Solutions Newsletter - Spring 2006 - Volume 11 Issue 1

Product Roadmap

PMDF v6.3 release is planned for the end of March. New features include support for Integrity on OpenVMS v8.2 or higher, Solaris 10, and user authentication against Microsoft Active Directory.

PreciseMail Anti-Spam Gateway v2.4 is planned for the second half of 2006. This release will add another layer of spam protection with a reputation filter. Other enhancements will focus on improving the administrative interface, such as implementing a web-based option for system-wide allow and block lists.

MultiNet v5.2 includes the following new features: an upgrade of IPSEC to include automatic key management and VPN support, IPv6, a BIND 9 server, and performance improvements. The planned beta and release dates will be posted on our website soon.

TCPware v5.7-2 was released in December. It supports VAX v5.5-2 or higher, Alpha v6.2 or higher, and Integrity v8.2 or higher. New features include an SSH/SFTP upgrade, ODS-5 for NFS Server support, and NTP v4.1 support. The next release of TCPware is in the planning stages. If you have any specific enhancement requests, send them to support@process.com.

Customer Satisfaction Survey

Your feedback is important to us. Please help us improve our products and services by taking a few minutes to complete a customer satisfaction survey. We have two surveys to address specific requirements and plans for the messaging and TCP/IP product lines. You are welcome to fill out one or both surveys.

If you use Process Software messaging products (including PMDF, PMAS, and Web Access), go to http://salesdemo.process.com:8080/index.php?sid=2

If you use Process Software TCP/IP products (including MultiNet, TCPware, and SSH for OpenVMS), go to http://salesdemo.process.com:8080/index.php?sid=3

As a thank you, we are offering all customers that complete this survey a chance to win an Apple iPod Nano in a drawing.

The closing date for submitting this survey is March 10. The winner of the drawing will be notified by email after this date.

New Product Preview - OpenVMS Authentication Module

Process Software's OpenVMS Authentication Module provides an added layer of security for protecting mission critical applications running on OpenVMS. The first authentication method being offered is RSA SecurID. Its two-factor authentication is based on something you know (a password or PIN) and something you have (a small, portable hardware device called a hardware authenticator, sometimes called a security token), providing a much more reliable level of user authentication than reusable passwords.

Process Software's OpenVMS Authentication Module software protects sensitive data assets stored within the enterprise from unauthorized access. Once an administrator logs into the OpenVMS operating system using normal procedures, access to specific applications can be granted to users with RSA SecurID cards. Administrators can also enable the RSA token authentication process to work as part of OpenVMS LOGINOUT on either a system-wide or user specific basis.

Organizations can integrate the RSA SecurID agent using the OpenVMS Authentication Module API. Process Software is also available to help with any special requests including additional authentication methods and application integration. OpenVMS Authentication Module will be released in late March. Look for the release announcement on the Process Software website. For a free evaluation, send an email to info@process.com.

Patch Corner

PreciseMail Anti-Spam Gateway

An ECO kit for PreciseMail Anti-Spam Gateway V2.3 is now available for download. This ECO kit increments the PMAS version number from V2.3 or V2.3-1 to V2.3-2. This is *NOT* a full installation kit. You must be running PMAS V2.3 before you can install the V2.3-2 ECO kit.

The PMAS V2.3-2 ECO kit includes the recently released v2.3-1 ECO. It contains both bug fixes and enhancements such as:

The PMAS V2.3-2 kits can be downloaded via FTP. Contact our customer support department for details.

MultiNet

There are several patches that have been issued since January 1, 2006. These patches address the following components: Kerberos 5, loadable R services, SSH, NTY drivers, and several kernel fixes. The recommended patch list and patch download links can be found at http://www.process.com/techsupport/patches.html#multinet.

TCPware

Several patches have been issued for TCPware. They correct problems found in Integrity v8.2-1 and an FTP timing error, and include assorted security fixes. The recommended patch list and patch download links can be found at http://www.process.com/techsupport/patches.html#tcpware.

SSH

SSH/SFTP CERT Advisory 419241 - A CERT advisory has been issued that addresses a potential vulnerability in SFTP as used by MultiNet, TCPware, and SSH for OpenVMS. We have examined the code, and this vulnerability is not present in Process Software SSH/SFTP.

Process Software Events

NERCOMP 2006 (an Educause Affiliate), March 21-22, Booth 321 at the DCU Center in Worcester, MA.

OpenVMS Bootcamp Partner Roundhouse, May 23, 2006 at the Sheraton Hotel in Nashua, NH.

Sun Java System Communications & Collaboration User Group presentation on spam filtering, April 12, 2006 at Sun Microsystems, 16000 Dallas Parkway, Dallas, TX.

A MultiNet 3-day technical training is tentatively scheduled in April. No dates have been set. If you are interested in attending this class, please contact your sales representative or send an email to sales@process.com and let us know what dates you are available to attend the class.

New top 10 Spamvertised domains

New to the Process website is a dynamic list of the top 10 Spamvertised domains (websites advertised in spam email messages) which is updated hourly. This list is located in our Spam & Virus Resource Center at http://www.process.com/precisemail/resource.html.

Exposing Nigerian Email Scams

First in a series of articles, a Process Software engineer chronicles his interactions with several scammers to demonstrate the inner workings of the Nigerian scams and who is behind them. As an email expert, he is able to protect his systems and identity from the scammers while exposing different elements of the con. http://www.process.com/techsupport/Exposing_419_1.pdf.

White Paper Suggestion Box

We would like to hear from you on the topics you want us to write about. Send your suggestions to maschio@process.com.

Tech Tip – PreciseMail Anti-Spam Gateway Performance Tuning

The Environment:

Here are tips on how to improve your message delivery performance if your current configuration includes PMDF with an integrated deployment of PreciseMail Anti-Spam Gateway (via the PMDF PMAS channel) and Sophos antivirus (using the PMDF conversion channel).

The Problem:

Sophos scanning via the conversion channel consumes a lot of resources, which can slow your system down. It can be very expensive, as the Sophos databases have to be read in for every execution of the Sophos image. There’s a lot of disk I/O required to do that---much more than that required by PreciseMail Anti-Spam Gateway, even with a huge aliases file. On top of Sophos overhead, the message gets copied at least three times (when it’s enqueued to the PMAS channel, when it’s enqueued to the conversion channel, and when it’s enqueued to whatever channel as it leaves the conversion channel), plus there’s the overhead of activating each of the channels, loading in databases, decoding the message (to disk, not memory), etc.

The Solution:

1. To improve your performance, we recommend you first change the sequence of events. Run anti-spam checking first then pass messages to the conversion channel to run Sophos. Move the Sophos antivirus executable and IDE files to a different disk from PMDF/PMAS files. The PMDF queue files should be on a separate disk.

2. Judicious use of allowlists will reduce scan times. Any performance improvement will depend on how much of your traffic would fall under allowlist rules.

3. Consider not using Bayesian filtering. The Bayesian filtering files can become large and therefore potentially impact your system’s performance. You will need to evaluate how much the Bayesian filter contributes to the overall accuracy of the PreciseMail system and consider the trade-offs. In its place, consider implementing a DNS-based block list service. You would block mail that is coming from open relays, compromised systems, spam gangs, and dynamic IP addresses. This could dramatically cut down the amount of mail on your system that requires scanning.

4. Implement the PreciseMail Anti-Spam Gateway PTSMTP proxy server and the Sophos plugin. Although this may not be the best solution for every environment because some PMDF configurations rely on PMDF features that can't be used in a proxy environment (PMDF will see all messages as originating from the system running the proxy server), it is the best way to increase performance (at the cost of additional memory and possibly some configuration changes).

For example, PreciseMail PTSMTP can run on a Linux (or any other platform) front-end and continue to use the VMS PMDF system as the backend MTA (process.com is set up this way).

The PMAS rules are maintained in memory, cutting down on disk I/O, and, more importantly, the Sophos databases are also kept in memory, which makes Sophos-scanning very fast.

In summary, switching to the proxy server will greatly reduce the amount of processing time required for each message, at the expense of additional memory for each worker process to keep the PreciseMail and Sophos rules in memory.

Frequently Asked Questions

SSH
Q. How do I resolve SFTP and SCP file transfer problems between my OpenVMS system and non-OpenVMS system?

A. The original SSH File Transfer Protocol specified binary access to files; though the protocol has been updated to include a text (ASCII) transfer mode, many vendors have not implemented this to date.

The first implementation of SCP2 and SFTP2 that Process Software offered in MultiNet v4.4, TCPware v5.6, and SSH for OpenVMS v1.0 would perform an automatic conversion of common VMS text file formats to stream-lf (Unix) format. The file types that were translated depended on the value of the logical MULTINET_SFTP_TRANSLATE (or for TCPware use TCPWARE_SFTP_TRANSLATE).

In MultiNet v4.4, TCPware v5.6, and SSH for OpenVMS v1.0, the default value is that no files are converted. Beginning in MultiNet v5.0, TCPware v5.7-1, and SSH for OpenVMS v2.0, the default value is all files. The downside of this conversion is an “end of file” message for implementations that expect to transfer the exact number of bytes that was reported for the file. Though the file size estimation routine uses a number of items to determine how many bytes will actually be delivered, its result is usually high (it is never low). For customers that cannot tolerate the inaccuracies of the estimation, there is now an estimate threshold (MULTINET_SFTP_FILE_ESTIMATE_THRESHOLD, or for TCPware use TCPWARE_SFTP_FILE_ESTIMATE_THRESHOLD). The default value of this is 0, so that performance is maintained, as files that are smaller than the threshold are read to get an exact number of bytes.

In MultiNet v5.1 (or v5.0 plus all ECOs), TCPware v5.7-2, and SSH for OpenVMS v2.0 (plus ECOs), when the SFTP client and server connect, the server reports its newline sequence. The SFTP client uses this value during ASCII translations to convert from the local representation to the negotiated representation for the transfer. If no value is specified during the connection, then the default value of linefeed is used. This can be overridden with the MULTINET_SFTP_NEWLINE_STYLE logical (or for TCPware use TCPWARE_SFTP_NEWLINE_STYLE). Use of this logical can also have a performance impact, as it is possible to have a file that is in stream-lf format read, have carriage returns added, and then have them removed when the file is transferred. Because the SFTP client and server are backward compatible, it is often possible to transfer a file in ASCII mode to a server that does not have this transfer mode available. This depends upon the default newline value being appropriate for the remote system.

File naming is another area that may require some additional configuration. VMS ODS2 disks only store file names in uppercase. To preserve the case of the original files we use SRI encoding. The SRI encoding on ODS2 disks can be disabled with the MULTINET_SFTP_ODS2_SRI_ENCODING logical (or for TCPware use TCPWARE_SFTP_ODS2_SRI_ENCODING). (This is also used by our NFS server and FTP server when operating in Unix mode.) ODS5 disks retain case, so SRI encoding is not normally used on these disks. VMS directories contain the extension .DIR, which is not used when directories are used in a file specification and generally not used by other systems. For compatibility's sake the SFTP client and server assume that a file without a dot in it is a directory. There are times when the type of the file cannot be properly inferred, and the default value of UNKNOWN can lead to errors in parsing of file specifications. To provide a workaround for these situations, the logical MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR (for TCPware use TCPWARE_SFTP_DEFAULT_FILE_TYPE_REGULAR) has been added to cause the SFTP client to assume that a file is a “REGULAR” (instead of a directory) when it cannot determine it from context.
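
The byte-count mismatch described in the answer above can be reproduced with a small model. This is an added example, not Process Software code: it assumes a simplified RMS variable-length record layout (2-byte count, data, pad to an even length), takes the announced estimate to be the on-disk size, treats the threshold as a byte count, and all function names are hypothetical.

```python
import struct

# Constructed sample records (odd, even and empty lengths).
SAMPLE_RECORDS = [b"alpha", b"be", b"", b"gamma!"]

def build_var_file(records):
    """Serialize records in the simplified variable-length layout:
    2-byte little-endian count, record data, pad byte if the length is odd."""
    out = bytearray()
    for rec in records:
        out += struct.pack("<H", len(rec)) + rec
        if len(rec) % 2:
            out += b"\x00"
    return bytes(out)

def to_stream_lf(var_bytes):
    """Translate the simplified layout to stream-LF: record data plus LF."""
    out = bytearray()
    pos = 0
    while pos < len(var_bytes):
        (n,) = struct.unpack_from("<H", var_bytes, pos)
        pos += 2
        out += var_bytes[pos:pos + n] + b"\n"
        pos += n + (n % 2)          # skip data and the alignment pad
    return bytes(out)

def reported_size(var_bytes, threshold=0):
    """Size announced before the transfer starts (assumed model).
    Files smaller than the threshold are read and converted for an exact
    count; everything else is announced at its on-disk size."""
    if len(var_bytes) < threshold:
        return len(to_stream_lf(var_bytes)), "exact"
    return len(var_bytes), "estimate"

def check_transfer(var_bytes, threshold=0):
    """Compare the announced size with the bytes actually delivered.
    A strict client sees an early end of file when short_by > 0."""
    announced, kind = reported_size(var_bytes, threshold)
    delivered = len(to_stream_lf(var_bytes))
    return {"announced": announced, "delivered": delivered,
            "kind": kind, "short_by": announced - delivered}

if __name__ == "__main__":
    disk = build_var_file(SAMPLE_RECORDS)
    print(check_transfer(disk))                # default threshold of 0
    print(check_transfer(disk, threshold=64))  # small file read for exact size
```

In this model each record costs at least 2 bytes of overhead on disk but only 1 byte (the LF) after conversion, which is why the estimate can be high and never low.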

Q. What logicals do I need to configure when doing SFTP and SCP file transfers between two Process Software OpenVMS systems?

A. Transferring files between two VMS systems using Process Software’s SFTP is much easier compared to a VMS and non-VMS system. Our client and server recognize each other automatically and send the necessary file characteristics so that the file can have the same format on the destination system as it had on the source system.

PMDF
Q. What is the simplest way to restrict access to a distribution list?

A. The quickest and most efficient way is to use AUTH_LIST, where the users in the list are the only ones having access to the distribution list.

Example:

1. Add an entry to the ALIASES. file for the list name:

$ TYPE ALIASES.
list_name: <pmdf_table:distro_name.lis,[auth_list] pmdf_table:auth_name.lis

2. Create AUTH_NAME.LIS where you specify the list of addresses to be allowed to use the list:

$ TYPE PMDF_TABLE:auth_name.lis
address-1
address-2
...
$

To test this you would need to also specify /from=user that is allowed to send to the list:

$ pmdf test/rewrite/from=address-1 list_name@domain


Contacting Process Software

E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com - International Sales information
support@process.com - Technical Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster

Phone/Fax/Address:
U.S.A./Canada - (800)722-7770

International - (508)879-6994

Fax - (508)879-0042

Mail:
959 Concord Street
Framingham, MA 01701-4682

