Solutions Newsletter - Spring 2008 - Volume 13 Issue 1
| Seeking PMDF 6.4 Beta Testers | back to top |
Process Software is seeking beta testers for PMDF v6.4. The test will begin in late April and will last approximately 8 weeks. The major features being introduced are SPF, disclaimer channel, LDAP over TLS, web page interface for changing user passwords, SMTP authentication for outgoing mail, and other customer-driven enhancements. If you are interested in participating in the beta program, please sign-up for beta by completing the form found at this link:
http://www.process.com/tcpip/pmdf64beta.asp
| TCPware 5.8 Released | back to top |
TCPware 5.8 is imminent. Maintenance customers will be shipped the media and documentation update in the next few months. Contact support if you would like to download it from our FTP site. TCPware 5.8 features:
Features |
Description |
FTP over TLS |
FTP has been enhanced for higher security allowing for encryption of the communication between the FTP server and client. This is accomplished via support of RFC 4217. |
BIND 9.4.1p Server |
BIND 9 supports Multiple Views (also referred to as Split DNS). A common practice for organizations is to run servers for internal use separately from those for external use. But in many instances, both internal and external clients use both servers. And if the organization uses network address translation (NAT), the servers must be accessible from two different IP addresses. In the split DNS infrastructure administrators can create two zones for the same domain. One of the zones is used by internal network clients and the other zone is used by external network clients. The benefit of using split DNS is that it provides easier access management. Administrators need to manage the database in one location and not in multiple locations. Other enhancements made in the BIND 9 server include improved security in DNSSEC (signed zones) and TSIG (signed DNS requests), improved standard conformance for over 25 RFCs, and some BIND 9 tools (DIG, NSUPDATE, HOST, RNDC, and more). |
NTP v4.2 |
NTP is a protocol designed to synchronize the clocks of computers over a network. This release replaces DES with MD5 and includes various bug fixes. |
SSH Upgrade |
SSH has been upgraded and includes the following new features:
|
FTP support for VAM |
Users can be authenticated with Process Software’s VMS Authentication Module (VAM) which provides secure authentication via SecurID, LDAP, and Radius. |
Performance Enhancements |
|
SNMP Update |
A trap receive program has been added. TCPware has improved its reporting capability by displaying traps supplied by other programs. |
Improved third-party software compatibility |
Packets larger than 65535 bytes can be sent via the CRTL. |
| VAM 2.1 Released | back to top |
Process Software’s VMS Authentication Module provides an added layer of security for protecting mission critical applications running on OpenVMS. In addition to RSA SecurID Agent and secure LDAP authentication, VAM 2.1 now supports RADIUS.
RADIUS is a defacto industry standard, which allows organizations to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. VMS Authentication Module provides secure login access using a RADIUS server for authentication information. The login password is encrypted using the MD5 algorithm.
| Product Roadmap Update | back to top |
PreciseMail Anti-Spam Gateway v3.1 – Beta testing will begin in mid-summer and the release is scheduled late in 3Q. Check the Process Software website for updates and the beta sign-up form. The release will include the following features.
- Advanced Infrastructure (AI) phase 2 provides a scalable backbone for organizations that have deployed multiple high traffic email systems. Phase 2 replaces the DSC because AI will synchronize all the statistics among multiple systems.
- Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.
- Additional configuration and management will be added to the Web-based administrator interface such as viewing and updating alias files, and more.
PMDF v6.4 – Beta will begin at the end of April. The release will include the following features:
- Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.
- Disclaimer Channel allows for organizations to add automated legal notices to their email. It is invoked using a mapping table called DISCLAIMER. Administrators decide when to invoke it based on the incoming and outgoing channels. There are 5 choices of locations where disclaimer text can appear. The disclaimer text can also be configured to apply to certain groups of email users.
- LDAP over TLS support allows LDAP traffic to be confidential and secure. PMDF makes use of OpenLDAP v2.3 to support LDAP over TLS.
- PMDF change-password web page allows help desk administrators to change a password without knowing the old password.
- SMTP authentication for outgoing mail - username and password is associated with a channel so that PMDF can respond to the ISP's authentication challenge.
MultiNet v5.3 - Beta testing will begin in late summer. Check the Process Software website for updates and the beta sign-up form. The release will include the following features:
- FTP over TLS support for RFC 4217. It allows for encryption of the communication between the FTP server and client.
- Advanced Packet Filtering. This is based on an intrusion detection and prevention architecture. Instrumented applications can detect malicious or unwanted behavior and can react in real-time to block or prevent those activities. When an instrumented application detects a problem (or "event"), the event is communicated to a central filter server. The central filter server correlates these events based on predefined, application-specific, rule sets. Among the things that are included are source address, event type (as defined by the application; for example, an invalid password), and frequency of occurrence over a timeframe. It then determines if a blocking filter should be added to the list of filters for the interface.
- IPv6 Applications – IPv6 support will be added to the printing applications, DNS resolver, SMNP, and more.
- SSH update
- BIND 9 upgrade to v9.4.1p or later.
- Kernel level performance enhancements
SSH for OpenVMS v2.4 – there will be an update in 4Q08.
TCPware Next- the next release of TCPware is in the planning stages. Please send your suggestions to maschio@process.com.
| How to Win the Spyware Battle with Next Generation Technology | back to top |
In the past year there have been many real life examples of what can happen if sensitive data has not been secured properly. Data security breaches have been reported at many high profile companies including TJX, Disney, Western Union, Fidelity, Monster.com and TD Ameritrade. The FBI estimates that spyware and other computer-related crimes cost US businesses $67 billion per year. The damage to a company’s brand is immeasurable.
Spyware is on the rise and has been the cause of many data breaches. Even in the face of escalating data security breaches, many administrators are not using a solution that specifically addresses the spyware threat. This white paper describes some advances made in antispyware technology, provides examples of how it works, and outlines why it is more effective at eliminating spyware than current technology used by many solutions today.
http://www.process.com/spycatcher/spywhite.asp
| Patch Corner | back to top |
Here is a list of new product patches on the most current releases from January to March 2008.
MultiNet 5.2 PatchesDescription: |
Multiple changes |
ECO Ranking (max ranking): |
1 |
Release date: |
11-MAR-2008 |
Full description: |
Description: |
Various fixes |
ECO Ranking (max ranking): |
2 |
Release date: |
9-JAN-2008 |
Full description: |
|
Requisites: |
UCX_LIBRARY_EMULATION-060_A052 |
Description: |
Remove large send support - now in KERNEL-UPDATE ECOs |
ECO Ranking (max ranking): |
2 |
Release date: |
11-MAR-2008 |
Full description: |
TCPware 5.7
Description: |
Correct an error in ACCPORNAM information |
ECO Ranking (max ranking): |
1 |
Release date: |
18-MAR-2008 |
Full description: |
Description: |
Correct problem loading SSHLEI image |
Max Ranking : |
0 |
Release date: |
22-JAN-2008 |
Full description: |
|
Requisites: |
DRIVERS_V572P100 |
SSH for OpenVMS v2.3 Patches
Description: |
Various fixes |
ECO Ranking (max ranking): |
0 |
Release date: |
16-JAN-2008 |
Full description: |
| FAQs | back to top |
PreciseMail Anti-Spam Gateway
Q. How do I report missed spam that got through PreciseMail Anti-Spam Gateway?
Please report it to the Report-Spam@process.com mailing list. We do not usually reply to Report-Spam posts, but every one is reviewed. We encourage customers to report missed spam as it is not always possible that we have seen a particular type of message.
It's best if you can send the message in its original, unaltered form.
Please do not forward the messages from Outlook or other PC clients, as they change the format and strip out useful information.
Q. What files would I have to move from PreciseMail PTSMTP on OpenVMS to Linux to make the new Linux server have the same configuration as the old OpenVMS server?
The following directories need to be copied:
PMAS_ROOT:[DATA] -> /pmas/data
PMAS_ROOT:[USERS] -> /pmas/user_rules
PMAS_ROOT:[GROUPS...] (if they have any)
Install PreciseMail on Linux, then copy those directory contents over.
Q. Can I find out how many times a specific user has released the messages (from quarantine or discard areas)?
There isn't a direct way to get the count in PreciseMail, but releases are logged in the user_actions.log files in the PMAS_LOG directory. A sample release log entry is:
16-Jan-2008 15:43:46|user@example.com|quarcgi|release|/pmas/quarantine/...
The last field is the full filename of the released file on disk.
It should be pretty trivial to search for the user's email address in that log file along with the keyword "release" and get a count that way. (Remember that those log files are rolled over every night like the master pmas.log, so you can restrict your search to certain days if you need to.)
Q. I have a SAVI licenses from Process Software so I can use Sophos with PreciseMail PTSMTP. What do I have to do with the licenses PAK?
The PAK contents should be extracted to PMAS_ROOT:[000000]SAVI.LICENSE.
Q. I use PreciseMail PTSMTP configuration. How can I verify the number of concurrent incoming connections (to check if the max number of worker processes is acceptable)?
$ define/system/exec ptsmtp_show_status true
That'll cause the logical PTSMTP_STATUS_INFO to be maintained:
"PTSMTP_STATUS_INFO" = "Workers: 4, Pending accepts: 0"
If you also define this one:
$ define/system/exec ptsmtp_worker_status true
your workers' process names will show their active or idle status:
$ sho system
2020C3C7 PTSMTP 0001a LEF 4 959555 0 00:09:32.29 17375 4925
2020B7C9 PTSMTP 0002i LEF 6 113464 0 00:01:15.11 7055 820
2020C7CA PTSMTP 0003i LEF 6 17602 0 00:00:14.11 4450 559
2020C5CB PTSMTP 0004i LEF 6 7660 0 00:00:06.29 3047 553
It is good if "pending accepts" is 0 or close to it. That means no connection is waiting for a worker.
PMDFQ. What does a "Y" record in the PMDF connection log signify?
It means the connection try failed before being established.
Q. Are rejected (J) messages counted against the license limit?
The "messages processed so far today" value shown on the
Monitoring Web page
(http://"pmdf server":7633/monitor/monitorv_js.html)
does not include the J messages.
A message can have both valid and invalid recipients. Valid recipients generate E records, invalid recipients generate J records. If a message has no valid recipients it isn't accepted and doesn't count as a processed message. However, if it has at least one valid recipient, it does get counted. So in some sense there can be J records associated with a message that increments the "processed message" count. But they never make the count any higher.
MultiNetQ. I have the following Multinet installation:
Process Software MultiNet V5.2 Rev A-X, COMPAQ AlphaServer DS20E 833 MHz, OpenVMS AXP V8.3
The output of the command
$ multinet show/buffer
at the end reports the following message:
*** 2 BUFFERS ARE MISSING!!! ***
What does it mean?
MultiNet 5.2 will report some buffers missing because the MultiNet show command doesn't list (and count) buffers that are used for IPv6 objects.
Q. After the upgrade to Multinet V5.2 from V5.1 on a VAX (VMS 7.3) the nameserver gives the following error message:
%named-E-config: error: none:0: open: rndc.key: file not found
I couldn't find this file and neither could I find a reference to it in the DNS config files. What does this message mean?
Bind 9 replaced NDC with RNDC. RNDC allows you to control a nameserver remotely, and it requires a secret key. The rndc.key needs to be set up in your named.conf file - see the named_conf.default file for syntax that will eliminate the message.
O'Reilly's BIND has further details on RNDC and it's key requirements. Also, install ECO NAMED-030_A052 for the latest BIND 9 images.
Contacting Process Software
E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com
- International Sales information
support@process.com - Technical
Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster
Phone/Fax/Address:
U.S.A./Canada - (800)722-7770
International - (508)879-6994
Fax - (508)879-0042
Mail:
959 Concord Street
Framingham, MA 01701-4682
Home > Newsletters > Spring 2008 - Volume 13 Issue 1
