cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1847
Views
0
Helpful
15
Replies

AsyncOS 5.5.1-014 for Email is now available

chhaag
Level 1
Level 1

UPDATE: 2008-2-26 5.5.1-014 releases:
This release includes a number of fixes:

* Fixed: Appliances Are Not Generating SNMP Traps
* Fixed: Leftover Files Are Deposited in scanning_temp_files Directory
* Fixed: DNS-Related Memory Issues Delay Acceptance of Incoming Mail


UPDATE: 2007-12-17 5.5.1-011, 5.1.2-011, 4.7.2-005 releases:

This release includes a number of updates and fixes:

* Fixed: 35715,38152,38531,38532 Consolidated LDAP fixes
* Fixed: 38506,38527 Certain malformed messages can severely degrade performance
* Fixed: 38274 IronPort Spam Quarantine alias consolidation issues with Active Directory
* Fixed: 38248 Clustered SafeList/BlockList incorrectly prompts for login

About Earlier Builds of AsyncOS for Email

38527 is also present in earlier builds of AsyncOS for Email. Due to the potential severity of this issue we have also patched the earlier versions listed below, customers who are not ready to upgrade to 5.5.1-011 are encouraged to upgrade to one of these builds:

5.1.2-011
4.7.2-005

UPDATE: 2007-11-28 5.5.1-010 releases:

This Hot Patch release contains the following feature and stability fixes

* New: PCI, HIPAA, GLB and SOX dictionaries preloaded for use in content and message filters
* 37711 Logging into the IronPort Spam Quarantine generates error
* Fixed: 37971 LDAP can slow delivery after log subscription update
* Fixed: 37772 LDAP routing host is ignored when the routing address matches the original address
* Fixed: 36408 application fault in smtpauth


IronPort Systems is pleased to announce the release of AsyncOS 5.5.1-010 for Email for all C-Series and X-Series Email Security Appliances. This release includes all of the powerful new tools for integrated Data Loss Prevention and Encryption released in AsyncOS 5.5.0 as well as critical security patches. IronPort recommends all customers to upgrade to 5.5.1.

* New Feature: IronPort PXE Encryption
* Enhanced: Content Scanning capabilities for Data Loss Prevention
* Enhanced: LDAP Capabilities
* New Feature: DKIM Authentication
* New Feature: End-User Safelists and Blocklists
* Enhanced: Reporting
* Enhanced: Web User Interface
* Updated: Brazilian DST
* Fixed: Double-Byte character rendering in IronPort Spam Quarantine
* Fixed: Performance optimization of disabled content filters
* Fixed: Virtual gateway delivery to host with invalid DNS entry may disrupt mailflow


NOTE: For customers running pre 5.5.0 releases, there is no requirement to upgrade to 5.5.0 first. If 5.5.1 appears as an available upgrade customers are encouraged to upgrade directly to 5.5.1.

Customers running older builds who are not ready to move to 5.5.1, are encouraged to upgrade to our current patched builds:
- 5.1.2-014

These builds provide out latest stability fixes.


Webinar for Selected New 5.5.0 Features

We are pleased to offer a webinar that presents information about Safelist/Blocklists, Smart Identifiers and DKIM. You can download the webinar from the Support Portal:
http://tinyurl.com/2o28uw

Preparing to Upgrade
As a best practice, IronPort recommends preparing for an upgrade by taking the following steps:

1. Save the XML configuration file off of the appliance.
2. Suspend the listeners.
3. Drain the mail queue and the delivery queue.
4. Re-enable the listeners after you upgrade.

15 Replies 15

steven_geerts
Level 1
Level 1

I have an additional reason:

We have planned the upgrade for next week. Our change management procedure forces us to plan (non blocking/high risk) changes with a two week anouncement period.
Since our devices are working fine at the moment we need to respect this timeframe.

Donald Nash
Level 3
Level 3

Yet another reason: I read the vulnerability description and decided that we don't meet the conditions required for the vulnerability to be exploited. We don't have any message or content filters which use BCC().

In actuality, I upgraded almost immediately because I had the time to do so and we had gotten a few revs behind anyway. But had I been pinched for time, then I would not have hesitated to skip this update entirely because we weren't vulnerable.

meyd45_ironport
Level 1
Level 1

Chris,
What are the bugs fixed between the 5.1.2-005 and 008 builds?

James

chhaag
Level 1
Level 1

008 was a maintenance release, targeted to our Brazilian customers.

5.1.2-008 contains the updated Brazil Daylight Savings Time schedule, as well as several bugs fixes, the biggest of which are:
1) 36666 Cluster Commits can disrupt ethernet connectivity. This is a rarely seen issue affecting customers running the C350/C650/X1050 platform (Dell 2950) in clusters of 6+ boxes under very high message volume.
2) 36518 Handle new Sophos error code. The latest Sophos engine introduced a new error code '0x80040237', meaning "The scan has been terminated due to the Virus Engine reaching its storage recursion limit (e.g. files nested
inside other files)." With this fix we properly set this to INFO level (like all the other unscannable alerts).

As always, the complete list of fixes can be found in the release notes.

regards.

Michael Coxe
Cisco Employee
Cisco Employee

> As always, the complete list of fixes can be found in the release notes.

Which begs the question: how does one view the changes build-to-build from the Release Notes? The Release Notes for 5.1.2 are cumlative; I don't see any breakout per build. Or is there another document available to see these changes (ala version history)?

- Michael

BrianS_ironport
Level 1
Level 1

I haven't upgraded to 5.5.0 yet, but I was very excited to learn about end-user whitelists and blacklists, which is something we'd been pushing for since we bought our Ironports. Unfortunately, it looks like it's being implemented in a way that makes it impossible for me to deploy at this time.

We have two C350s, and would need the whitelists and blacklists to appear on each box. It appears that I could do this by exporting the database from one machine, transferring it to the other, and then importing it. However, this appears to ONLY be able to be done via the GUI.

This is a showstopper for me, because I do not want to have to log into the Ironport every day to import and export the databases - I would want to automate it. I talked to technical support, and it appears that there is no way to do this via the CLI.

My feature request is this: please consider adding a command that would allow me to remotely force the database to be dumped, and another command to import the database.

Ideally, it would be something like:

safelistconfig dump
safelistconfig import

If that was available, I would make my users a lot happier with this feature.

chhaag
Level 1
Level 1

Brian,

There is a way to have a centralized SL/BL. IronPort has an M-Series Security Management Appliance (SMA) that allows customers to do both Centralized SL/BL and centralized IronPort Spam Quarantine (ISQ). Coming towards the end of this year, the M-Series will also offer centralized reporting and centralized message tracking (AsyncOS for email 6.0).

You might want to ping your sales contact to see if an M-Series would be a good fit.

cheers.

Donald Nash
Level 3
Level 3

BrianS: Centralized Management should get you what you need.

Oops, strike that. Too bad BBCode doesn't have a strikethrough tag.

Chaag is right, you can only sync the SL/BL via an M-Series unit.

So what's with the huge delay (up to two hours!) synchronizing the SL/BL between units? Given that the delay is known precisely enough that you've actually got a table documenting it for each model of appliance, it must be something that was done deliberately. I'm curious to know why.

Thanks,

IIAGDTRnSC
Level 1
Level 1

IronPort Systems is pleased to announce the release of AsyncOS 5.5.0-430 for Email for all C-Series and X-Series Email Security Appliances.  This major release provides IronPort customers with powerful new tools for integrated Data Loss Prevention and Encryption.


I upgraded over the weekend and really like how things are highlighted in the quarantine that caused a policy to be invoked. I.e. I have "Incredimail" set as a keyword and it lights up when it is included in the body of an email now.

This also very helpful in seeing if words trigger a profanity dictionary hit because the word is randomly formed in the body of a file.

Good stuff.

chhaag
Level 1
Level 1

BrianS: Centralized Management should get you what you need.
So what's with the huge delay (up to two hours!) synchronizing the SL/BL between units? Given that the delay is known precisely enough that you've actually got a table documenting it for each model of appliance, it must be something that was done deliberately. I'm curious to know why.

Thanks,


Those times are essentially "worse case scenarios" assuming the SL/BL is at it's max allowed size (which differs by model) and the ESAs are in different locations. So we are estimating sync time for transfer and import time -- it is probably going to be important to set end-user expectations conservatively so they don't call up their mail admins 5 minutes after blocking a sender because they are still getting emails from that sender. However, some customers may see sync times better than what we post.


My feature request is this: please consider adding a command that would allow me to remotely force the database to be dumped, and another command to import the database.

Ideally, it would be something like:

safelistconfig dump
safelistconfig import


Is there any way to dump the SLBL via the CLI? I currently have a script to saveconfig and then retrieve the xml file as often as I see fit, but without a CLI command for dumping the SLBL I simply can't turn it on.

If this doesn't currently exist, I'd like to see a command that returns the filename ala saveconfig so that retrieval can be automated, eg:

The file slbl-20071105T160901.csv has been saved in the configuration directory on machine "c350".

Is there any way to dump the SLBL via the CLI?


The answer from IronPort support is that it cannot currently be done. There is a Feature Enhancement request #1391 for adding this functionality. If anybody else needs a way to dump and restore the safelist and blocklist via CLI please let IronPort know.

bender_ironport
Level 1
Level 1

Hi,

in the Update Doc for a Cluster its necessary to disconnect the machines from it (cuz different versions wont work in a Cluster), Is there a way to avoid this, so the Emailservices are aviable during the update process?
How is your way to update all machines in a Cluster or whats the usual way to do this?


I have two c100 in a Cluster with AsyncOS v5.1.1-003

thx and bye

Donald Nash
Level 3
Level 3

Bender,

Disconnecting the cluster does not shut down the individual members. They continue to operate. The only thing you can't do is make configuration changes and expect them to take effect everywhere. But that's easy to avoid by simply not making any configuration changes during the upgrade process. So what you do is disconnect the cluster, upgrade each member individually (which involves a mandatory reboot), and then reconnect the cluster. You never have an outage so long as your cluster is sufficiently well provisioned to handle your mail load during the few minutes when each node reboots.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: