PreciseMail Anti-Spam Gateway Release Notes

July 2010

This file contains the release notes for PreciseMail Anti-Spam Gateway V3.2. It describes any features, restrictions, changes, or additions made to the PreciseMail Anti-Spam Gateway software in this release.

Revision/Update Information:   This is a revised manual.

Operating System and Version:  OpenVMS VAX V6.1 or later
                               OpenVMS Alpha V6.1 or later
                               OpenVMS I64 V8.2 or later

PMDF Version:                  PMDF V6.1 or later

Software Version:              PreciseMail Anti-Spam Gateway V3.2

Process Software

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Use of PreciseMail Anti-Spam Gateway software and associated documentation is authorized only by a Software License Agreement. Such license agreements specify the number of systems on which the software is authorized for use, and, among other things, specifically prohibit use or duplication of software or documentation, in whole or in part, except as authorized by the Software License Agreement.

Restricted rights legend

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or as set forth in the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19.

MultiNet is a registered trademark of Process Software, LLC.
TCPware is a trademark of Process Software, LLC.
PMDF is a trademark of Process Software, LLC.
All other trademarks are the property of their respective owners.
_______________________________________________________

Contents
_______________________________________________________

CHAPTER 1  NEW FEATURES AND BUG FIXES

  1.1   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.2
  1.2   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.1-3
  1.3   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.1-2
  1.4   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.1-1
  1.5   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.1
  1.6   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.0-2
  1.7   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.0-1
  1.8   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V3.0
  1.9   NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V2.4-3
  1.10  NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V2.4-2
  1.11  NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V2.4-1
  1.12  NEW FEATURES AND BUG FIXES IN PRECISEMAIL ANTI-SPAM GATEWAY V2.4

CHAPTER 2  KNOWN BUGS AND RESTRICTIONS

_______________________________________________________

1 New Features and Bug Fixes

PreciseMail Anti-Spam Gateway V3.2 includes the following new features and bug fixes over earlier versions.
__________________________________________________________________

1.1 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.2

o The quarantine and discard views in the PMAS GUI now support date ranges for message selections. Previously, messages could only be displayed by individual days (or all days). The new date ranges allow for more flexibility when displaying or searching the quarantine and discard.

o Search terms used in the quarantine and discard GUI views are now remembered and reapplied when messages are deleted. Previously, deleting messages resulted in a return to your default quarantine or discard view.

o The mail disposition codes stored in PMAS.LOG are now two-character codes for most dispositions. The new codes indicate whether or not the allow, quarantine, discard, etc., was done as a result of a user rule, a group rule, a domain, or a system rule. For example, the code "AU" indicates that a message was allowed by a user rule, while "RS" indicates that a system reject rule was triggered.

o The configuration variable BLOCK_DISPOSITION now accepts a new value which forces blocked messages to be stored in the quarantine instead of being silently dropped or stored in the discard.

o The procedure RUN_NOTIFY.COM was modified to remove an obsolete command to truncate the discard index files.

o The quarantine notification program was modified to correctly handle double quotes appearing in email addresses. Previously, the double quotes weren't quoted, causing HTML parsing errors in the quarantine notice when such addresses were present.

o The UNIX run_nightly.sh script has been modified to properly roll over the PMAS discard index files. Previously, the last file of each month was renamed to .log-YYYY-MM-00 instead of the proper date.
o On UNIX, the pmas.log and user_actions.log files are now rolled over every night by the routines that write to the files, eliminating the need for RUN_NIGHTLY.SH to perform the rollover.

o A uDNS problem with setting the nameserver to use has been fixed. This change affects the VMF, URIDNSBL, and RDNS components.

o Quotes are no longer added to rule rules if they're already present. Previously, an additional set of quotes was added, resulting in parsing errors.

o When searching the PMAS quarantine via the GUI, some characters were inadvertently encoded improperly, preventing proper matching. This problem has been corrected.

o Per customer request, the "Block" and "Allow" buttons have been removed from the GUI quarantine and discard pages to discourage users from selecting all of the quarantine or discard and blocking all the addresses. The buttons are still available in the preview window.

o The handling of the DNSBL option DNSBL_ALLOW_EMAIL has been modified to correct a problem that prevented it from working correctly.

o Date stamps are now added as comments to all allow and block rules added via the GUI or the email interface. These date stamps can help determine when a user added the rule he or she claims not to have added....

o The configuration variable UDNS_NAMESERVERS now supports multiple DNS nameservers by accepting a comma-separated list of IP addresses.

o When viewing the allowlist, "rule allow" rules are no longer displayed.

o The UNIX startup procedure has been modified to check for a non-zero value of the configuration variable PTSMTP_MAILSERVER_PORT_TLS to determine whether or not TLS support should be enabled.

o The Verify Mail From (VMF) feature has been modified to read a list of addresses that should be excluded from VMF checks. Such addresses would include addresses such as "DoNotReply", "nobody", etc. The exclusions are stored in the file PMAS_DATA:VMF_EXCEPTIONS.TXT.
  Each entry describes MAIL FROM: addresses that will be excluded from the VMF lookups. The entry can be either a wildcard string (using "*" and "?" as the wildcards), or it can be a regular expression (prefixed with "regex"). Case-insensitive regular expressions can be specified by following the delimited expression with "i". See the VMF_EXCEPTIONS.TEMPLATE file for examples.

o A network read/write failure in the Verify Mail From (VMF) feature caused PMAS to exit on UNIX instead of continuing. This problem has been corrected.

o In the GUI quarantine and discard views, the search and date fields were ignored when the non-Java sort was used. This problem has been corrected.

o In the GUI quarantine and discard views, the "Sort Ascending" and "Sort Descending" features were swapped in the non-Java sort version of the page. This problem has been corrected.

o All administrator GUI options are now available for group and domain administrators.

o The following changes have been made to the Advanced Infrastructure cluster support:

    o PMAS AI now includes support for user rule files and group files. New configuration variables were added to support these features: AI_USERRULES_SERVER, AI_USERRULES_CLIENTS, AI_GROUPS_SERVER, and AI_GROUPS_CLIENTS.

    o The PMAS AI client now loads the PMAS configuration file before attempting to update it to get any changed variables since the last update. Previously, node-specific changes made by editing the configuration file on the client were inadvertently overwritten when the AI code downloaded a new configuration file from the server.

    o A bug in the code that handled the AI configuration file would sometimes result in an infinite loop. This problem has been corrected.

o The pmasadmin utility was modified to correct a bug that resulted in the command "pmasadmin group get_membership" displaying nothing.

o Deleted files are now indicated in the quarantine/discard view when "Show Deleted Messages" is checked.
  A new table column indicates deleted files with an "X". (This feature only works when the configuration variable gui_rename_upon_delete is set to "yes".)

o When releasing or viewing a message that was automatically deleted (via the configuration variable gui_delete_upon_release), the GUI now displays text indicating that the message has already been released. This text replaces the less-than-helpful "Unable to read file" message that was previously displayed. When releasing or viewing a deleted message (via gui_delete_upon_release),

o Quotes in the %MSG_QUARTO% variable values, used in the PMAS quarantine and discard HTML files, are encoded now to avoid Javascript errors when a To: address has a single quote in it.

o The PCRE regular expression library used by PMAS has been upgraded to PCRE v8.02.

o The LIBSPF2 library used by PMAS for SPF lookups has been upgraded to LIBSPF2 v1.9.4.

o The ClamAV anti-virus library used by PMAS on UNIX has been upgraded to the current release.

o A new configuration variable, MAXIMUM_USER_BLOCK_RULES, specifies the maximum number of block rules that are read from a user rules file. The default value is 1000; if a user has more than 1,000 block rules, only the first 1000 will actually be applied to incoming messages. This prevents slowdowns caused by end-users who misunderstand the ineffectiveness of adding block rules for every message quarantined or discarded, resulting in tens of thousands of block rules that will never actually trigger.

o The GUI authentication routines have been modified to add new functionality:

    o A new qualifier, /QUOTE, can be specified after a host name in the AUTH_IMAP4_HOSTS and AUTH_POP3_HOSTS configuration variables to cause passwords to be enclosed in double quotes when they are sent to the remote IMAP server.

    o A problem with the qualifier /virtual not always being honored has been corrected.
    o SSL is now supported for IMAP and POP authentications. Simply specify the new qualifier /SSL after the hostname in the variables AUTH_POP3_HOSTS and AUTH_IMAP4_HOSTS.

    o The configuration variable LDAP_AUTH_SERVER now accepts a comma-separated list of servers to contact for authorization. Each server is tried until a successful connection is made.

    o The LDAP Authentication support accepts a new substitution sequence, "%c", that turns the domain specified in an email address into an LDAP RDN of the form "DC=domain,DC=com".

o New site-specific startup and shutdown procedures are supported on UNIX. The optional files are located in /pmas/com and are named site_pmas_start.sh and site_pmas_stop.sh.

o The PMAS startup procedure on UNIX (/etc/init.d/pmas) now supports a "restart" option for the proxy version of PMAS.

o The rule parser now accepts numbers with decimal digits for the SCORE rules. Previously, scores such as "10." and "10.5" were improperly rejected.

o The PMAS body parser now supports the "text/enriched" body part. Previously, these body parts were ignored by PMAS.

o The MAIL FROM: envelope return address is now available for testing in the "ALL" header test as X-PMAS-MAIL-FROM:. This allows for the construction of ALL header tests that can compare the envelope from address with the RFC822 From: address.

o A new "rule" test, ALLHEADERS, has been added. This allows the construction of rule rules that can test for multiple headers.

o A new "rule" test, URI, has been added. This allows the construction of rule rules that can test URIs in message bodies.

o A new configuration variable, SEND_QUARNOTICES_DEFAULT, controls whether or not quarantine notices are sent to users by default. The default value is "yes".
o New callable API routines have been added to PMAS_USERDB_API:

    o AliasLookup() - Get the alias for an email address

    o AuthAliasLookup() - Get the authorization alias for an email address

    o RuleAdd() - Add an allow/block rule for an email address

    o RuleDelete() - Delete an allow/block rule for an email address

    o RuleFilename() - Get the filename for the allow/block list for an email address

  See the API examples directory for sample programs that use these routines.

__________________________________________________________________

1.2 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.1-3

o PMAS rule files now allow includes (using "@") up to five levels deep. Previously, an included file could not include another file.

o In order to reduce the memory requirements of the PMAS PTSMTP worker processes, a new configuration variable, PTSMTP_MAX_SIZE, has been created. The maximum message size is specified in bytes (the default value is 0, which disables the check). Messages larger than the specified size will be passed to the backend server without being scanned or logged in PMAS.LOG.

o The AI support for quarantine and discard files did not handle the new ISAM indexed files on OpenVMS. This problem has been corrected. (Previously released in a separate image update to V3.1-2.)

o When a message was written to the quarantine or discard index, the username was not converted to lowercase, causing problems for mixed-case addresses when those users logged in via the GUI. The symptom was they couldn't see their quarantined messages. This update corrects the logging code so that the email addresses are converted to lowercase so the keyed reads will work. (Previously released in a separate image update to V3.1-2.)

o A problem with the UAI$M_PWDMIX support when logging into the PMAS GUI has been corrected. (Previously released in a separate image update to V3.1-2.)

o A number of problems with the web-based PMAS GUI have been corrected.
    o A problem with the precedence order of the groups displayed in the group administration page has been corrected.

    o The PMAS domain administrator cookie is now cleared by PMASLOGOUT.

    o Alias lookups are now performed for the special "$default$" logins.

    o The PMAS CGI script ALLOWLIST did not properly handle uploaded CSV files using only carriage-returns as line terminators. This problem has been corrected.

o Several problems in the user-impersonation features have been corrected:

    o When a domain admin impersonates a user and displays the quarantine, the quarantine displayed is only for that user. Previously, the quarantine for the entire domain was incorrectly displayed.

    o When logging out of domain-impersonated user, the start page no longer displays the user's email address.

    o When impersonating a user, the proper start page was not always displayed. This problem has been corrected.

    o When a domain admin impersonates a user, the default domain is now supplied if it is omitted in the given user email address.

o The Thickbox Javascript code was modified to work around a problem with Internet Explorer 8 so that popup windows are properly displayed.

o The nightly batch job on OpenVMS no longer tries to truncate the discard index files, which are now ISAM files.

__________________________________________________________________

1.3 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.1-2

o User and system "rule" rules have been enhanced to support "tag" as an option. A message matching a tag rule is treated as an implicit allow, and tag rules are evaluated before allow rules are evaluated.

o The group support in the PMAS GUI has been reworked so that it provides more functionality.

  Note: The format of GROUPS.DAT has changed. If you had previously set up PMAS groups, please contact Process Software Technical Support for information on how to convert the group configuration files.
o PMAS administrator functions in the PMAS GUI have been expanded to allow for group and domain administrators. Entries can be created in the PMAS user database for special addresses that can then be used to manage default group and domain thresholds, rules, and allow/block lists. For group administrators, a special login of the form "groupname@GROUP" (where "groupname" is the name of a group) is used. For domain administrators, a special login of the form "$default$@domainname" (where "domainname" is the name of the domain) is used.

o On OpenVMS, the PMAS quarantine and discard index files are now keyed ISAM files, meaning that quarantine and discard lookups for individual users are more efficient than in previous versions of PMAS. (PMAS will now process both the old text file format and the new ISAM format; no conversion of existing files is required, but the ISAM advantages will only be seen on files created after the V3.1-2 install.)

o The PMAS GUI login script has been modified to support mixed-case passwords on OpenVMS (the SYSUAF flag PWDMIX).

o The "subject" rules are now applied to both the original Subject: line and the decoded Subject: line (for Subject: lines that are encoded). Previously, the test was applied only to the decoded line, preventing users from testing for certain encodings.

o The RULE ENVELOPE_FROM and RULE ENVELOPE_TO rules have been enhanced so that the condition MATCHES_REGEXP can be used in tests.

o The underlying regular expressions used by the HEADER rules have been enhanced so that it is no longer necessary to begin each rule with ".*".

o For PMAS PTSMTP on OpenVMS, the PMAS.LOG file is now kept open for the life of the worker process. The file is automatically rolled over (i.e., a new file is created) each night at midnight, as has been the case for the other log files in previous versions of PMAS.
  This change cuts back on the overhead required to open and close the log file for each message, as previous versions of PMAS did.

o When reading in the rule files, the PMAS engine (and PMAS compiler for OpenVMS) now verify that there are no illegal characters in meta rule definitions. In previous versions of PMAS, an invalid character in a meta rule definition would result in an infinite loop when the rule was executed.

o In the PMAS AI code, newlines are now properly added to the records when the quarantine index file is created. Previously, these newlines were missing, resulting in unterminated lines in the index file.

o The configuration variable AUTH_METHOD wasn't being handled properly by the PMAS GUI login script. This problem has been corrected.

o On OpenVMS, the PMAS startup procedure has been modified so that the notification batch job is not submitted on AI secondary nodes.

__________________________________________________________________

1.4 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.1-1

o A long-standing bug concerning improper message disposition for messages with multiple recipients, one or more of which was opted-out of PMAS scanning, has been corrected.

o The PMAS GUI has been modified so that 8-bit characters can be specified in "rule" rules tests.

o The PMAS GUI quarantine script has been modified so that "$default$" logins do not match partial domains when selecting quarantine messages to display.

o A channel/socket leak in the VMF (Verify Mail From) code has been corrected.

o The OpenVMS version of the PMAS scanning engine no longer uses the C RTL routines malloc() and free() for memory management. Apparent bugs in the C RTL routines were leading to random access violations when memory was exhausted instead of actually returning error status codes.

o The wildcard help on the allowlist, blocklist, and rulelist pages in the PMAS GUI now appears in a popup window instead of in the main window.
  Previously, any unsaved additions were lost if the wildcard help was selected.

o Site-specific authentication for the PMAS GUI is now supported on UNIX. A sample site authentication program for both OpenVMS and UNIX is supplied in

__________________________________________________________________

1.5 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.1

o PMAS now supports SPF (Sender Policy Framework). For more information, see the PreciseMail Anti-Spam Gateway Management Guide.

o PMAS now supports URI and Received: DNSBL lookups, as well as URI reverse DNS lookups. For more information, see the PreciseMail Anti-Spam Gateway Management Guide.

o The PMAS Verify Mail From (VMF) feature has been reworked so the check is made locally by the PMAS code instead of by contacting the Process Software server. See the PreciseMail Anti-Spam Gateway Management Guide for full details.

o New "discard" and "score" user rules are available. In addition, "reject" and the "regexp" method are now available to users (previously, only the PMAS administrator could define such rules).

o A new configuration variable, LIMIT_USER_THRESHOLDS, can be used to limit user threshold values to the system-wide values (i.e., users will not be able to set the quarantine and discard thresholds higher than the system settings).

o The second phase of the Advanced Infrastructure module is included in this release. Quarantined and discarded messages from one or more systems running PMAS may be coalesced onto a quarantine server and/or discard server.

o Several enhancements have been made to the PMAS scanning engine:

    o The engine now recognizes longer numeric HTML encodings, e.g. "w".

    o When a message is quarantined or discarded, a new header, X-PMAS-Filename:, is added to the message's headers. This new header shows the quarantine or discard filename for the message.

    o Daily PMAS log files now roll over at midnight instead of on the first write after midnight.
      In the case of mostly-dormant worker processes, PMAS.LOG files could previously sometimes remain open well into the next day.

    o For multipart messages, "text/rfc822-headers" parts are now included in the "body" and "rawbody" tests.

    o When processing a message's body-part headers, the PMAS engine inadvertently changed tabs to blanks, breaking digitally-signed messages. This problem has been corrected.

o The web-based PMAS GUI has received several enhancements and bug fixes, including the following:

    o The PMAS GUI now checks to ensure that a user's browser has Javascript and cookies enabled before letting the user log in. Though Javascript and cookies have always been required, the GUI previously did not perform the check, resulting in unexpected behavior when those browser features had been disabled.

      Note: The INDEX.TEMPLATE file has been updated for this feature. You must update your copy of INDEX.HTML after you upgrade, or your users will not be able to log in to the PMAS GUI. Unless you have customized INDEX.HTML, simply copying the template file to INDEX.HTML will suffice.

    o The Javascript code that handles the PMAS popups (thickbox) has been upgraded, and several related problems have been corrected.

    o When adding a wildcarded address to the allow or block list via the PMAS GUI, the user is now warned that doing so may allow spam to pass through.

    o Leading and trailing spaces are now removed from addresses being added to the allow and block lists via the PMAS GUI.

    o The template variables %MSG_FILENAME% and %MSG_FULL_FILENAME% are now supported for the PMAS_QUARANTINE.TEMPLATE file for the PMAS GUI.

    o The pop-up balloons for the various sort options in the quarantine view have been corrected. Previously, they incorrectly always specified "ascending", even if the correct direction was "descending".

    o A very rare buffer overflow (and resulting accvio) in the CGI scripts has been corrected.
      The accvio happened when CGI debugging was turned on and a user's allow/block list was larger than 64K.

    o Various HTML corrections have been made to the template files.

o The PMAS PTSMTP proxy server has been enhanced in the following ways:

    o The PMAS PTSMTP anti-relay plugin will now verify MAIL FROM: addresses purporting to be from a domain for which local addresses are defined in LOCAL_ADDRESSES.TXT. This will prevent forged mail addresses from those domains from being accepted.

    o The PMAS PTSMTP anti-relay plugin can now verify MAIL FROM: and RCPT TO: addresses by calling out to a site-supplied shareable image to verify the validity of the addresses. Normally, the backend SMTP server is used to verify RCPT TO: addresses, but the site-supplied routine provides more flexibility for verification. For example, the site routine could call out to an LDAP server to verify an email address's validity. See the PreciseMail Anti-Spam Gateway Management Guide for details on implementing site-verification.

    o The PMAS PTSMTP proxy server DNSBL plugin has been modified so that DNSBL lookups do not occur for authenticated SMTP sessions.

    o The PMAS PTSMTP proxy server now supports "tarpitting". When tarpitting is enabled, responses to RCPT TO: commands are intentionally delayed, increasing the amount of time it takes for the sending client to send the message. Some people view this as a way to "punish" spammers by increasing their message transmission times, thus decreasing the number of messages they can send. Two new configuration variables control tarpitting: ptsmtp_tarpit_count specifies the number of RCPT TO: commands per session that are allowed before tarpitting is activated, and ptsmtp_tarpit_delay specifies the number of seconds each RCPT TO: response should be delayed.
    o The logical "PTSMTP_SUPPRESS_REPORTS" can be defined /SYSTEM/EXECUTIVE to prevent the periodic OPCOM messages that report on the number of worker processes currently active.

    o The Sophos plugin for the PMAS PTSMTP proxy server has been modified to correct accvios in the Sophos callable routines when Sophos database updates could not be loaded. Per the recommendation from Sophos, a database load is re-tried if it fails. If the second try fails, then a re-initialization of the Sophos API is performed.

    o The PMAS PTSMTP proxy server has been modified to properly determine the end of headers when adding the "X-PMAS-External:" and "X-PMAS-Internal:" headers. Previously, message headers with embedded carriage-return or linefeed characters could cause the PMAS header to appear in the message body when it was finally delivered to the user.

o The following changes have been made to the PMAS update procedures:

    o On OpenVMS, the PMAS updates procedure now uses the VSWEEP_AUX_DIR logical for Sophos updates, if it's defined. Previously, updated Sophos files were downloaded to the location defined by the configuration variable ANTIVIRUS_DIR, which defaulted to PMAS_ROOT:[SOPHOS].

    o PMAS_UPDATE has been modified so that when uploading PMAS statistics to the Process Software server, writes are broken up into 64K chunks. On older versions of UCX, MultiNet, and TCPware, writes larger than 64K characters would fail, resulting in partial uploads of the statistics.

    o A bug in the PMAS_UPDATE routines that could leave a socket open after a failed connection (and thus, a BG: device still allocated) has been corrected.

o A minimal HTTP server is now included with all UNIX kits. Sites with high web interface traffic may wish to continue using a full-featured web server (Apache), but smaller sites may choose the simplicity of using the integrated HTTP server.
  Enable the PMAS HTTP server by setting the value of the httpd_port configuration variable to a non-zero value. By default, the integrated HTTP server is disabled.

__________________________________________________________________

1.6 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.0-2

o The PMAS query services (VMF (Verify MAIL FROM), dynamic URI, and reputation URI) have been reworked to better handle times when the Process Software backend server is unreachable. These changes include:

    o A new backend server, physically located in a new datacenter in a different state from the primary Process Software datacenter, has been deployed. The PMAS query services will now attempt to contact this new backend server first. If it can't be reached, PMAS will attempt to contact the original backend system. This should minimize the effect of any outages due to Process Software ISP (or other ISP) issues.

    o Query service timeouts are now logged to OPCOM on VMS and syslog on UNIX.

    o In previous versions of PMAS, query service timeouts (usually caused when the Process Software backend server was unreachable) caused excessive delays when scanning messages, as each query would wait 30 seconds (the default) before timing out. For a message containing a lot of URIs, this could result in a scan time of several minutes, as each URI check timed out. The PMAS engine has been modified so that a query service timeout now results in no further attempts to contact the Process Software backend server for, by default, 15 minutes. This "no query" interval is controlled by the new configuration variable HTTP_NO_QUERY_INTERVAL.

    o Apparent bugs in the C RTL on OpenVMS systems often resulted in accvios when the query services timed out (either on the initial connection or when a read timed out). The timeout code has been reworked to use the $QIO TCP/IP interface to avoid those C RTL issues.
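The failover order and the "no query" interval described above can be modelled in a few lines. This Python sketch is an added illustration, not PMAS code: the host names, the simulated network, and the choice to track the interval per backend and in seconds are assumptions.

```python
class QueryTimeout(Exception):
    """Raised when a backend does not answer within the timeout."""


class FakeNetwork:
    """Constructed stand-in for the network: a simulated clock and a set of
    unreachable hosts, so the example runs offline and deterministically."""

    def __init__(self, down=()):
        self.now = 0.0             # simulated seconds
        self.down = set(down)
        self.attempts = []         # hosts actually contacted, in order

    def send(self, host, query, timeout):
        self.attempts.append(host)
        if host in self.down:
            self.now += timeout    # the caller blocks for the full timeout
            raise QueryTimeout(host)
        self.now += 0.05           # constructed round-trip time
        return "ok:" + query


class QueryService:
    """Ordered failover plus a no-query window after a timeout.

    Assumption: the window is kept per backend and measured in seconds.
    """

    def __init__(self, hosts, net, timeout=30.0, no_query_interval=900.0):
        self.hosts = list(hosts)   # preference order: new datacenter first
        self.net = net
        self.timeout = timeout
        self.no_query_interval = no_query_interval
        self.retry_after = {h: 0.0 for h in self.hosts}
        self.log = []              # stands in for OPCOM / syslog

    def lookup(self, query):
        for host in self.hosts:
            if self.net.now < self.retry_after[host]:
                continue           # inside this host's no-query window
            try:
                return self.net.send(host, query, self.timeout)
            except QueryTimeout:
                self.retry_after[host] = self.net.now + self.no_query_interval
                self.log.append("t=%.0fs query service timeout: %s"
                                % (self.net.now, host))
        return None                # no verdict: caller scans without this check


def scan(service, uris):
    """Look up every URI of one message; return (verdicts, seconds spent)."""
    start = service.net.now
    verdicts = [service.lookup(u) for u in uris]
    return verdicts, service.net.now - start


NEW_DC, ORIGINAL_DC = "new-dc.example", "original-dc.example"   # placeholders
URIS = ["http://site%d.example/" % i for i in range(20)]         # constructed


def demo():
    """Scan time for one 20-URI message under three outage scenarios."""
    results = {}
    # Earlier behaviour: one backend, every lookup waits out the timeout.
    net = FakeNetwork(down={ORIGINAL_DC})
    old = QueryService([ORIGINAL_DC], net, no_query_interval=0.0)
    results["old_all_down"] = scan(old, URIS)[1]
    # Reworked behaviour, both backends unreachable.
    net = FakeNetwork(down={NEW_DC, ORIGINAL_DC})
    results["new_all_down"] = scan(QueryService([NEW_DC, ORIGINAL_DC], net), URIS)[1]
    # Reworked behaviour, only the preferred backend unreachable.
    net = FakeNetwork(down={NEW_DC})
    results["new_primary_down"] = scan(QueryService([NEW_DC, ORIGINAL_DC], net), URIS)[1]
    return results


if __name__ == "__main__":
    for name, seconds in demo().items():
        print("%-18s %7.1f s" % (name, seconds))
```

In this sketch a suppressed lookup returns no verdict, so for the length of the window messages are scanned without that check; the logged timeout is the only record of when the gap began.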
o In previous versions of PMAS V3.0, the X-PMAS-Allowed: header added to messages with multiple recipients and multiple dispositions (i.e., user allowed and system allowed) contained incorrect information (or random text) for the matching rule. This problem has been corrected.

o The code that sends messages via SMTP has been modified to properly handle multiline SMTP replies, as well as replies broken up into multiple TCP/IP packets.

o The PMAS PTSMTP startup file on OpenVMS has been modified to properly support a multi-equivalence PMAS_DATA logical.

__________________________________________________________________

1.7 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.0-1

o Some PMAS customers running on OpenVMS were experiencing "hanging" PMAS processes. These were due to read timeouts while doing the VMF, dynamic URI, and reputation URI lookups. When a timeout occurred, a bug in the C RTL caused the processes to hang when trying to close the socket. The timeout code has been modified to avoid the C RTL bug by calling the appropriate system services to shut down the connections.

o The PMAS DSC cluster synchronization programs have been modified to make better use of system resources.

o The PMAS scanning engine has been modified to allow for Content-transfer-encoding: headers appearing before Content-type: headers in message bodyparts.

o The PMAS PTSMTP plugins for anti-relay and DNSBL on OpenVMS have been modified to create files with the proper file attributes. Previously, log files had no Record Attributes, preventing utilities like TAIL and TYPE from displaying the files properly.

o The OpenVMS startup procedure has been modified so that the notify job is not run if the node is a DSC client.

o The PMAS configuration template file has been modified to correct the names of a couple of configuration variables: GUI_FORCE_OPERA_JAVA_SORT and QUARANTINE_MSG_SUBJECT.
o The quarantine notification code has been modified to encode the pound sign character "#" appearing in email addresses for the release URLs. Previously, such messages could not be released from the release link in the notification message.

o The PMAS scanning engine has been modified to correctly allow for including files in the ALIASES.TXT. Previously, an included file replaced any previously-read aliases.

o The PMAS scanning engine for OpenVMS has been modified to better handle errors that might occur during the reloading of the PMAS compiled rules. Previously, it was possible for an error to result in no rules being applied to messages.

o Three new configuration variables can now be defined to hide options available in the GUI.

   o GUI_HIDE_SEND_TO_ADMIN prevents the display of the "Send to Administrator" button in the quarantine and discard views.

   o GUI_HIDE_UPLOAD_CSV prevents the display of the option to upload user address book CSV files on the allowlist page.

   o GUI_HIDE_USER_RULES prevents the display of the link to allow users to define their own "rule" rules for quarantining and discarding messages.

o The following changes have been made to the PMAS web-based GUI.

   o The help popups for the buttons on the quarantine and discard views are now properly shown after the display is re-sorted.

   o Previously, checking one or more messages in the PMAS quarantine and discard views and then pressing RETURN would cause the checked messages to be released. (Because the "Release" button was the first action for the form, it was the default action when RETURN was pressed.) Javascript code has been added to prevent pressing RETURN from causing any action on those pages.

   o The page displayed when messages are released from the quarantine notice when the user is not logged in has been modified so that the various links are no longer displayed.
     Previously, the links to the allowlist, blocklist, etc., were displayed, and clicking on one of them would take the user to the login page. This caused confusion among users who expected the message sender to be added to the allow list, block list, etc. (actions that require that the user be logged in).

   o When clicking on links in the PMAS quarantine notification, the user's email address was supposed to show up as the default address if the user was redirected to the PMAS login page. This did not always happen, and the CGI script has been modified to correct the problem.

__________________________________________________________________
1.8 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V3.0

o The PMAS web-based GUI now allows for the automatic importation of address books to a user's allow list. The Allowlist page now includes a form to let users specify the name of a CSV (comma-separated values) file that contains the contacts to be added to the allow list. Most email clients are capable of exporting their address books to a CSV format. Once the file has been uploaded, another confirmation page is presented, allowing the users to control which addresses are actually added to the allow list.

o Previous versions of PMAS would not process messages larger than 1,000 512-byte blocks; messages larger than that size were effectively ignored by PMAS. The reasoning behind the limit was that spam wasn't that large, and there was no point in scanning a message that wasn't likely to be spam. Unfortunately, these days, some spam is larger than that, so this limitation has been removed, and a new, site-controlled size limit has been implemented. A new configuration variable, MAXIMUM_SCAN_SIZE, can be defined to specify the largest size a message can be and still be scanned by PMAS.
  Unlike the old limit, the user and system allow/block lists are applied to the messages before the size is checked, providing more control over a large message's disposition. If the variable is undefined or defined as 0, there are no message size limits enforced.

o The PMAS web-based GUI has been enhanced to allow for searching the quarantine and discard without having to load the initial quarantine view. Search options have been added to the PMAS Start page.

o The PMAS group support has been extended to allow for a group-shared allowlist file. If a user is a member of a group, PMAS will look for an allow/block file named PMAS_USERS:groupname.GROUP, in addition to the user's own file and the system allow/block file. Additionally, a file named $DEFAULT$.domain is also loaded, if it exists. You can create group and default allow/block list files using an editor or via the PMAS GUI by logging in as "groupname@GROUP" or "$default$@domain".

o The initial loading of Sophos databases by the PMAS PTSMTP worker processes on OpenVMS is now staggered, reducing the load on the system when PMAS is first started. Previously, all the worker processes would try to load the databases at once, resulting in a noticeable performance hit on the system.

o The DNSBL plugin has been modified to allow email address exceptions. For example, if example.com is listed in a DNSBL, an exception rule can be added to allow mail from a particular example.com address. The new keyword DNSBL_ALLOW_EMAIL can be used in the PTSMTP_DNSBL.CONF file to specify the email address to allow. A complementary keyword, DNSBL_BLOCK_EMAIL, has been added to allow you to explicitly block email from certain addresses, regardless of the DNSBL check results.

o Filtering statistics are now stored in an SQL database, rather than CSV files.
  The bastats utility continues to be responsible for updating the statistics databases, and the adminreports CGI program generates graphical reports based on the SQL. The new stats_migrate program is run once to import any existing CSV statistics into the new SQL databases. stats_migrate is run automatically at the end of the PMAS V3.0 install process.

o The first phase of the new Advanced Infrastructure module is part of this release. Advanced Infrastructure is a high-performance software clustering module designed to be more suitable for extremely large, high volume sites than the older Data Synch Cluster (DSC) module. In V3.0-Beta1, PMAS configuration files may be synchronized between multiple nodes. A future Beta release will contain support for synchronizing statistics between nodes. Support for full synchronization will continue to be added in phases over future releases.

o The UNIX kits are now installed using a simplified process common across all operating systems. See the new UNIX Installation Guide for details. (The UNIX Installation Guide supplants the separate installation guides for each UNIX operating system that were previously included in PreciseMail.)

o The email-based PMAS Processor has been modified to take additional steps to avoid mail loops between the Processor and other automated email responders. The following steps have been taken:

   o Mail from "postmaster" and "mailer-daemon" is ignored.

   o Mail with a Subject: line showing a PMAS reply subject or "out of office" is ignored.

   o Error messages generated in response to user email are now sent with a return address of "PreciseMail-NoReply" to avoid bounces from coming back to the PMAS Processor.

   o All email messages originating from PMAS now include an Auto-Submitted: header showing that they were automatically generated by software.
     The PMAS Processor ignores any mail it receives containing an Auto-Submitted: header that shows whether the message was "auto-replied" or "auto-generated".

o The PCRE regular expression library used by PMAS has been upgraded to PCRE V7.0.

o OpenVMS installations now use a shareable image for the PCRE library, resulting in lower memory requirements for PMAS (in particular, the PMAS PTSMTP worker processes).

o The PMAS web-based GUI now uses the Thickbox package for all popups. Thickbox creates frames on top of the existing browser window instead of a separate popup window.

__________________________________________________________________
1.9 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V2.4-3

o PMAS has been enhanced to show the matching Allow rule for messages that are allowed by either a system or user allow rule. The X-PMAS-Allow: header that has always been added to such messages now shows the matching allow rule:

     X-PMAS-Allow: *@example.com

o If an error occurs when trying to create a quarantine or discard file, the message is forwarded to the recipient. In previous versions of PMAS, the message was forwarded as-is. Such messages are now tagged (i.e., the Subject: line is modified) to show that the message is spam.

o The PreciseMail Quarantine GUI has been enhanced to allow sorting using the From: column in the display table.

o Chained TLS certificates are now supported by PMAS.

o The pmasadmin utility now supports a rename command for renaming records.

o A new eval test, check_for_bad_mime(), has been added to allow for testing of MIME messages that do not have valid MIME boundaries.

o The PMAS PTSMTP anti-relay plugin (relayplug) has been modified in the following ways:

   o When checking local addresses, "+" subaddresses are now supported.
   o Authenticated SMTP connections (connections that authenticate using the ESMTP AUTH command) are now recognized and treated as internal connections (i.e., such connections bypass all of the anti-relay checks). Messages received from authenticated sources now reflect this in the X-PMAS-Internal: and X-PMAS-External: headers, which get a "-Auth" suffix added, making them X-PMAS-Internal-Auth: and X-PMAS-External-Auth:.

   o Percent-hacked and UUCP-style bang (!) recipient addresses are now properly handled by the anti-relay plugin. Previously, such addresses were allowed through.

o The PMAS PTSMTP DNSBL plugin now allows mail sent to "postmaster" and "abuse" from DNSBL-listed clients to adhere to the RFCs. A new PMAS configuration variable, PTSMTP_DNSBL_ALLOW_POSTMASTER, can be used to disable this feature.

o The PreciseMail Quarantine CGI script now removes spurious carriage-return characters in From: addresses. Messages containing such headers previously caused errors in the Javascript used by the quarantine display, resulting in a blank table.

o A debug line in the PMAS PMDF channel master program would result in access violations when processing messages with very long headers when debugging was turned on. This problem has been corrected.

o The system quarantine threshold is now used when a user quarantine rule matches and the user's preferences specify that the system threshold should be applied. Previously, the user threshold was always used, resulting in a threshold of 0 for all such cases.

o The run_nightly.sh script for UNIX systems has been modified to allow for directory mtime updates caused by deleting quarantine messages. Previously, empty directories were sometimes left behind longer than they should have been.

o The run_nightly.sh script for UNIX systems has been modified to use -follow when looking for quarantine and discard files. Previously, symlink directories were not supported.
o The PMAS milter program for UNIX systems has been modified to correct a segmentation fault that occurred when processing messages that had lines longer than 1,024 characters.

o A problem detecting Daylight Savings Time when creating Date: headers for SMTP messages generated on UNIX systems has been corrected.

o The "rule" rules did not properly support the ENVELOPE_TO_ALIAS (an access violation resulted when such rules were executed). This problem has been corrected.

o The ClamAV engine shipped with PMAS PTSMTP for UNIX has been upgraded to version 0.90.1.

__________________________________________________________________
1.10 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V2.4-2

o The PreciseMail email-based processor did not preserve rule rules in user allow/block lists when allow and block entries were added or removed using the email interface. This problem has been corrected.

o Memory optimizations made in the handling of PMAS alias files for PMAS V2.4 on OpenVMS resulted in extra processing time, which caused unacceptable slowdowns for sites with many thousands of PMAS aliases. The pre-V2.4 processing algorithm is now used for everything except the PMAS_COMPILE image, which benefits from the memory optimizations versus processing time.

o Under certain conditions, Javascript errors were reported when using the preferences page in the PMAS GUI. These problems have been corrected.

o The PMAS_START.COM procedure has been updated to correct a problem with the automatic generation of configuration files when TLS is enabled for the PMAS PTSMTP proxy server.

o SMTP pipelining caused problems for sites using only the Sophos plugin for the PMAS PTSMTP proxy server (and not the PMAS plugin). The SOPHPLUG image has been modified to disable pipelining, just as PMASPLUG always has.

o When adding allow or block entries via the PMAS GUI, addresses containing an equal sign were rejected as being invalid.
  The Javascript code for these pages has been modified to allow an equal sign in addresses.

o Internet Explorer did not properly handle the popup windows created by PMAS logins to multiple systems. The Javascript handling the popup windows has been modified to work around the Internet Explorer problem. (Firefox and Opera did not exhibit the problem; the fix works for all browsers.)

o The login failure page for the PMAS GUI did not include a full path reference to the stylesheet used by the page. This problem has been corrected.

__________________________________________________________________
1.11 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V2.4-1

o Some browsers send unexpected binary characters when saving allow, block, and rule lists via the GUI. The PMAS CGI scripts have been modified to ignore those characters.

o (UNIX only) The PMAS images have been modified to use a lowercase domain name when looking up the "$default$" user database records. The behavior now matches the behavior on OpenVMS.

o When modifying rule lists via the GUI, backslashes in regular expressions would "disappear" in the browser display. This problem has been corrected.

o When adding a reject rule, the SMTP status text wasn't saved properly. This problem has been corrected.

o (OpenVMS only) PMAS_START.COM was modified to properly create the plugins file for the anti-relay plugin support.

o The PMAS CGI scripts were modified to work around a CSWS (Apache) V2.1 problem on OpenVMS by adding a secondary linefeed to redirect replies.

o (OpenVMS only) allow_from rules containing wildcards were effectively ignored when the compiled rules global section was in use. This problem has been corrected.
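The anti-relay changes listed under V2.4-3 (section 1.9) can be pictured as a recipient check like the one below. This is an added example, not PMAS or relayplug code: the function names, the reason strings, and the local domain and mailbox sets are assumptions made for illustration, and treating every "%" or "!" in a local part as a relay request is a conservative policy chosen here.

```python
import re

# Constructed site data for this example (assumptions, not PMAS settings).
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"alice", "postmaster", "abuse"}


def classify_recipient(rcpt):
    """Classify one RCPT TO argument for an anti-relay decision.

    Returns "local", "unknown-local", "relay-percent", "relay-bang",
    "relay-domain" or "invalid".
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # Drop a source route ("@hop1,@hop2:user@domain"); only the final
    # mailbox decides where the message would end up.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    # Whitespace or control characters (stray CR/LF included) are rejected.
    if not addr or re.search(r"[\s\x00-\x1f\x7f]", addr):
        return "invalid"

    local, at, domain = addr.rpartition("@")
    if not at:                       # no "@": bare mailbox or pure bang path
        local, domain = addr, None
    if not local:
        return "invalid"

    if domain is not None and domain.lower().rstrip(".") not in LOCAL_DOMAINS:
        return "relay-domain"

    # The domain is ours (or absent), but the local part can still name a
    # second hop. Any "!" or "%" there is treated as a relay request.
    if "!" in local:
        return "relay-bang"          # other.example!bob[@example.com]
    if "%" in local:
        return "relay-percent"       # bob%other.example@example.com

    mailbox = local.split("+", 1)[0].lower()    # strip a "+" subaddress
    return "local" if mailbox in LOCAL_USERS else "unknown-local"


def accept_rcpt(rcpt, internal=False, authenticated=False):
    """Return (accepted, reason) for one recipient on one connection."""
    if authenticated:                # ESMTP AUTH: handled as internal
        return True, "internal-auth"
    if internal:
        return True, "internal"
    kind = classify_recipient(rcpt)
    return kind == "local", kind


if __name__ == "__main__":
    # Constructed sample recipients.
    for sample in ("<alice+lists@example.com>",
                   "<bob%other.example@example.com>",
                   "<other.example!bob@example.com>",
                   "<bob@other.example>"):
        print(sample, accept_rcpt(sample))
```
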
__________________________________________________________________
1.12 New Features and Bug fixes in PreciseMail Anti-Spam Gateway V2.4

o New user-defined rules are supported to grant users more control over allowing, blocking, and quarantining messages. See the PreciseMail Anti-Spam Gateway Management Guide for details.

o The PMAS PTSMTP Proxy SMTP Server no longer complains about TLS not being configured. It previously generated OPCOM warnings, even if you didn't intend to run TLS.

o The PMAS PTSMTP Proxy Server now supports RHSBL (Right-Hand Side blacklisting). See the PreciseMail Anti-Spam Gateway Management Guide for details.

o The PMAS rule file can now be "compiled" into a global section on OpenVMS. The compiled rules load significantly faster than the uncompiled rules, which will result in better message throughput for the PMAS PMDF channel. A new image, PMAS_EXE:PMAS_COMPILE.EXE, creates the global section, named PMAS_DATA:PMAS_COMPILED_DATA.DAT, from the various .CF files in PMAS_DATA:. The autoupdate batch job has been modified to automatically compile the rules whenever new rules are downloaded. The PMAS_DATA:ALIASES.TXT file is also included in the compiled data global section.

o PMAS rule file lines can now be continued by ending a line with the backslash character "\". Leading whitespace on the continuation line is not ignored, so caution should be used when continuing a line in the middle of a regular expression.

o Users can now opt to not receive positive-results email acknowledgements from the PreciseMail email-based processor.

o The PMAS web-based GUI interface has been updated.

   o The system-wide allow/block lists can now be managed via the web-based system administrator's GUI.

   o Users can now choose to have web-based popup windows for various actions performed from the Quarantine View web page.
     If enabled, small popups are displayed when releasing messages, adding senders to the allow and block lists, and forwarding messages to the administrator. The use of popups preserves the quarantine view in the main window, instead of requiring that the user go back a page to return to the quarantine view.

   o Clicking on a link to leave the allowlist or blocklist page now results in a check for changes and a prompt to save the changes before going to the new page. Previously, any changes made were lost if the user did not explicitly save them before leaving the page.

   o The 5-second delay pages when logging in and logging out have been removed.

   o When deleting messages from the quarantine view, the quarantine view is now simply refreshed instead of going to a page that tells how many messages were deleted.

   o The user preferences page has been redesigned to make it easier for users to change their preferences.

   o A preferences page for the PMAS_ADMIN account that controls the quarantine view when viewing the quarantine for all users has been added.

   o The allowlist and blocklist entries can now be sorted by domain or by username, making it easier to manage the lists.

   o Addresses entered into an allow or block list are now more thoroughly checked for syntax errors.

   o The allowlist and blocklist pages now allow for an optional description to be added for each list entry, making it easier to manage the lists. When adding an address to your allowlist after releasing a message from the quarantine, the personal name from the From: header is now added as the optional description.

   o When entering a search string on the quarantine view page, you can now also choose which date to search without having to load that day's messages first.

   o Any errors that occur when releasing messages are now displayed. Previously, errors were shown only in the debug log files.
o When messages are forwarded to the administrator from the pmas_admin account, the ADMIN_EMAIL_ADDRESS address is now used as the envelope From: address.

o When errors occur releasing messages, the error messages are now displayed in the GUI.

o When adding addresses to allow lists after a release, the personal name from the email is now stored as a description for the address.

o When authenticating against POP3 and IMAP4 servers, "/virtual" can be specified after the server host name to indicate that the server provides virtual domain support and that the entire email address should be used for authentication instead of just the username portion of the address.

o The PMAS startup now correctly creates the necessary TLS configuration files for STARTTLS support in the PMAS PTSMTP Proxy SMTP Server. Previous versions of PMAS allowed TLS support, but only via a designated TLS port. The following new configuration variables have been added: PTSMTP_ENABLE_STARTTLS, PTSMTP_TLS_PUBLIC_CERT, and PTSMTP_TLS_PRIVATE_CERT.

o The following new configuration variables have been added:

   o GATHER_STATS - Specifies whether or not the PreciseMail Stats batch job should be run every hour.

   o PTSMTP_BASE_PRIORITY - Specifies the base priority for the PTSMTP Controller process.

   o AUTOUPDATE_TIMES - Specifies times the PMAS AutoUpdate batch job should be run, if you don't want it to run hourly.

o The PMAS quarantine notification job now converts 8-bit characters to "." in the message body to avoid problems with character-cell displays.

o The PMAS quarantine notice email message can now be completely customized, including specifying the layout of the message rows. Several new variables are supported now to make the customization as flexible as possible.
o The reloading of Sophos data files by the PMAS PTSMTP proxy SMTP server worker processes is now staggered, reducing the performance and I/O load on the system after an update is downloaded. Previously, it was possible for all the worker processes to reload the data files at the same time, resulting in a severe performance hit for the system.

o The PMAS filtering engine now ignores invalid quoted-printable encoding when processing message body parts. In previous versions, an invalid encoding resulted in that body part being ignored in all of the rule tests.

o The Dynamic URI filtering code now ignores "cid:" URIs.

o A new feature for dynamically testing URI reputations has been added to PMAS. Like the Dynamic URI filtering, the URI Reputation filter calls out to a Process Software system to consult a database to determine the URI reputation. PreciseMail proactively analyzes websites for pornographic, phishing, and drug content. The results of the analysis are used for URI reputation filtering. By comparison, Dynamic URI filtering only consults a few URI blacklists.

o User action reports are now available. These web-based reports provide information on the number of users performing specific actions such as user GUI logins, quarantine views, allow/block list updates, releasing messages, previewing messages, deleting messages, etc. These reports give administrators information on how PreciseMail is being used by their organization.

o The PMAS reports web pages now display statistics for DNSBL-rejected messages.

o PreciseMail Anti-Spam Gateway SMTP proxy integrates with Clam AntiVirus on UNIX platforms. Clam AntiVirus is an open source anti-virus filter which includes a flexible and scalable multi-threaded daemon. For more information about Clam AntiVirus, go to http://www.clamav.net/.

o A programmable interface to the PMAS user database is now available.
  See the PreciseMail Anti-Spam Gateway Programming Guide for more information.

o The DNSBL plugin has been modified so that multiple DNSBL rules for a particular DNSBL server do not result in multiple DNS calls to that server for a single connection.

o The PMAS_START.COM procedure has been modified to correctly create the PTSMTP plugin configuration file when the DNSBL file is created or updated.

o PMAS Reports web page now includes DNSBL-rejected statistics.

o The PMAS user database API has been added to the VMS kits. Example files can be found in PMAS_ROOT:[DOC.API.USERDB] on VMS.

o The following configuration variables have been created to specify timeouts for various connection attempts:

   o VMF_CONNECT_TIMEOUT - Connect timeout for VMF queries

   o DYN_URI_CONNECT_TIMEOUT - Connect timeout for dynamic URI queries

   o REP_URI_CONNECT_TIMEOUT - Connect timeout for reputation URI queries

   o UPDATES_CONNECT_TIMEOUT - Connect timeout for PMAS rule updates

   o POP3_CONNECT_TIMEOUT - Connect timeout for POP3 authorization queries

   o IMAP4_CONNECT_TIMEOUT - Connect timeout for IMAP4 authorization queries

  They all default to 30.0 seconds, except for UPDATES_CONNECT_TIMEOUT, which has a default value of 120.0 seconds. Support for all of these variables has been added to the PMAS admin GUI pages.

o The quarantine and discard CGI programs now remove any bogus carriage-return characters in the From:, To:, or Subject: headers. Previously, an embedded carriage-return resulted in a Javascript error when trying to view the quarantine or discard.

o The RFC822 address parser has been modified to ignore any extraneous carriage-control characters.

o For VMS, the rule update procedure now includes any PMAS_COMPILE error in the update status report mailed to the administrator.

o For sites using source-route addressing, the source routes are now removed for VMF queries.

o The PMAS admin GUI now includes support for the GUI_DELETE_UPON_RELEASE variable.
o A new configuration variable, GUI_RENAME_UPON_DELETE, has been created. If defined as "yes", files deleted using the PMAS GUI are not actually deleted, but are instead renamed to a "_delete" extension. They no longer show up in the quarantine or discard display, but the files themselves are still physically present on the system and are visible to the administrator by selecting "Show deleted messages" on the quarantine and discard pages. This allows administrators to recover quarantined messages accidentally deleted by users. The PMAS admin GUI also supports this new variable.

o The interactive PMAS.EXE image on VMS now inhibits the displaying of the final status message. PMAS exits with a status code indicating the final outcome of the message (forwarded, quarantined, etc.). Some of the status codes correspond to VMS access violation errors, which caused DCL to display a false access violation error message. The messages are suppressed now, though the final $STATUS variable still reflects values from 1 through 12.

o The DNSBL plugin for the PMAS PTSMTP proxy server now temporarily caches DNSBL responses to prevent unnecessary multiple DNS queries.

o The default value for DISCARD_THRESHOLD has been raised to 50.0.

_______________________________________________________
2 Known Bugs and Restrictions

This chapter describes the known bugs and restrictions of PreciseMail Anti-Spam Gateway V3.2.

There are no known bugs or restrictions at this time.
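The query-service behaviour described for V3.0-2 (section 1.6), together with the 30-second connect timeouts listed in section 1.12, amounts to ordered failover plus a "no query" interval. The sketch below is an added example, not PMAS code: the class and function names, the backend names, the reply values, the use of seconds for the interval, and the choice to start the interval only after every backend has timed out are all assumptions.

```python
import time

# Placeholder backend names; the release notes do not give host names.
BACKENDS = ["new-backend.invalid", "original-backend.invalid"]


class QueryGate:
    """Try each backend in order; after a full timeout, stop asking for a while."""

    def __init__(self, backends, no_query_interval=900.0, clock=time.monotonic):
        self.backends = list(backends)
        self.no_query_interval = no_query_interval    # seconds (assumed unit)
        self.clock = clock
        self.suppressed_until = float("-inf")
        self.events = []              # stands in for OPCOM / syslog

    def query(self, send, request):
        """send(backend, request) returns a reply or raises TimeoutError.

        Returns the reply, or None when no answer is available. In this
        sketch None means "no verdict" for that lookup (an assumption).
        """
        if self.clock() < self.suppressed_until:
            return None               # still inside the "no query" interval
        for backend in self.backends:
            try:
                return send(backend, request)
            except TimeoutError:
                self.events.append(f"query timeout: {backend}")
        self.suppressed_until = self.clock() + self.no_query_interval
        self.events.append(f"queries suspended for {self.no_query_interval:.0f}s")
        return None


class FakeClock:
    """Deterministic clock so the timing can be checked without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scan_time(uri_count, backends, no_query_interval, timeout=30.0):
    """Lookup time for one message with uri_count URIs while all backends are down."""
    clock = FakeClock()
    gate = QueryGate(backends, no_query_interval, clock)

    def unreachable(backend, request):
        clock.advance(timeout)        # each failed attempt burns the full timeout
        raise TimeoutError(backend)

    for i in range(uri_count):
        gate.query(unreachable, f"uri-{i}")
    return clock(), gate


if __name__ == "__main__":
    old, _ = scan_time(20, BACKENDS[1:], no_query_interval=0.0)
    new, _ = scan_time(20, BACKENDS, no_query_interval=900.0)
    print(f"one backend, no interval: {old:.0f}s; two backends, 15 min interval: {new:.0f}s")
```
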