Solutions Newsletter - Volume 14 Issue 2
GEOFF BRYANT AND PROCESS SOFTWARE WOULD LIKE TO THANK VMS ENGINEERING
“Recently, a number of people have moved on from HP's VMS Engineering team and Process Software would like to thank them for creating the best operating system in the world. Over the past 30+ years, VMS has provided a reliable and secure solution for so many mission critical systems. Process Software has been proud to be a partner for 25+ of those years and we look forward to many more years of working together.
There have been many words written about each of these special people, but we would like to thank the person who has been the face of VMS: Sue Skonetski. Sue has been a great partner for us and all the others who use VMS. Her farewell says so much:
http://groups.google.com/group/comp.os.vms/browse_thread/thread/381c2410ed9bfe0a?hl=en
Thank you Sue, you will truly be missed!”
Geoff Bryant
Vice President of Process Software Engineering
PROCESS SOFTWARE CELEBRATES 25 YEARS!
Process Software is celebrating 25 years in business. The company began back in 1984 with the introduction of TCPware as an OpenVMS solution for customers with mission-critical networks. In 1997, Process Software acquired MultiNet from Cisco, and in 2001 Process Software took over the development and support of PMDF from Sun. Since then, Process Software has continued to offer new products and services to the OpenVMS market, including PreciseMail Anti-Spam Gateway, SSH for OpenVMS, and VMS Authentication Module.
Process Software welcomed our customers and partners to join in our celebration by posting favorite OpenVMS memories to our messageboard. As a thank you, Process Software has given away a classic tie-dyed t-shirt to those who participated. It was great fun viewing what customers had to say. Here are a few comments that have been posted…
“I have been using one of Process Software's TCP/IP platforms (TCPWare, MultiNet) for at least 15 of those 25 years. Everyone there has been pleasant to work with, support has always been great, and last but not least, the products work! Congratulations on 25 years.” Rodney Wager
*****
“The employees of our research center have been enjoying your PMDF (and PreciseMail now too) products for many, many years. These products are very dependable and are loaded with useful, powerful features. Thanks Process Software!” Rich Groh
*****
“We've been using TCPware since 1992 and the love affair continues. TCPware’s ‘FTP Library’ and ‘Telnet Library’ saved us a lot of time and money. Keep up the good work and we’ll meet you for a shot of Jack Daniel’s on your fiftieth.” Neil Rieck
*****
“It has always been a pleasure to work with Process. Their products and commitment to extend and support them has been first-class. Innovation (Purveyor, SSH, VAM) is job one.” Hal Kuff
*****
“Process Software products have a long and deserved reputation for being as good as the OpenVMS operating system they run. With people like Hunter Goatley and Richard Whalen, long may it continue.” Ian Miller
*****
“MultiNet and PMDF: two awesome applications that have been the definitive standard when it comes to IP stacks and email handling on OpenVMS. Congratulations on 25 years of superb software engineering, Process Software.” Jim Duff
*****
“It has been my good fortune to have the opportunity to work with Process Software products and personnel during the past 10 years. The networking and email/SPAM-detection products are very reliable, and in the few instances where additional support was necessary, it was immediate and effective. Congratulations on your 25th anniversary.” Bill Glessner
*****
“…I remain extremely grateful to Process for saving both MultiNet and PMDF from the software scrap heap when the prior vendors saw fit to let those products die. Thank you!” Ken Connelly
PRODUCT NEWS
MultiNet - MultiNet v5.3 was released this past spring. Its new features include FTP over TLS (FTPS), new IPv6 application support, ephemeral port randomization, and a Multicast Name Responder. There have also been kernel performance improvements, an SSH upgrade, and an upgrade of the BIND 9.3.2 server to BIND 9.4. We are thrilled to be showcasing one of these latest features, the Intrusion Prevention System (IPS).
TCPware - We are looking to beta test the next version of TCPware towards the end of the third quarter of this year. Features to be incorporated into this next release include IPS functionality and ephemeral port randomization. There will also be updates to both BIND 9 and SSH. If you have any enhancement requests, please send them to support@process.com.
PMDF - Currently, the next release of PMDF is in the planning stage. The features to be incorporated into this release include an updated look for the out-of-office notices and the addition of DomainKeys Identified Mail (DKIM) as specified in RFC 4871. DKIM allows the owner of a domain to specify their mail sending policy. Also, the Berkeley DB (aka Sleepycat database) will be replaced on the UNIX and Linux platforms. If you have any enhancement requests, please send them to support@process.com.
PreciseMail Anti-Spam Gateway - A beta test for V3.2 is in the planning stages for the end of the third quarter of this year. This version will also implement DKIM, in addition to Advanced Architecture phase 3. If you have any enhancement requests, please send them to support@process.com.
SSH - Updates to SSH for OpenVMS are scheduled for the end of the year. If you have any enhancement requests, please send them to support@process.com.
PROCESS SOFTWARE DELIVERS OPENVMS SECURITY
IPS - The IPS feature monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. This feature can be found in the latest version of MultiNet and will be added to the next release of TCPware. Please take a look at both the IPS case study and the whitepaper, “Using the Intrusion Prevention System in MultiNet V 5.3”. Both of these articles can be found at the following link: http://www.process.com/tcpip/casestudy.html
OpenVMS security webinar - Process Software held an OpenVMS security webinar this past spring. The webinar was conducted by Dan O’Reilly. Mr. O’Reilly is one of the chief engineers with Process Software and he reviewed various security features that Process Software offers in our TCPIP stack. This webinar can be found on our website. We encourage you to take a look at a replay of this event. The link to view this event is http://www.process.com/vmswebinar.html. If you have any questions or remarks upon viewing, please email us at support@process.com.
PROCESS SOFTWARE PATCH NOTIFICATION METHODS
While we at Process Software strive to create and enhance our products to a high standard, occasionally bugs do occur, causing us to release eco (or patch) kits. Sometimes we will also release enhancements by way of eco kits in between major product releases. A complete list of recommended patches and ecos for all of our products can be found at the following links:
http://www.process.com/techsupport/patches.html
http://www.process.com/techsupport/eco.html
You will find links for each product and can then find the patches that you may need.
TCPware and MultiNet ECO Databases
TCPware and MultiNet have searchable databases of the ecos:
TCPware: http://vms.process.com/eco.html
MultiNet: http://www.multinet.process.com/eco.html
Customers can search for ecos based on component, product version, severity, etc. For each eco, you can read the readme file with a full description of the eco. Please note that some ecos in the database may be obsolete or private. We release an eco privately to a specific customer if we can't reproduce the reported problem and therefore can't verify the fix ourselves, or for other special reasons. When the customer confirms that a private fix resolves their issue, we make it public.
FAQs
MultiNet
Q: I am running MultiNet 5.2 on OpenVMS Alpha V8.3. The NAMED_SERVER process on this system is a primary DNS server for various domains hosted by the system. It is also used by local clients for general DNS lookups. Is there a way I can tell NAMED_SERVER to flush the results of cached queries (e.g., queries for domains this server is not authoritative for)?
A: With BIND 9, you can use the rndc tool to flush the server's entire cache, or flush only the cached records for a specific name with flushname:
$ rndc flush
$ rndc flushname <domain>
Q: What is the difference between SFTP and FTPS?
A: SFTP is the name of a user application and file access protocol that works over SSH. It is a popular choice for exchanging files between systems when security is a concern. SFTP uses a single connection for both control and data, which can mean fewer problems with firewalls. The initial (and most frequently implemented) versions of the protocol specified binary file transfer. Text mode file transfer was added to the draft specification, but there are few implementations. The SSH working group decided that they were not the correct group to pursue getting the draft to RFC status.
FTPS is an extension to FTP that uses SSL to provide security for user authentication and optionally for data transfers. FTPS is defined by RFC 4217 and requires use of a certificate that is signed by a certificate authority. FTPS operates with the existing FTP transfer modes which can make it easier to transfer files between dissimilar systems. FTPS can offer better performance as there are fewer I/O requests and processes involved in a transfer.
TCPware and MultiNet offer both SFTP and FTPS.
MultiNet/IPS
In reference to IPS, customers should install eco FILTER_SERVER-030_A053 (or later).
Q: When IPS is executing, processes occasionally notify me that events are being discarded. Why?
A: This indicates one of three things: the FILTER_SERVER process has exited for some reason; the FILTER_SERVER process is hung in MUTEX state; or the mailbox used to send events to the FILTER_SERVER process is too small.
If SHOW SYSTEM shows the FILTER_SERVER process (and it is not in MUTEX state), it is running and its mailbox is likely too small. The following logical name adjusts the size of the mailbox (it must be defined using the /SYSTEM qualifier):
MULTINET_FILTER_SERVER_MBX_MSGS
This defines the number of event messages that can exist in the FILTER_SERVER mailbox at any time. The default is 400. If the mailbox becomes full, additional messages will simply be lost. Note that if the size of the mailbox is changed, the existing mailbox must first be deleted by running MULTINET:DELMBX.EXE and following the instructions it displays.
Q: I occasionally see the FILTER_SERVER process enter MUTEX state. What causes this?
A: This is caused by the FILTER_SERVER process running out of either TQELM or ASTLM quota. You can have the FILTER_SERVER process monitor its usage of these quotas, and set higher or lower values for them, using the following logical names (these must be defined using the /SYSTEM qualifier):
MULTINET_FILTER_SERVER_QUOTA_CHECK
If defined (the value is ignored), the FILTER_SERVER process will check for remaining TQELM and ASTLM quotas. If these quotas are within 10% of being exhausted, a warning message will be sent to OPCOM. If these quotas become exhausted, the FILTER_SERVER process will likely enter MUTEX state and hang.
MULTINET_FILTER_SERVER_QUOTA_CHECK_TIME
Defines the frequency, in seconds, between quota checks. The default is 15 minutes (900 seconds).
MULTINET_FILTER_SERVER_TQELM
Defines the size of the TQELM quota with which the FILTER_SERVER process will be created. Default is 500.
MULTINET_FILTER_SERVER_ASTLM
Defines the size of the ASTLM quota with which the FILTER_SERVER process will be created. Default is 500.
Q: How do I determine the proper values for TQELM and ASTLM for the IPS FILTER_SERVER process?
A: The values for TQELM and ASTLM must be set and adjusted according to anticipated and measured traffic. When choosing values for TQELM, a good rule of thumb is to allocate TQELM as follows:
- 1 for automated hourly reporting
- 1 for automated 24-hour maintenance
- 1 for automated quota checking
- 1 for each source address per rule per component for which an event has been received. These timers are used to clean up internal address structures after 24 hours of inactivity from the address.
- 1 for each non-empty event queue per source address per rule per component. These timers are used to delete aged events from the event queue.
ASTLM tends to be consumed at a slightly higher rate than TQELM, so plan accordingly.
VAM
Q: When using the LGI callouts, logout attempts result in an error message about a missing logical name, then the session terminates. How can I rectify this?
A: VAM must be started using the "LGI" keyword. For example:
$ @sys$sysdevice:[vam]vam_startup lgi
PMDF
Q: A vendor that we send mail to is requiring all SMTP connections from us to be authenticated. Can this be done in PMDF?
A: Yes, this ability was just implemented in PMDF version 6.4. You will have to make sure that you have upgraded to PMDF 6.4 before you can use it. It is documented in the PMDF 6.4 release notes, section 3.4.
PreciseMail Anti-Spam Gateway
Q: How can I ensure that mail from my domain is not scanned by PreciseMail Anti-Spam Gateway?
A: If your PreciseMail Anti-Spam Gateway system receives mail from other internal systems, it's usually not desirable to have PMAS scan those messages. It's tempting to add an allowlist entry for "*@example.com", where "example.com" is your domain name, but such a rule is guaranteed to allow a lot of spam through, as one of the favorite spammer tricks is to forge the return address on messages so that it looks like the sender is someone in your domain.
The proper way to allow such messages is by checking for a particular message header that indicates that the message really was generated by some internal system.
If you are using PreciseMail Anti-Spam Gateway PTSMTP, one way around the problem is to ensure that all internal systems deliver mail to your system on the port on which your backend SMTP server is listening. If PMDF is your backend server and it's listening on port 2525, then configuring your internal systems to deliver mail to your PMAS system using port 2525 will bypass the PreciseMail Anti-Spam Gateway scans.
If that's not practical, then you can use the file PMAS_DATA:INTERNAL_IP.TXT to list all valid, internal IP addresses for your site. Any message received by PreciseMail Anti-Spam Gateway PTSMTP from a system listed in INTERNAL_IP.TXT will get a header like the following added to it:
X-PMAS-Internal: yyz.example.com [192.1.2.3] (EHLO yyz.example.com)
More importantly, mail received from an external system receives an X-PMAS-External: header:
X-PMAS-External: abc.outside.com [212.3.2.1] (EHLO abc.outside.com)
Because it's possible (though unlikely) that a spammer could forge the X-PMAS-Internal: header, the best way to allow messages from internal systems is to allow messages that do not have an X-PMAS-External: header:
rule allow header:x-pmas-external noexists
If you're not using PreciseMail Anti-Spam Gateway PTSMTP (though this also works for PTSMTP), then creating a rule to allow a particular Received: header format is the way to go. Messages received by your system (using, say, PMDF) will all get a Received: header that will look something like this:
Received: from [10.1.1.20] by example.com (PMDF V6.3-x18 #31533) with ESMTPSA id
<01N9PTR5WFIKAOPJ13@example.com> for joeuser@example.com; Wed, 03 Jun 2009 11:30:09 -0400 (EDT)
You can use a rule to allow any messages that have a Received: header indicating that the message was received by your system from a local system. For example, the following rule can be used to match this part of the Received: header shown above:
from [10.1.1.20] by example.com (PMDF
rule allow received matches_regexp "^from \[10\.\d+\.\d+\.\d+\] by example\.com \(PMDF.+"
You may need to craft similar rules for different types of messages (e.g., messages generated locally using PMDF MAIL may have a slightly different Received: header), but the concept is the same: you want to allow based on a Received: header that indicates that your system received the message from a local (trusted) system.
Received: from example.com by example.com (PMDF V6.3-x17 #36614) id <01N9QYZE8MV48WVZX3@example.com>
for joeuser@example.com (ORCPT joeuser@example.com); Thu, 04 Jun 2009 07:16:25 -0500 (CDT)
rule allow received matches_regexp "^from example\.com by example\.com \(PMDF.+"
If you need assistance constructing your allow rule, please contact Process Software support at support@process.com.
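The following is an added example, not PMAS code or Process Software's own, that models the three approaches discussed above with Python's email parser: the tempting "*@example.com" allowlist, the X-PMAS-External: noexists rule, and the Received: regex rules. The two sample messages (an internal notice and outside mail forging a local From:) are constructed, and the function and variable names are this example's own.

```python
import re
from email import message_from_string

LOCAL_DOMAIN = "example.com"

# The two PMAS rules from the FAQ, as Python regexes:
#   rule allow received matches_regexp "^from \[10\.\d+\.\d+\.\d+\] by example\.com \(PMDF.+"
#   rule allow received matches_regexp "^from example\.com by example\.com \(PMDF.+"
TRUSTED_RECEIVED = [
    re.compile(r"^from \[10\.\d+\.\d+\.\d+\] by example\.com \(PMDF.+"),
    re.compile(r"^from example\.com by example\.com \(PMDF.+"),
]

def naive_allow(msg):
    # The tempting "*@example.com" allowlist: trusts From:, which spammers forge.
    return msg["From"].lower().endswith("@" + LOCAL_DOMAIN)

def allow_no_external(msg):
    # rule allow header:x-pmas-external noexists -- PTSMTP stamps every message
    # from a host not in INTERNAL_IP.TXT, so absence means an internal source.
    return msg["X-PMAS-External"] is None

def allow_trusted_received(msg):
    # rule allow received matches_regexp ... -- trust only the topmost Received:,
    # the one our own MTA wrote, which records the real connecting address.
    received = msg.get_all("Received") or []
    if not received:
        return False
    top = " ".join(received[0].split())  # unfold the header continuation
    return any(p.match(top) for p in TRUSTED_RECEIVED)

def verdicts(raw):
    msg = message_from_string(raw)
    return {"naive": naive_allow(msg),
            "no_external": allow_no_external(msg),
            "received": allow_trusted_received(msg)}

# Constructed samples: an internal notice, and outside mail forging a local From:.
INTERNAL = """Received: from [10.1.1.20] by example.com (PMDF V6.3-x18 #31533) with ESMTPSA id
 <01N9PTR5WFIKAOPJ13@example.com> for joeuser@example.com; Wed, 03 Jun 2009 11:30:09 -0400 (EDT)
X-PMAS-Internal: yyz.example.com [10.1.1.20] (EHLO yyz.example.com)
From: helpdesk@example.com
"""
FORGED = """Received: from [212.3.2.1] by example.com (PMDF V6.3-x18 #31533) with ESMTP id
 <01N9PTR5WFIKAOPJ14@example.com> for joeuser@example.com; Wed, 03 Jun 2009 11:45:02 -0400 (EDT)
X-PMAS-External: abc.outside.com [212.3.2.1] (EHLO abc.outside.com)
From: someone@example.com
"""
```

Running verdicts() on both samples shows the naive rule allowing the forged message while the header-based rules reject it, which is the point of the answer above.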
Contacting Process Software
E-mail:
info@process.com - General information
sales@process.com - Sales
international@process.com - International Sales information
support@process.com - Technical Support
careers@process.com - Human Resources
webmaster@process.com - Webmaster
Phone:
USA/Canada: (800)722-7770
International: (508)879-6994
Fax: (508)879-0042
Mailing:
Process Software
959 Concord Street
Framingham, MA 01701-4682
