=========================================================================
Symantec Messaging Gateway (formerly Symantec Brightmail Gateway) version 9.5.4
Software Update Notes
=========================================================================
May, 2012

Before you install this software update, copy and paste the URL below into a Web browser to check for late-breaking issues:

http://www.symantec.com/docs/TECH185792

SPECIAL INSTRUCTIONS AND CAUTIONS
================================================

Unsupported platforms
----------------------------------------------
8220, 8240, 8260, and 8320 purchased on or before May 2008 (based on the Optiplex GX745 platform) hardware platforms are unsupported.

For more information about supported hardware versions, on the Internet, go to the following URL:

http://www.symantec.com/docs/TECH186269

To determine what hardware version you have, at the command line type the following:

  show -i

Special update instructions for 9.5.0-19 users
----------------------------------------------
Symantec strongly recommends that you upgrade your Control Center before you upgrade your Scanners. If you do not upgrade the Control Center first, you must use the command line interface to upgrade remote Scanners.

Please thoroughly review the following sections:
================================================
--What's New
--Translated software update notes
--Documentation
--Update considerations
--Running software update
--Known Issues
--Note regarding IM filtering and access control features of Symantec Messaging Gateway
--End User License Agreement (EULA)

What's new
==========
This release addresses changes in supported hardware versions and resolves known issues.

Translated software update notes
================================
These software update notes have been translated into the following languages:

--Simplified Chinese
--Traditional Chinese
--Japanese
--Korean

To access the translated software update notes, copy and paste the URL below into a Web browser:

Chinese (Simplified)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_CN

Chinese (Traditional)
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=zh_TW

Japanese
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ja_JP

Korean
http://www.symantec.com/business/support/index?page=landing&key=53991&locale=ko_KR

Documentation
=============
To access product documentation online, copy and paste the URL below into a Web browser:

http://www.symantec.com/business/support/index?page=landing&key=53991

Update considerations
=====================
--Please read the Symantec Messaging Gateway 9.5.4 release notes for a complete list of update considerations.
--For customers who update from version 8.0.3 using LDAP directories, there may be a new communications requirement for LDAP connectivity from Scanners. Please read the release notes for details.
--Symantec Messaging Gateway 9.5 introduced a restructuring of the data storage for content incidents and Spam Quarantine. If you update to 9.5.4 from 8.0.3, systems storing large amounts of data with these features will see increased update time for the Control Center. Delete as many content filtering incidents and quarantined spam messages as possible before you run the update.
--Back up your existing data before you run the software update. The software update process may take several hours to complete.
--Do not reboot while software update is in process. If you reboot before the process is complete, data corruption is likely. If data corruption occurs the appliance must be re-installed with a factory image.

Important information for installing on VMware
----------------------------------------------
Symantec Messaging Gateway 9.5.4 offers two methods for installing on supported VMware platforms. You can load the ISO file into a preconfigured virtual machine or you can load the OVF which includes the virtual machine configuration.

Please note the following:

--The ISO file can be used on VMware ESX or ESXi 3.5 - 4.1 or vSphere 4.1/4.0.
--The OVF can be used for VMware ESX or ESXi 3.5 - 4.1 or for vSphere 4.1/4.0.

Refer to Symantec Messaging Gateway 9.5 Installation Guide for instructions.

If you use the BusLogic controller when you upgrade to 9.5.4 with VMware ESX or VMware ESXi 4.1/4.0/3.5, you must change the SCSI Controller Type in your virtual machine settings before the upgrade as follows:

--When you upgrade through VMware ESX 3.5, you must switch the SCSI Controller Type in your virtual machine settings to "LSI controller".
--When you upgrade through VMware ESX 4.1/4.0, you must switch the SCSI Controller Type in your virtual machine settings to "LSI SAS".

For more information, on the Internet, go to the following URL:

http://www.symantec.com/docs/TECh168754

Supported previous versions
----------------------------------------------
You can only update version 8.0.3 or later to version 9.5.4. Systems that run versions prior to 8.0.3 must be updated to 8.0.3, including all Scanners and the Control Center, before proceeding to the version 9.5.4 update.

Software update planning
----------------------------------------------
--Ensure that you are running on a supported hardware platform.
--There is not an option to update a Control Center and multiple Scanners simultaneously. Each appliance must be updated individually.
--It is crucial that the update window in which you update your Scanners to 9.5.4 is as short as practicable.
This is critical because if the Control Center and Scanner versions differ, the Control Center is unable to make configuration changes to the Scanner. Configurations in which the Control Center and Scanners run different versions for an extended period are unsupported.

Running software update
=======================
Before running the software update from 8.0.3, ensure that your appliance is not performing tasks that, if disrupted, could cause problems after updating.

--Check for a running LDAP synchronization cycle.
--Check for a running Scanner replication cycle.
--Minimize the number of messages in any of the queues by setting the Scanner to reject incoming messages and then wait for the queues to drain completely.

To prepare for the software update, follow the steps below. The Control Center locations presented below are for version 8.0.3 and may differ for other versions.

1 To check for a running LDAP synchronization cycle or Scanner replication cycle, go to Status - System - LDAP Synchronization.
2 To halt incoming messages, go to Administration - Hosts - Configuration/Edit, click "Do not accept incoming messages", and click Save.
3 To check the queues, go to Status - SMTP - Message Queues.

Using the command line interface to update from releases prior to 9.5.0
-----------------------------------------
For 9.5.0, Symantec introduced enhanced upgrade Control Center functionality. If you run a release prior to 9.5.0, or if you prefer not to use this new Control Center functionality, you can update through the command line interface, which allows you to divide the update process into discrete steps. This may be more appropriate to use over imperfect Internet connections.

To update using the command line interface:

1 Log into an appliance using an SSH client or log in at the console. You must use your administrator credentials to log in.
2 To list available updates, type the following command:
  update list
3 To download the update, type the following command:
  update download
4 To install the update, type the following command:
  update install

You can monitor the software update progress using the steps below.

To monitor the software update progress:

1 Using an SSH client or the console, log into the appliance you are updating. You must use administrator credentials when logging on.
2 Type one of the following commands:
  for 8.0.3: watch update.log
  for 9.0.1 or later: tail -f update.log
  The progress of the software update appears.

When the update is complete, the appliance restarts automatically. Do not restart the appliance before the update completes. You will see the following message:

  sms-appliance-release-version successfully installed. Rebooting appliance...

The appliance reboots. If you've logged into the appliance using an SSH client, the connection will be lost.

You may receive warnings, which you can ignore. See the release notes for more information.

Testing update success
----------------------
To ensure that your appliance is running Symantec Messaging Gateway version 9.5.4, log into the command line interface on an appliance and type the following command:

  show --version

Known Issues
============

Error messages are generated when you upgrade
----------------------
When you upgrade from a release before 9.5.3, you may observe a number of benign error messages during the upgrade process. See the following knowledge base article for more information:

http://www.symantec.com/docs/TECH173852

Error messages are generated when you configure your NTP server information
----------------------
When you configure your NTP server information during installation or when you modify it post-installation, you may observe an error message in your message log. The message indicates that the requested IPv6 address cannot be assigned. You can ignore this message.

http://www.symantec.com/docs/TECH186256

SSLv3 connections are not supported when FIPS mode is enabled
----------------------
The Require TLS encryption option for SMTP authorization does not work as expected when FIPS mode is enabled. When you run in normal, non-FIPS mode, Symantec Messaging Gateway accepts both TLS and SSLv3.0 connections. When FIPS mode is enabled, even if the Require TLS encryption option is disabled, the connections that use SSLv3.0 and earlier are not supported. For more information, see the Symantec Messaging Gateway FIPS 140-2 level 1 Deployment Guide.

http://www.symantec.com/docs/TECH186251

Error message appears when update check command is issued
----------------------
When you upgrade from a release before 9.5.2 and run the update check command, you may receive a message that some packages cannot be installed. You can ignore this message.

http://www.symantec.com/docs/TECH169454

Errors in logs during update
----------------------
During an update, errors may appear despite a successful upgrade as follows:

--Errors appear in the mysql error log for a successful update. You can disregard these errors.
--You may find some unexpected messages that are related to module-loading failure in the conduit log. You can ignore these messages.

9.5.2 included changes to the appliance platform, which includes the operating system and database versions.

http://www.symantec.com/docs/TECH169981

Possible errors during bootstrap process
----------------------
/data/logs/boot.log may not appear upon fresh install. As a result, you may see some related errors during the bootstrap process, including a red [FAILED] status from "Adjusting Symantec Messaging Gateway services". You can ignore these errors.

http://www.symantec.com/docs/TECH186249

FIPS mode not automatically enabled upon OS restore
----------------------
Your FIPS state is not saved as part of a backup.
If you perform an OS restore on a Symantec Messaging Gateway 9.5.2 or later host with FIPS mode on, manually turn on the FIPS mode after the restore completes.

http://www.symantec.com/docs/TECH186248

Download may take longer than for past updates
----------------------
When you upgrade from versions prior to 9.5.2, the download portion of the update process can take substantially longer than past updates. This situation is due to the large size of the download package.

http://www.symantec.com/docs/TECH186191

MTA takes several minutes to start on a FIPS-enabled appliance that is configured with SMTP authentication and Accept TLS
----------------------
The following actions take significantly longer with FIPS mode turned on than they do with FIPS mode turned off:

--Restarting the Message Transfer Agent (MTA) service
--Any configuration change that implicitly restarts the MTA service

The host may appear to be hung for several minutes, but it is not. As a best practice, enable FIPS mode as the final step in your setup process before you deploy the host in a production environment.

http://www.symantec.com/docs/TECH186189

delete ddsconfig does not remove directory data sources from Control Center
----------------------
If you use the delete ddsconfig command to remove the ddsconfig.xml file from the disk, the DDS configuration remains in the database. The DDS configurations on the Control Center remain unchanged.

To delete data sources in the Control Center, perform the following tasks:

1. In the Control Center, click Administration - Directory Integration.
2. On the Directory Integration Settings page, select the data source or sources you want to remove, and click Delete.

http://www.symantec.com/docs/TECH186188

Unable to load cache data from /data/dds/dds-cache.ser in dds.log during upgrade from 9.0 to 9.5.4
----------------------
When you upgrade from a version before 9.5.2, Symantec Messaging Gateway is unable to load the cache data from /data/dds/dds-cache in dds.log. The DDS cache is rebuilt as messages are processed after upgrade.

http://www.symantec.com/docs/TECH186186

Virtual machine kernel panics after update to 9.5.2
----------------------
After you update the Symantec Messaging Gateway virtual appliance to 9.5.2, the virtual machine (VM) fails to restart. The VMware console indicates that VMware is unable to restart due to a kernel panic.

http://www.symantec.com/docs/TECh168754

The Russia time zone is incorrect.
----------------------
Russia no longer changes for Daylight Savings Time. The correct time should be GMT +4 rather than GMT +3.

http://www.symantec.com/docs/TECH173452

Note regarding IM filtering and access control features of Symantec Messaging Gateway
===================================================================
Symantec is removing IM filtering and network access control in the 10.0 release of Symantec Messaging Gateway. Customers who are currently using the IM filtering features should plan for an alternative solution. Symantec recommends that customers do not enable IM filtering for new installations or existing installations that are not currently using IM filtering.

End User License Agreement (EULA)
=================================
After the update completes, you can display the End User License Agreement (EULA) from the command line interface.

To view the EULA

1 Log into the appliance's command line interface and type:
  show --eula
  The EULA appears.
2 To page through the EULA, use the space bar.
3 To exit the display of the EULA, type:
  q
  The command prompt appears.