.5, 2000, or 2003) to automatically populate the TCP/IP address or FQDN of the home server to a user object's list of attributes. This requires the identification, or creation, of a schema attribute in Active Directory to use as the Transport Attribute. You must create a process (such as a cron-driven perl script) external to both the Symantec Mail Security Appliance and Microsoft Exchange to set, and keep synchronized, the address or FQDN of the SMTP server to which the Symantec Mail Security Appliance should deliver the account's mail.

Large sites should configure access to a Global Catalog Server

If you intend to use your Microsoft Active Directory deployment as an LDAP Synchronization or Authentication source, and your site has more than 1000 users total, or domain controllers that are geographically separated, you should use a Global Catalog server (port 3268 instead of port 389). To configure access to an Active Directory Global Catalog, specify the port for the Global Catalog (usually 3268) in your LDAP server settings page in the Control Center. In addition, on the Active Directory server, verify that the ncname attribute is replicated to the Global Catalog.
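
The external synchronization process that the LDAP Routing note above calls for could work as follows. This is an added example, not Symantec's or Microsoft's code: it derives each user's SMTP host from the Exchange home-server path and emits LDIF modify records only where the transport attribute is missing or stale. The attribute name mailTransportHost, the server-to-FQDN table and the user entries are all assumptions constructed for illustration; msExchHomeServerName is the LDAP display name of ms-exch-home-server-name.

```python
TRANSPORT_ATTR = "mailTransportHost"  # hypothetical attribute chosen as Transport attribute
SERVERS = "/o=first Organization/ou=first Administrative Group/cn=Configuration/cn=Servers/cn="

# Constructed table: Exchange server object name -> FQDN of its SMTP service.
SERVER_FQDN = {"EXCH01": "exch01.corp.example.com",
               "EXCH02": "exch02.corp.example.com"}

# Constructed user entries, as read from a directory export (ASCII DNs only).
BASE = "OU=Staff,DC=corp,DC=example,DC=com"
SAMPLE_USERS = [
    {"dn": f"CN=Alice,{BASE}", "msExchHomeServerName": SERVERS + "EXCH01",
     TRANSPORT_ATTR: "exch01.corp.example.com"},           # already in sync
    {"dn": f"CN=Bob,{BASE}", "msExchHomeServerName": SERVERS + "EXCH02",
     TRANSPORT_ATTR: "exch01.corp.example.com"},           # moved mailbox, stale
    {"dn": f"CN=Carol,{BASE}", "msExchHomeServerName": SERVERS + "exch01"},  # never set
    {"dn": f"CN=Dan,{BASE}", "msExchHomeServerName": SERVERS + "EXCH09"},    # unknown server
]


def home_server_cn(path):
    """Return the final cn= component of an Exchange home-server path."""
    key, _, value = path.rstrip("/").rsplit("/", 1)[-1].partition("=")
    if key.strip().lower() != "cn" or not value.strip():
        raise ValueError(f"not a server path: {path!r}")
    return value.strip().upper()


def transport_updates(users, server_fqdn):
    """Return (ldif_text, unresolved_dns) for users needing a new value."""
    records, unresolved = [], []
    for user in users:
        try:
            fqdn = server_fqdn[home_server_cn(user.get("msExchHomeServerName", ""))]
        except (KeyError, ValueError):
            unresolved.append(user["dn"])   # report; never guess a route
            continue
        if user.get(TRANSPORT_ATTR, "").lower() == fqdn:
            continue                        # already synchronized
        records.append(f"dn: {user['dn']}\nchangetype: modify\n"
                       f"replace: {TRANSPORT_ATTR}\n{TRANSPORT_ATTR}: {fqdn}\n-\n")
    return "\n".join(records), unresolved


if __name__ == "__main__":
    ldif, unresolved = transport_updates(SAMPLE_USERS, SERVER_FQDN)
    print(ldif)
    print("# unresolved:", unresolved)
```

Users whose home server cannot be resolved are returned separately rather than written, so a missing table entry surfaces for review instead of leaving a wrong delivery host in the directory.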