Bugs on Ironport ASYNCOS 8.0.0 – 402

Once the Ironport has been upgraded to ASYNC 8.0.0 - 402 have you encountered any issues / bugs?

What types of issues are you seeing?  It would be better to be running 8.1.1-013 which is a GA release --- on the SMA, as 8.0.0-402 would have been an FCS release.  [First Customer Ship (FCS): This release has been fully qualified for production usage by Cisco Email Security Appliances.  It has been extensively tested for functionality and stability, including tests in production by our Beta Program customers. Following a staged release process, we offer select customers the chance to benefit from new features and enhancements as early adopters.]
Release notes for SMA revisions:
http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/products-release-notes-list.html
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Similar Messages

  • Cisco IronPort AsyncOS 6.7.6-068 for Management GA Notification

    Cisco is pleased to announce the General Availability (GA) of a new major release of AsyncOS 6.7.6-068 for
    Management to all customers. This release applies to all our Security Management Appliances (M-Series).
    AsyncOS 6.7.6-068 for Management enables Centralized Tracking and Reporting for the new features introduced in AsyncOS 7.0 for Email.
    New Features and Enhancements in AsyncOS 6.7.6-068 for Management
    New Feature: Centralized support for the reporting and tracking changes in the AsyncOS for Email release 7.0:
    RSA Data Loss Prevention
    Marketing Message Detection
    New Feature: Reporting by ESA Groups
    Enhanced: Domain-Based Executive Summary Report now configurable by:
    Domain of Email Server
    Domain of Email Address
    Fixes in AsyncOS 6.7.6-068 for Management
    Fixed: MemoryError after losing Housekeeper thread [Defect ID: 52048]
    Fixed: The Show Details link results in a timeout [Defect ID: 51558]
    Fixed: Safelist/Blocklist should be exportable via CLI [Defect ID: 43360]
    Fixed: LDAP Query strips spaces [Defect ID: 46099]
    Fixed: Tracking database time does not update after system timezone is changed [Defect ID: 49407]
    Fixed: Application error when accessing Online Help from the End User Spam Quarantine page [Defect ID: 52395]
    This release has gone through our beta program, internal soak tests and is also running in production at our FCS customers.
    Please upgrade at your convenience and let us know how you like this new release!
    Cheers,
    Jakob

    Hi,
    We identified an issue in AsyncOS 6.7.6-068 for Management that under certain circumstances can cause loss of historical reporting data when reporting groups are configured. To ensure a high quality release, further testing on our side is required.
    6.7.6-068 is no longer available for upgrade to your M-Series appliances.
    If you already upgraded to 6.7.6-068 we strongly recommend to disable group based reporting to avoid being affected.
    We expect to release a new improved build of 6.7.6 shortly and apologize for any inconvenience or confusion this might have caused.
    If you are required to upgrade to 6.7.6 before a new build is available, please contact Cisco IronPort Customer Support.
    I'll let you know once the new build is available...
    Best Regards,
    Jakob

  • Cisco IronPort AsyncOS 7.0.1-010 for Email GA Notification

    Cisco is pleased to announce the General Availability (GA) of a new major release of AsyncOS 7.0.1-010 for Email to all customers. This release applies to all our Email Security Appliances (C- and X-Series). Code named "Bally's" internally (yes, after the Casino), this release is packed with major new functionality. We have completed our usual, extensive Beta test process as well as a 2 month FCS time period; over 500 customers have already upgraded. Though we always recommend customers test out new releases before upgrading all of your production servers, we have great confidence in this release. Please upgrade and tell us what you think!
    Note for Security Management Appliance (SMA) customers. To report on the new features in 7.0.1, you'll need to upgrade your M-Series to AsyncOS 6.7.6-068.
    New Features and Enhancements in AsyncOS 7.0.1-010 for Email
    New Feature: RSA Email Data Loss Prevention (requires Feature Key)
    New Feature: Guaranteed Secure Delivery (requires PXE Encryption Feature Key)
    New Feature: Unwanted Marketing Message Detection
    Enhanced: Prioritized SMTP Routes
    Enhanced: RADIUS Groups and Protocols for External Authentication
    Enhanced: Quarantined Messages Attachments Enhancements
    Enhanced: PXE Encryption Enhancements
    PXE Encryption Enhancements
    AsyncOS 7.0 provides the following enhancements to IronPort Email Encryption:
    Guaranteed Secure Delivery
    Encrypt on Delivery
    Encrypt on Quarantine Exit
    Multi-Envelope Branding
    Automatic PXE Engine Updates
    Fixes in AsyncOS 7.0.1-010
    Fixed: TLS/SSL Man-in-the-Middle Vulnerability [Defect ID: 55972]
    Fixed: Reporting Engine Stops Allocating Memory, Stops Processing Data, and Causes an Application Fault When the Housekeeper Thread Stops [Defect ID: 52048]

    Thanks!
    Since I started on Ironport ESA 3 years ago, UCE handling has always been problematic (basically, UCE is never treated as spam).
    I hope the new Unwanted Marketing Message Detection feature fixes that!

  • Bug ID 88822 : reversion to older version after upgrade

    Hello,
    in the last Release Notes for Cisco IronPort AsyncOS 7.5.0-838 for Web document
    http://www.cisco.com/en/US/docs/security/wsa/wsa7.5/release_notes/WSA_7.5.0-838_GA_Release_Notes.pdf
    we can see that bug 88822 has been fixed.
    Previously, customers who upgraded to version 7.5.0 were unable to revert to an older
    version. Now customers can revert to older versions after upgrade.
    Does it mean we can now revert to 7.1.4 version, if wsa was in 7.1.4 version before upgrade into 7.5.0-838?
    Regards

    Hi,
    Under the "AsyncOS Reversion" it states the following:
    "AsyncOS for Web 7.5 supports the ability to revert the AsyncOS for Web operating
    system to a previous qualified build for emergency uses. However, you cannot
    revert to a version of AsyncOS for Web earlier than version 7.5."
    I hope this helps,
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • EoS (end of support) AsyncOS 7.5.2-014 of ESA

    Hi All,
    I would like to know about the end of support for AsyncOS 7.5.2-014 of ESA, and I want the official end-of-support announcement document from Cisco. Please give a link or document if someone has it.
    Thanks,

    EOL dates and information can be found here:
    http://www.cisco.com/web/ironport/asyncOS_esa_eol_dates.html
    7.5.2-014 would have been EOL as of April 30, 2014.
    Full EOL info:
    http://www.cisco.com/web/ironport/product_discontinuance.html
    Cisco IronPort AsyncOS and Mail Flow Central software releases are supported for up to eighteen (18) months from the First Customer Shipment Date (FCS), or two (2) subsequent major releases of such software, whichever occurs first. At such time, the software reaches EOL. Major releases of the software are designated as an increment in the first number in a release designation (i.e. 4.y.z to 5.y.z).
    At EOL, Engineering, Customer Support and the Cisco IronPort Threat Operations Center no longer provide support for the software release. Thus, update releases (e.g. service, maintenance, and patches) are no longer created for the software release and "signatures," "rules," or similar data services may not be compatible with discontinued versions of the software. To receive software support and updates, customers are required to upgrade to a supported version of the software.
    -Robert

  • List of Alerts per category for Ironport?

    Hello,
    Does anyone know of a list of what the different Alerts are per category that can get emailed to people?
    I know how to sign up for System Administration\Alerts and the categories of System, hardware, Updater, VOF, Anti-v, anti-spam and Dir Harvest Attack.
    My boss wants to know what alerts can come from each category...
    Will the Ironport email an alert if one of my three C appliances stops working? etc.  Is there a chart or table somewhere that defines what alerts get sent and when?
    On a side note:
    Will the Ironport tell me if a Queue is past a certain threshold?
    Thanks!
    Elias

    Hi Elias,
    you can find a list of alerts in a table in the Cisco IronPort AsyncOS Email Configuration Guide. Easily accessible via the online Help "GUI - Help and Support - Online Help". Search for chapter "Alerts".
    The tables list alerts by classification, including the alert name (internal descriptor used by IronPort), actual text of the alert, description, severity (critical, information, or warning) and the parameters (if any) included in the text of the message.
    Coming to your side note:
    The alerts will not send out a notification if the work queue passes a certain value. For this you would need to configure a message filter like this:
    wq_notification:
    if (workqueue-count == 2000) {
        notify ('[email protected]', 'Workqueue hit 2000');
    }
    Here is a link to our knowledge base where you can find instructions on how to create a message filter:
    http://tinyurl.com/mg8kp
    Hope that helps!
    Enrico

  • Ironport C170 Config file restore

    Hi Team,
    We have 2 clustered Ironport servers with AsyncOS 7.5.2 with site 1 and now we are building new DR site for Exchange 2010 and building Ironport on DR site.
    We have one ironport AsyncOS 7.6.2 for Cisco IronPort C170 build 201 at DR site.
    We have to restore configuration file from Site 1 to DR site.
    Can you please provide me the steps to restore the file from site 1 to DR site
    I have removed the one node from ironport cluster from site 1 and taken the backup of the configuration file.
    Regards,
    Pravin

    Pravin -
    You will need to upgrade all appliances to the same revision in order to have the configuration used from site 1 to the DR.  Also, 7.5.2 and 7.6.2 are EOL, and you would be strongly suggested to upgrade to the minimum of 7.6.3-019 for all appliances.
    After that - it would just be a matter of looking at this two ways - while upgrading the appliances at site 1, just save the configuration copy once upgraded as needed to 7.6.3-019.  Make a copy and modify the Network Configuration section: Hostname, Interface <IP>, Routing Table... and then load that copy on the DR site.
    Or - the other way to look at it would be to just join the DR site to the cluster.  That way all configuration is shared among the three appliances.
    I hope this helps!
    -Robert
    (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

  • Ironport back-up smtp routes

    Hi Guys,
    I have 2 lotus notes servers. Is it possible on the ESA to add these two servers on the SMTP routes while using the same domain name?
    How will the ESA forward incoming mail then? Some sort of load balancing, or will it be a priority thing?
    Thanks,
    Adrian

    Hi Adrian,
    Q:
    I have 2 lotus notes servers. Is it possible on the ESA to add these two servers on the SMTP routes while using the same domain name?
    A:
    Yes. Please use SMTP Routes option, under Network > SMTP Routes.
    Q:
    How will the ESA forward incoming mail then? Some sort of load balancing, or will it be a priority thing?
    A:
    Whenever the appliance accepts the connection and the message from the sender host, it will check the destination domain of the recipients and look up an SMTP route to reach that destination domain. If there is an SMTP route the appliance will then use the information configured on how to reach the destination. If you have version 7.x of the AsyncOS, which allows prioritization, then the appliance will follow the configuration. If both destination servers configured have the same priority, round-robin fashion will be applied.
    If you are running a version prior of AsyncOS 7.x then the appliance will connect to the first server configured. If that server is unreachable then it will try the next one configured.
    SMTP Routes Overview
    SMTP Routes allow you to redirect all email for a particular domain to a different mail exchange (MX) host. For example, you could make a mapping from example.com to groupware.example.com. This mapping causes any email with @example.com in the Envelope Recipient address to go instead to groupware.example.com. The system performs an “MX” lookup on groupware.example.com, and then performs an “A” lookup on the host, just like a normal email delivery. This alternate MX host does not need to be listed in DNS MX records and it does not even need to be a member of the domain whose email is being redirected. The Cisco IronPort AsyncOS operating system allows up to forty thousand (40,000) SMTP Route mappings to be configured for your Cisco IronPort appliance. (See SMTP Routes Limits.)
    This feature also allows host “globbing.” If you specify a partial domain, such as .example.com, then any domain ending in example.com matches the entry. For instance, [email protected] and [email protected] both match the mapping.
    If a host is not found in the SMTP Routes table, an MX lookup is performed using DNS. The result is not re-checked against the SMTP Routes table. If the DNS MX entry for foo.domain is bar.domain, any email sent to foo.domain is delivered to the host bar.domain. If you create a mapping for bar.domain to some other host, email addressed to foo.domain is not affected.
    In other words, recursive entries are not followed. If there is an entry for a.domain to redirect to b.domain, and a subsequent entry to redirect email for b.domain to a.domain, a mail loop will not be created. In this case, email addressed to a.domain will be delivered to the MX host specified by b.domain, and conversely email addressed to b.domain will be delivered to the MX host specified by a.domain.
    "The SMTP Routes table is read from the top down for every email delivery. The most specific entry that matches a mapping wins. For example, if there are mappings for both host1.example.com and .example.com in the SMTP Routes table, the entry for host1.example.com will be used because it is the more specific entry — even if it appears after the less specific .example.com entry. Otherwise, the system performs a regular MX lookup on the domain of the Envelope Recipient."
    From our documentation:
    "A receiving domain can have multiple destination hosts, each assigned a priority number, much like an MX record. The destination host with the lowest number identifies as the primary destination host for the receiving domain. Other destination hosts listed will be used as backup.
    Destinations with identical priority will be used in a “round-robin” fashion. The round-robin process is based on SMTP connections, and is not necessarily message-based. Also, if one or more of the destination hosts are not responding, messages will be delivered to one of the reachable hosts. If all the configured destination hosts are not responding, mail is queued for the receiving domain and delivery to the destination hosts is attempted later. (It does not fail over to using MX records)."
    I hope this helps.
    Cheers,
    Valter
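
The lookup rules quoted in the answer above (most specific entry wins, priority levels, round-robin between equal priorities, queueing instead of MX fallback, no recursive entries), modelled as an added example; this is not code from the thread or from AsyncOS. The class, the function names and every host name in the sample table are constructed for illustration, and the treatment of a partial entry such as `.example.com` as a suffix match is an assumption.

```python
"""Toy model of the SMTP Routes rules quoted above (added example, not AsyncOS code)."""


class RouteTable:
    def __init__(self):
        self._routes = {}   # receiving-domain pattern -> [(priority, host), ...]
        self._rr = {}       # (pattern, priority) -> index of next host to try

    def add(self, pattern, hosts):
        """hosts is a list of (host, priority); the lowest number is the primary."""
        # Stable sort keeps the configured order inside one priority level.
        self._routes[pattern.lower()] = sorted(
            ((prio, host) for host, prio in hosts), key=lambda e: e[0])

    def match(self, rcpt_domain):
        """Most specific entry wins, regardless of position in the table."""
        domain = rcpt_domain.lower()
        if domain in self._routes:                      # exact entry
            return domain
        # Partial entries such as '.example.com' (assumption: they match
        # names below example.com; the longest matching suffix is preferred).
        partial = [p for p in self._routes
                   if p.startswith(".") and domain.endswith(p)]
        return max(partial, key=len, default=None)

    def next_hop(self, rcpt_domain, is_up=lambda host: True):
        """Return ('route', host), ('queue', None) or ('mx', rcpt_domain)."""
        pattern = self.match(rcpt_domain)
        if pattern is None:
            # No entry: ordinary DNS MX lookup. The MX result is not looked
            # up in the table again, so entries are never followed recursively.
            return ("mx", rcpt_domain.lower())
        entries = self._routes[pattern]
        for prio in sorted({p for p, _ in entries}):
            group = [h for p, h in entries if p == prio]
            start = self._rr.get((pattern, prio), 0)
            for step in range(len(group)):              # round-robin per connection
                host = group[(start + step) % len(group)]
                if is_up(host):
                    self._rr[(pattern, prio)] = (start + step + 1) % len(group)
                    return ("route", host)
        # Every configured host is down: mail is queued, MX is NOT used.
        return ("queue", None)


def demo_table():
    """Constructed sample table; all host names are made up for the example."""
    t = RouteTable()
    t.add(".example.com", [("relay.example.net", 0)])
    t.add("host1.example.com", [("groupware.example.com", 0)])
    t.add("example.com", [("notes1.example.com", 0),
                          ("notes2.example.com", 0),
                          ("backup.example.com", 10)])
    t.add("a.domain", [("b.domain", 0)])
    t.add("b.domain", [("a.domain", 0)])
    return t


if __name__ == "__main__":
    t = demo_table()
    print(t.match("host1.example.com"))      # exact entry beats '.example.com'
    for _ in range(3):
        print(t.next_hop("example.com"))     # alternates between the two primaries
    down = {"notes1.example.com", "notes2.example.com"}
    print(t.next_hop("example.com", is_up=lambda h: h not in down))
    print(t.next_hop("a.domain"))            # one hop only, no mail loop
```
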

  • Async os 6.5.1

    Just after the new year started, I upgraded my first of three x1050s to 6.5.0. A few days later after no issues were encountered by this first upgrade, I processed upgrades to my remaining two X's and my M. Unfortunately, on one of these X's I upgraded straight to 6.5.1. Fast forward a few days and another admin went to recreate the cluster, to process some rules, and encountered the out of sync AsyncOSs. A panic ensues and upgrades are applied to the remaining three, all to 6.5.1.
    I ran this past through a support ticket and found the actual problem with another MTAs TLS config. Here we check for TLS and require if available. Outside MTAs is available but broken. Prior to upgrades, unsecure email processed through to my internal users without issue. After the upgrades, all messages failed. Support reports that they attempted email with this domain using earlier Async OS versions and all comm still failed.
    Allegedly no change on outside MTA. They have broken TLS, know it, have experienced it with other MTAs as well. They are not fixing their corrupt TLS deployment. However, unsecure still worked. Outside MTA domain is sigc.us.
    Are my tracking logs gone after an AsyncOS upgrade? Can I recover?
    Was TLS enhanced to fail with broken outside TLS config, from 6.4.x to 6.5.1?
    6.5.1 is a maintenance release? Should I be running it?
    Can I get the bound version of the Ironport AsyncOS 6.5 users guide and advanced users guide? Can I download? I have 5.1 literature. I'd really like to get my ironports dialed in to 6.5.x.
    Thanks,
    -bear

    So I take it from this that all systems in the cluster are now running 6.5.1-004, and the cluster is intact?
    Absolutely. No problems really before or after the upgrade, and once the cluster was recreated after the final 6.5.1-004 push, everything has been characteristically stable.
    By require if available, do you mean TLS preferred-verify? And by all messages, you mean all messages to one domain? It sounds like you should get back in touch with support. They will have access to your configuration.
    Actually just prefer. No verify. By all messages, I mean all messages from sigc.us to us (all messages from anyone to us [we listen for a few domains] we prefer TLS). I think support did what they could, and did a great job at that. I'm just stuck in this "it worked/didn't work quandary," with the only definite change being me upgrading. Without the worked/didn't work data slice, everything support provided is spot on. Sigc.us' TLS is broken..that's not in dispute. It's the behaviour now of my ironports, to their error, that appears to have changed. I have added a destination control specifically for this domain, to not use TLS but these one off fixes trouble me.
    Your tracking logs should survive an upgrade. Whether you still have data from prior to the upgrade will depend on your mail volume. The tracking database will purge the oldest records when it gets full.
    OK. I only seem to be going back to my upgrade date. Actually rechecking my tracking history has shrunk. Now only goes back a little more than a week. That's another obstacle, as I haven't been able to confirm the sigc.us report of success prior to the upgrade.
    There were no enhancements or bug fixes that would cause the appliance to be more picky about who to send encrypted mail to. If the remote MTA advertises STARTTLS, we will attempt to negotiate a TLS connection. There are a number of reasons this can fail. If you are using TLS Required, the mail will be bounced. If it is TLS Preferred, then it will be delivered plain text.
    There's my problem. It doesn't revert to plain text, it just fails. Like this:
    Message 109885282 to [email protected] received remote SMTP response '2.6.0 <49F384F3EE03C14886B2F0F78A53B5432FB803> Queued mail for delivery'.
    I don't even think a hard or soft bounce occurs? Just no one receives it.
    Absolutely. If you saw it in early January, you must have been on the early availability list. Just this week we released it to all customers.
    Whew...
    How did this work? We definitely didn't request anything. What's the early availability list inclusion criteria?
    You can see all of the Documentation in the online help on your appliance. You can also download PDFs from the Support Portal. If you prefer the printed copies, I'll check and see how you can order that.
    I'd love the printed versions if available for a reasonable price. Downloads are adequate, but there's nothing quite like a well creased and dog-eared bound reference on my bookshelf.
    Thanks Karl.
    -bear

  • Cisco Email Security Appliance (ESA) - Reporting

    In previous versions on ESA you could export data and reports in CSV formats using an API. Is that still available?
    From the following document:
    IRONPORT ASYNCOS 6.4 REPORTING API FOR IRONPORT APPLIANCES
    REPORTING API OVERVIEW
    The Reporting API feature allows you to download the same data collected by the Email Security Monitor component of the IronPort Email Security appliance or Security Management appliance in a comma separated value (CSV) format. This format allows users to integrate the IronPort appliance's data gathering capabilities into other IT and business reporting systems. 
    DOWNLOADING REPORTING DATA
    You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This is useful if you plan to perform further analysis on the data via other tools. The data is available in standard comma separated value (CSV) format. The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages to display the type of data you want. You can then simply click the Export... link to initiate the download process.

    It went away, there's a new one (RESTful) in 9.0/9.1
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-0/ESA_API_1-0_Getting_Started_Guide.pdf

  • User not local

    We are trying to send email to a domain that appears to have a configuration problem. The mail resolves to two servers:
    Host Preference IP(s) [Country]
    mail.neal-prince.com. 5 66.0.186.134 [US]
    mail.itcdeltacom.net. 10 165.212.65.113 [US]
    My C100 returns this error:
    551 <JoeSixpack>... User not local (at 12 Sep 2007 14:46:11 (GMT)) IP:165.212.65.113
    The Ironport wants to send to the 165.212.65.113 address which causes this error. Can I make it send to the 66.0.186.34 address?
    I have contacted the ISP to see if they can fix the problem, just thought I'd do what I can to resolve it myself if I can.

    Here are some diagnostic commands that you can perform from the command line (CLI) of the Ironport appliance, once you've ssh'ed onto the command line with a terminal program like PuTTY.
    tophosts --> Active Recipients(1)
    - This displays messages in the delivery queue. Messages here have
    already been scanned and are waiting to be delivered.
    hoststatus --> domain (i.e. yahoo.com, stetson.edu)
    - This provides some information about the mailserver and if they are
    up or down.
    delivernow
    - Will try to immediately re-send all mail that was previously deferred and sitting in the delivery queue.
    nslookup
    - To look up hostname, MX records and IP addresses of a domain
    In your case, "hoststatus" would be useful since it will display the MX records and IP addresses near the bottom of the 'hoststatus' output.
    For example,
    nslookup
    Please enter the host or IP address to resolve.
    []> neal-prince.com
    Choose the query type:
    1. A the host's Internet address
    2. CNAME the canonical name for an alias
    3. MX the mail exchanger
    4. NS the name server for the named zone
    5. PTR the hostname if the query is an Internet address,
    otherwise the pointer to other information
    6. SOA the domain's "start-of-authority" information
    7. TXT the text information
    [1]> 3
    MX=mail.itcdeltacom.net PREF=10 TTL=1d
    MX=mail.neal-prince.com PREF=5 TTL=1d
    I noticed that there is a Time to Live (TTL) of 1 day for the hostname before it clears the cache. To immediately clear the DNS cache and have the Ironport AsyncOS go out and obtain current MX and IP addresses, type the following:
    dnsflush
    by the way, you can get a snippet of information on how the command works by typing,
    help
    help dnsflush
    --kevin
    Hmmm, the fact that your C100 is going to the MX 10 destination instead of the MX 5 one probably means that the MX 5 destination is down, since smaller MX values are more preferred.
    But to answer your question directly, you can use an SMTP route to force the mail to go where you want it. Use the "smtproutes" command in the CLI.

  • How to Disable VRFY and RCPT

    How does one disable VRFY and RCPT on Ironport AsyncOS for Email Security 7.6 and what is the impact? I understand an attacker can perform an account enumeration and verify whether e-mail accounts exist and a spammer can automate the method to perform a directory harvest attack and send spam emails.
    Thanks

    There are three SMTP commands that apply here.
    VRFY - not implemented by ESA. ESA will respond "250 ok" to everything
    EXPN - not implemented by ESA. ESA always responds "500 command not recognized"
    RCPT - can't be "disabled" as there is no other way to specify envelope recipients.
    I would recommend that you set up LDAP Accept and DHAP (Directory Harvest Attack Prevention). That will allow the ESA to stop dictionary attacks. Once too many bad recipients have been tried the appliance will reject all recipients from that IP address for an hour.
    DHAP is normally best set up to function during the SMTP conversation and to drop connections. If you enable it during the work queue your appliance can get bogged down with undeliverable outgoing messages from all the bounces. Dropping the connection can help with botnets since they usually don't waste time by re-queuing messages to be tried later.
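
A small model of the behaviour described in the answer above (recipient validation plus a per-IP limit on bad recipients, enforced during the SMTP conversation), as an added example; it is not code from the thread or from the appliance. The class name, the limit of 3, the mailbox set standing in for the LDAP Accept query and the event list are all constructed for illustration.

```python
"""Toy model of LDAP Accept + DHAP during the SMTP conversation (added example)."""
from collections import defaultdict, deque

WINDOW = 3600  # seconds; the "for an hour" in the answer above


class DhapModel:
    def __init__(self, valid_recipients, max_invalid_per_hour):
        # Stand-in for the LDAP Accept query: a fixed set of known mailboxes.
        self.valid = {r.lower() for r in valid_recipients}
        self.max_invalid = max_invalid_per_hour      # assumed, site-specific limit
        self.invalid_seen = defaultdict(deque)       # ip -> times of bad RCPTs
        self.blocked_until = {}                      # ip -> epoch seconds

    def rcpt(self, ts, ip, rcpt):
        """Verdict for one RCPT TO: 'accept', 'reject' or 'drop'."""
        if ts < self.blocked_until.get(ip, 0):
            return "drop"            # limit already hit: valid names refused too
        if rcpt.lower() in self.valid:
            return "accept"
        seen = self.invalid_seen[ip]
        seen.append(ts)
        while seen[0] <= ts - WINDOW:                # forget bad RCPTs older than 1h
            seen.popleft()
        if len(seen) > self.max_invalid:
            self.blocked_until[ip] = ts + WINDOW
            seen.clear()
            return "drop"            # refused in-session, so no bounce is queued
        return "reject"              # unknown user, sender still under the limit


# Constructed RCPT TO events: (seconds, client IP, recipient). Not real log data.
EVENTS = [
    (0,    "192.0.2.10",   "aaron@example.com"),
    (1,    "192.0.2.10",   "abby@example.com"),
    (2,    "192.0.2.10",   "adam@example.com"),
    (3,    "198.51.100.7", "alice@example.com"),
    (4,    "192.0.2.10",   "alan@example.com"),    # fourth bad name: over the limit
    (5,    "192.0.2.10",   "alice@example.com"),   # valid, but the IP is blocked
    (6,    "198.51.100.7", "alcie@example.com"),   # a single typo is only rejected
    (3700, "192.0.2.10",   "alice@example.com"),   # block has expired
]


def replay(events, valid=("alice@example.com", "bob@example.com"), limit=3):
    """Run the events through a fresh model and return (ip, rcpt, verdict) rows."""
    model = DhapModel(valid, limit)
    return [(ip, rcpt, model.rcpt(ts, ip, rcpt)) for ts, ip, rcpt in events]


if __name__ == "__main__":
    for row in replay(EVENTS):
        print(*row)
```
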

  • Update issues when ESA Virtual replacing C170 Appliance in Cluster Config

    I have opened a TAC ticket on this one but was curious if any others experienced the same issue.
    I have C170s in Centralized ClusterConfig. I recently learned about the Virtual ESAs after reading about the EOL for C170s in a few years. I think the Virtual ESAs will add a lot of flexibility. The only issue I've noticed was trying to join Virtual ESAs to our Cluster are updates so far. 
    The first virtual ESA I brought up I was able to initially update it so it could join the cluster. I thought maybe I messed up the network config somewhere. So after messing with it over the Weekend and opening a TAC case with Cisco. I thought I would try configuring the second Virtual ESA. Sure enough updates are working, and no errors. Hooked it up enough to do some quick testing to make sure the listeners were working. Feeling pretty good about it, I join the cluster. Everything copied over configuration wise, I also setup a new ClusterGroup for the Virtual ESAs so I could customize the listeners and interfaces. Before I got too crazy I quickly realized that my updates stop working on the second virtual appliance.
    So just curious if there are some configuration compatibility issues between appliance hardware and Virtual we should be aware of. I found some great information from the Forums about forcing updates and reading the tail of the updater_logs, which produced the following:
    Info: Dynamic manifest fetch failure: Received invalid update manifest response
    I found the fix for non-cluster configured Virtuals for this Update error:
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118065-maintainandoperate-esa-00.html
    But this does not work for clusterconfig.
    So is my best course of action to:
    run the clusterconfig on one of my virtuals, 
    Remove Virtual from ClusterConfig after config is migrated
    Apply CLI fix to point post-cluster config Virtual so it now points to the right update servers
    Create new cluster with the now fully Updating Virtual-Uno ESA
    Join Remaining virtuals to the newly created cluster and phase out the old physical cluster?
    Obviously I left out all the fine details about MX records, IP addresses, Central Reporting and Spam and outbreak reporting. Just want to make sure I'm not missing something, maybe tear down the old clusterconfig first, set it to point to the update servers in the article above. Then I can phase out my old physicals later on down the line as they break down over time and avoid configuring two clusters for every rule change.

    So it looks like I have found the answer to my own question. Looks like the fix in the following article does apply to Virtual ESA in a cluster. 
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118065-maintainandoperate-esa-00.html
    Some things I'd like to figure out is, will this change stick, will new virtual nodes pick up the incorrect update URL when I join them to the cluster? I made the changes and all my hosts seem to be updating fine. Will wait and see how well they do over the next few days and let them bake in a little before I push e-mail through them.
    Step by Step how it looks with a cluster config from the CLI:
    (Machine esa1.yourcompany.com)> updateconfig
    Service (images):                                                         Update URL:
    Feature Key updates                                                       http://downloads.ironport.com/asyncos
    RSA DLP Engine Updates                                                    Cisco IronPort Servers
    PXE Engine Updates                                                        Cisco IronPort Servers
    Sophos Anti-Virus definitions                                             Cisco IronPort Servers
    IronPort Anti-Spam rules                                                  Cisco IronPort Servers
    Outbreak Filters rules                                                    Cisco IronPort Servers
    Timezone rules                                                            Cisco IronPort Servers
    Enrollment Client Updates (used to fetch certificates for URL Filtering)  Cisco IronPort Servers
    Cisco IronPort AsyncOS upgrades                                           Cisco IronPort Servers
    Service (list):                                                           Update URL:
    RSA DLP Engine Updates                                                    Cisco IronPort Servers
    PXE Engine Updates                                                        Cisco IronPort Servers
    Sophos Anti-Virus definitions                                             Cisco IronPort Servers
    IronPort Anti-Spam rules                                                  Cisco IronPort Servers
    Outbreak Filters rules                                                    Cisco IronPort Servers
    Timezone rules                                                            Cisco IronPort Servers
    Enrollment Client Updates (used to fetch certificates for URL Filtering)  Cisco IronPort Servers
    Service (list):                                                           Update URL:
    Cisco IronPort AsyncOS upgrades                                           Cisco IronPort Servers
    Update interval: 5m
    Proxy server: not enabled
    HTTPS Proxy server: not enabled
    Choose the operation you want to perform:
    - SETUP - Edit update configuration.
    - CLUSTERSET - Set how updates are configured in a cluster
    - CLUSTERSHOW - Display how updates are configured in a cluster
    []>dynamichost
    Enter new manifest hostname:port
    [update-manifests.ironport.com:443]>update-manifests.sco.cisco.com:443
    Choose the operation you want to perform:
    - SETUP - Edit update configuration.
    - CLUSTERSET - Set how updates are configured in a cluster
    - CLUSTERSHOW - Display how updates are configured in a cluster
    []> 
    (Machine esa1.yourcompany.com)> commit

  • Mail Flow Central questions

    I was wondering if anyone can give me the official stance on if MFC is still supported or not. An IronPort engineer that I've been working with tells me that it's not supported anymore, but I just went through IronPort training for the C-series and the instructor tells me that it is supported through next year or so. When I check the knowledge base I see references to check the product page for information about MFC, but nothing is listed. I can't seem to find any documentation or software downloads.

    Here is info from the Support Portal.
    Click on "Announcements & Policies" on the left panel, then "IronPort Systems Product Discontinuance Policy" at the top of the page.
    At the bottom, it mentions this:
    +++
    Software Support
    IronPort AsyncOS and Mail Flow Central software releases are supported for up to eighteen (18) months from the First Customer Shipment Date (FCS), or two (2) subsequent major releases of such software, whichever occurs first. At such time, the software reaches EOL. Major releases of the software are designated as an increment in the first number in a release designation (i.e. 4.y.z to 5.y.z).
    At EOL, Engineering, Customer Support and the IronPort Threat Operations Center no longer provide support for the software release. Thus, update releases (e.g. service, maintenance, and patches) are no longer created for the software release and "signatures," "rules," or similar data services may not be compatible with discontinued versions of the software. To receive software support and updates, customers are required to upgrade to a supported version of the software.
    +++
    Then, if you click on "IronPort AsyncOS for Email" at the very bottom, it mentions this at the very bottom:
    Mail Flow Central December 17, 2004 July 31, 2011

  • Attachments being removed

    Hey Guys
    I have an issue here: when the IronPort (AsyncOS 8.5) scans emails from a particular sender, the following error occurs and the attachment is stripped.
    Message 129182579 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
    Message 129182579 scanned by Anti-Virus engine. Final verdict: Negative 
    Message 129182579 contains attachment 'DocumentName_10212014.pdf'. 
    Message 129182579: scanning error (name='DocumentName_10212014.pdf', type=document/pdf): file is corrupt
    I don't believe the file is encrypted and the error only occurs for this one sender, with all attachments they send. They only send PDFs. We are able to receive PDFs from all other companies, however the client is able to send to other companies without their attachments being stripped.
    Any Ideas?
    Thanks,
    Robert

    Hey Robert,
    What I would suggest as a temporary workaround for the time being is to create a mail policy for just this sender that will bypass content filters that may have attachment scanning so we can get some of the attachment files to have investigated.
    There may be some form of damage within the PDF stopping the IronPort from doing a deep scan when coming from this sender and if the attachment is fine and we have the sample, we will attempt to replicate the concern.
    Once you have some copies of these PDF attachments which were reported as corrupted, please open a Cisco TAC case and send this to us for review.
    Regards,
    Matthew
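
A triage sketch for the log excerpt in the thread above, added here as an example and not part of either post or of any Cisco tooling: it parses lines in the "Message <MID> ..." format quoted in the question and lists messages whose anti-virus final verdict was Negative but which still logged an attachment scanning error, which helps scope how many messages are affected before collecting samples for TAC. The second message (MID 129182580) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines are the format quoted in the post;
# MID 129182580 and its attachment name are made up as a clean contrast case.
SAMPLE = """\
Message 129182579 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 129182579 scanned by Anti-Virus engine. Final verdict: Negative
Message 129182579 contains attachment 'DocumentName_10212014.pdf'.
Message 129182579: scanning error (name='DocumentName_10212014.pdf', type=document/pdf): file is corrupt
Message 129182580 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 129182580 scanned by Anti-Virus engine. Final verdict: Negative
Message 129182580 contains attachment 'Invoice_constructed.pdf'.
"""

AV_FINAL = re.compile(r"^Message (\d+) scanned by Anti-Virus engine\. Final verdict: (\S+)")
ATTACH = re.compile(r"^Message (\d+) contains attachment '([^']*)'")
SCAN_ERR = re.compile(
    r"^Message (\d+): scanning error \(name='([^']*)', type=([^)]*)\): (.+)$"
)

def triage(lines):
    """Group the per-message events by MID."""
    msgs = defaultdict(lambda: {"av_final": None, "attachments": [], "scan_errors": []})
    for line in lines:
        line = line.strip()  # the quoted log lines carry trailing spaces
        if m := AV_FINAL.match(line):
            msgs[m.group(1)]["av_final"] = m.group(2)
        elif m := ATTACH.match(line):
            msgs[m.group(1)]["attachments"].append(m.group(2))
        elif m := SCAN_ERR.match(line):
            msgs[m.group(1)]["scan_errors"].append(
                {"name": m.group(2), "type": m.group(3), "reason": m.group(4)}
            )
    return dict(msgs)

def av_negative_with_scan_error(msgs):
    """MIDs where AV found nothing, yet an attachment could not be scanned."""
    return sorted(
        mid for mid, rec in msgs.items()
        if rec["av_final"] == "Negative" and rec["scan_errors"]
    )

if __name__ == "__main__":
    records = triage(SAMPLE.splitlines())
    for mid in av_negative_with_scan_error(records):
        print(mid, records[mid]["scan_errors"])
```
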
