Symantec has become aware of an issue that can cause a failure in the database migration step that occurs after performing a software update from version 8.0.3 to 9.0. This issue only occurs on systems where customers have either deleted or renamed one or more of the following default attachment lists: "Archive Files", "Document Files", "Executable Files", "Image Files", "Multimedia Files", "True Type Executable Files".
How to determine if this issue affects your site:
- Log in to the Brightmail Control Center.
- Navigate to the Attachment Lists page (Compliance -> Attachment lists).
- Validate that each of the attachment lists, listed above, appears on the page, exactly as displayed in this document (without quotes, but capitalization and spelling MUST match). If all of the listed attachment lists appear, then you are not affected by this issue and you may proceed with other update tasks.
- If any of the above listed items does NOT appear, you MUST perform the following steps for EACH of the missing lists prior to beginning the software update process:
  - Navigate to the Attachment Lists page (Compliance -> Attachment lists).
  - Select the "Add" button.
  - Enter the name of the missing list in the "Attachment list name:" box.
  - Add an attachment type to the list (you may use anything, this step is only being performed to allow you to save the list).
  - Select "Add" to add the selected type to the list.
  - Select "Save".
  - Validate that the attachment list you just re-created now appears on the Attachment List page with the correct capitalization, spelling and spacing.

  Assume that you have examined the list of attachment lists on your system and you notice that the entries for "Archive Files" and "Multimedia Files" are missing. You must perform the above steps twice: once to create a list named "Archive Files" and a second time to create a list named "Multimedia Files". Again, please note that capitalization and spacing are significant in this context!
- Once you have validated that all of the required attachment lists have been re-created, you may safely continue with other update tasks.
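
The name check from the steps above, as an added example (not Symantec's code): it compares names copied by hand from the Attachment Lists page against the six required names, case- and space-sensitively, and flags variants that differ only in capitalization or spacing. The function names and the sample input are constructed for illustration.

```python
# Added example: pre-update check of the default attachment list names.
# Input is a list of names copied by hand from Compliance -> Attachment lists
# (assumption: the article describes no export or API for that page).

REQUIRED_LISTS = (
    "Archive Files",
    "Document Files",
    "Executable Files",
    "Image Files",
    "Multimedia Files",
    "True Type Executable Files",
)


def _fold(name):
    """Collapse case and whitespace; used only to spot near misses."""
    return " ".join(name.split()).casefold()


def check_attachment_lists(present_names):
    """Map each required name to (status, near_misses).

    status is "ok" for an exact, case- and space-sensitive match,
    "mismatch" when only a differently capitalised or spaced variant
    exists, and "missing" when nothing resembling the name is present.
    """
    present = list(present_names)
    report = {}
    for required in REQUIRED_LISTS:
        if required in present:
            report[required] = ("ok", [])
            continue
        near = [n for n in present if _fold(n) == _fold(required)]
        report[required] = ("mismatch" if near else "missing", near)
    return report


def lists_to_recreate(present_names):
    """Required names that have no exact match and must be re-created."""
    report = check_attachment_lists(present_names)
    return [name for name in REQUIRED_LISTS if report[name][0] != "ok"]


if __name__ == "__main__":
    # Constructed sample: one list renamed in lower case, one deleted.
    sample = ["archive files", "Document Files", "Executable Files",
              "Image Files", "True Type Executable Files", "Custom HR Types"]
    for name, (status, near) in check_attachment_lists(sample).items():
        print(f"{status:<9}{name}  {near or ''}")
    print("Re-create before updating:", lists_to_recreate(sample))
```
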
For some installations, you may need to add access to LDAP ports for Symantec Brightmail Gateway 9.0. The Control Center and Scanners using any LDAP features must be able to communicate with the LDAP servers. LDAP features include authentication, routing, recipient validation, and address resolution (previously known as synchronization). Your Control Center and Scanners may already meet this requirement. This access change is a new requirement if your environment matches the following criteria:
- You have a distributed deployment with at least one separate Scanner AND
- The deployment uses one or more LDAP sources with the Synchronization usage enabled

If your environment matches these criteria, use the ldapsearch command to check connectivity on each host before you update to version 9.0. For information about how to use ldapsearch, go to the following URL on the Internet: http://www.symantec.com/docs/TECH95775
- The new directory data service caches the query results to reduce the load that is placed on the directory servers and to improve Scanner performance. The cache builds over time. After you update to version 9.0 there may be an initial slow down of mail throughput under heavy load. The slow down can occur in the first few minutes as the cache builds.
- The LDAP query filter formats in Symantec Brightmail Gateway 9.0 have been standardized to use the %s, %u, and %d tokens. These tokens were previously used only for the recipient validation and routing query filters. If authentication, synchronization, or both are enabled in 8.0.3, the query filters are modified to use the standard tokens after you update to version 9.0. If you modified any of the query filters, confirm the functionality of the authentication and address resolution functions in 9.0. Use the new Test Query option in the Control Center.
- In Symantec Brightmail Gateway 8.0.3 and earlier releases, only LDAP groups were displayed in the Administration > Users > Groups page. In Symantec Brightmail Gateway 9.0, both LDAP groups and distribution lists are displayed for a newly added LDAP source. You can view both groups and distribution lists after you update your deployment. Click Administration > Settings > Directory Integration and then click Restore Defaults on the address resolution group query. Alternatively, click Customize Query to remove the part of the group query filter excluding distribution lists.
- The LDAP "recipient validation" function is now used to check incoming messages for both Reject invalid recipients and Drop invalid recipients. If you have an 8.0.3 deployment using LDAP synchronization with Protocols > SMTP > Invalid Recipients set to Drop invalid recipients, the LDAP source is migrated to a source with both "recipient validation" and "address resolution" functions enabled after you update to Symantec Brightmail Gateway 9.0. Additionally, if you have any enabled "recipient validation" sources in your 8.0.3 deployment, they are used for Drop invalid recipients upon update to 9.0.
- In version 9.0, any recipient address that includes a domain alias is considered valid if the following conditions are true:
  - You have one or more domains configured as an alias in Protocols > SMTP > Aliases
  - You have Protocols > SMTP > Invalid Recipients set to either Drop or Reject

  If both of the conditions are true, no call is made to the LDAP server to determine whether the recipient is valid or not.
- After you update a Control Center to version 9.0, the Control Center displays twice the number of content incidents than you previously had configured. To facilitate the new incident expunger, Symantec Brightmail Gateway 9.0 requires Informational Incidents and Quarantine Incidents (hold for review) to be stored in separate folders. Folders containing mixed incidents are separated in the migration process. After migration, new incident folders are created for the quarantine incidents. All policies are migrated to save quarantine incidents to the new folders. You do not have to adjust your policy configuration after migration.
- In Symantec Brightmail Gateway 9.0 the content folders can contain either informational incidents or quarantine incidents but not both. As a result, new behavior has been introduced. If a message violates multiple Content Quarantine policies then an incident is created for the higher precedence policy in the designated folder. Subsequent Content Quarantine violations are recorded as informational incidents in the default information incidents folder.
- Previous versions of Brightmail Gateway used the LDAP synchronization schedule time to replicate user preferences to the Scanners. In Symantec Brightmail Gateway 9.0, LDAP synchronization has been deprecated and user preferences replication happens on the default schedule of once per day at midnight. You can change the schedule or replicate user preferences manually on the Administration > Settings > Control Center page.
- End user preferences are no longer in effect after you update to version 9.0 if all of the following conditions occur:
  - You have a distributed deployment
  - End user preferences are enabled
  - You update the Scanners before you update the Control Center

  To reenable end user preferences, update the Control Center and ensure that user preferences are replicated.
- User preferences are not replicated to remote Scanners during the migration process. To ensure user preferences are applied, you must replicate them manually after you update the Control Center and all Scanners. Otherwise user preferences are replicated at the default time of midnight.
- The user preference replication alert is enabled by default after you update to version 9.0. Symantec Brightmail Gateway sends an alert to administrators configured to receive alerts when user preferences replication finds an error. You can disable this alert on the Administration > Settings > Alerts page.
Table 1-1 Symantec Brightmail Gateway Migration Guidance
|Best practice: Perform a backup||Symantec recommends that you take a full system backup before you run the software update.|
|Important: Do not reboot||The software update process may take several hours to complete. If you reboot before the process is complete, data corruption is likely. If data corruption occurs, the appliance must be reinstalled with a factory image.|
|Important: Reduce Spam Quarantine size||Previous versions used a database for Spam Quarantine messages. In Symantec Brightmail Gateway 9.0, Spam Quarantine messages are stored in the file system to make the message store more robust and scalable. Migration of Spam Quarantine messages to the file system can take a significant amount of time depending on the number of messages to be migrated. Migration can take several hours if your Spam Quarantine contains a large number of messages. To minimize the migration time, reduce the number of messages in Spam Quarantine before you update the Control Center to version 9.0. Use the Spam Quarantine Expunger to reduce the number of Spam Quarantine messages.|
|Important: Reduce content incident folder size||Changes have been made in how content incidents are stored in Symantec Brightmail Gateway 9.0. As a result, migrating content incidents can take a significant amount of time. In particular, the amount of time can be large if your Control Center has a large number of incidents in the folders. To minimize update time, delete unnecessary incidents before you update the Control Center to version 9.0.|
|Best practice: Delete log messages||If your site policies let you, delete all Scanner and LDAP log messages.|
|Best practice: Stop mail flow to Scanners and flush queues before updating||To reduce Scanner update time and complexity you should stop mail flow to Scanners and reduce the size of all queues. To halt incoming messages, click Administration > Hosts > Configuration, click a Scanner, click Do not accept incoming messages, and click Save. To check the queues, click Status > SMTP > Message Queues. Flush the messages that are left in the queues.|
|Best practice: Stop mail flow to shared Control Center/Scanner systems if using content incidents||Stop mail flow to all-in-one Control Center and Scanner systems before you update. The new incidents that are created on a combined Control Center and Scanner during the migration process are stored in the default incident folder. This behavior is limited to only the new incidents that are created during the Control Center migration. All previously created incidents are migrated to the correct folders. After you update to version 9.0, new incidents are sent to the correct folder.|
|Best practice: Update Scanners first||Each appliance must be updated individually. As a best practice, Symantec recommends that you update all Scanners before updating the Control Center. You do not have to update all of your Scanners at the same time. You can update some Scanners to version 9.0 and leave some with the older version. That way some Scanners continue to protect your site while you update others. However, if the Control Center and Scanner versions are different, the Control Center cannot make configuration changes to the Scanner.|
|Best practice: Perform software update at off-peak hours||When you update the Control Center, the Control Center appliance is offline and unusable. Scanners cannot deliver messages to quarantine on the Control Center during the software update, so messages build up in a queue. Running software update on a Control Center appliance can take quite some time. Plan to update the Control Center appliance during off-peak hours. When you migrate a Scanner, it goes offline. Scanner resources are unavailable during the migration process. Software update of a Scanner takes less time than the software update of the Control Center.|
|Staggered update notifications||The Symantec Brightmail Gateway Control Center displays (and can deliver) update notifications to customers when new software is available for download. Starting as a new feature with Symantec Brightmail Gateway 9.0, Symantec has a rolling notification process. Customers are incrementally notified of a new update over several weeks between the software release date and the general availability (GA) date. If you learn of a new software update but have not received a notification, you can check for an update before receiving an update notification. In the Control Center, click Administration > Hosts > Version > Updates > Check for Updates. If an update is available, you can download and install the update. Not receiving a notification right away is not a problem, and there is no need to contact Technical Support.|
|Directory integration considerations||
|Domino-specific directory integration considerations||If you are using one or more Domino LDAP Sync sources with one or more "Alias domain" values, add those values as Symantec Brightmail Gateway domain aliases before you update to version 9.0. Once you have updated, you can optionally modify the resulting data directory service recipient validation and address resolution query filters to include (mail=%u@<domain>
|New content folders are created||
|User Preferences Considerations||
|Change in crash alert mail from||In previous releases, crash alert notifications were sent from process-cleanup@<appliance hostname>
|URI reporting disabled after update||This release can detect and record Uniform Resource Identifiers (URI) that occur in email messages to improve URI-based filters. Symantec Brightmail Gateway sends Symantec Security Response every URI in the messages that Symantec Brightmail Gateway scans for spam (inbound and outbound scanning). Symantec uses this information to develop new URI-based filters. You receive these updated filters through the Conduit. This feature is disabled by default. After you finish migration, enable URI reporting.|