Barracuda Spam & Virus Firewall Release Notes


PLEASE READ BEFORE UPGRADING

*Before upgrading to newer versions, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running on your system.
*Before upgrading, BE SURE TO TAKE THE BARRACUDA SPAM & VIRUS FIREWALL OFFLINE. This will ensure that the inbound queue is emptied and all messages are scanned before the upgrade process begins. See the BASIC > Administration page for the Offline button.
*DO NOT MANUALLY REBOOT YOUR SYSTEM at any time during an upgrade, unless otherwise instructed by Technical Support. The update process typically takes only a few minutes after the update is applied. However the process can take up to 30 minutes for systems that have thousands of user accounts. If the process takes longer, please contact Technical Support to investigate.

Upgrading to Version 3.5

*Due to numerous internal changes, once you have installed a version of 3.5 on your system it is NOT recommended for you to revert to or otherwise re-apply any 3.4 (or earlier) firmware version. Doing so can cause you to lose Message Log data, message content and some historical information. Please contact Technical Support prior to any attempt to return to the 3.4 firmware series.
*Clustering between a 3.5 system and a non-3.5 system is not possible. If one of the machines in a cluster does not see the firmware as available, please contact Technical Support. All members of a cluster should be running the same build version to obtain best results.
*Before upgrading from a non-3.5 release, please take note of the following internal changes:
*The contents of any message that was in the Message Log of a 3.4 system at the time of upgrade will be visible on a 3.5 system. However, the data for any message that was already purged from the Message Log, as well as all Message Log data from 3.3 (and earlier) systems, will not be preserved upon the upgrade to 3.5.
*If upgrading from a release prior to 3.3, your Bayesian databases (both admin and user-specific) will not be preserved. Resetting the databases from time to time makes Bayesian filtering more effective and up-to-date with the latest spam patterns. To use Bayesian, you must start with a new dataset of at least 200 received messages marked as "spam'' and at least 200 marked as "not spam''. As with previous versions, Bayesian filtering will NOT take effect until 200 or more of each spam and not-spam messages are marked as such on the BASIC > Message Log page.
*As of version 3.5.10.016, all DNS queries are now done directly. This can cause delivery failures and lost mail if hostnames are used in the configuration that are only resolvable through internal DNS. If using such a configuration, after upgrading to 3.5.10.016 or higher, please go to the BASIC > IP Configuration page and set the Use Only These Servers setting to "Yes". This will force the Barracuda Spam & Virus Firewall to use the internal DNS servers.
*As of version 3.5.12, the following configuration changes will be made on ALL SYSTEMS upgrading from a pre-3.5.12 release. Because of this, it is HIGHLY RECOMMENDED that you create a new backup of your configuration after you upgrade to firmware version 3.5.12. Otherwise, restoring a backup made from a previous firmware version could inadvertently reverse these setting changes:
1Any spamhaus.org listing for sbl, xbl, or sbl-xbl that may currently be in your Custom External RBLs section will be REMOVED. If you wish to continue using any of these, you can manually re-enter them on the BLOCK/ACCEPT > IP Reputation page. Any other spamhaus.org entry that you may have added (such as zen or pbl) will remain in your settings and will not be affected.
2The Send Bounce option will be SET TO NO on all systems, regardless of your previous setting. If you wish notifications to go out to any sender whose email was blocked, you can re-enable this option from the BASIC > Spam Scoring page, in the Spam Bounce (NDR) Configuration section.

NEW TO VERSION 3.5

 3.5.12:
*Invalid Bounce Suppression. The Barracuda Spam & Virus Firewall can be configured to reject all Non-Delivery Receipts (NDRs) except those for messages verified to have been sent or relayed out from that particular Barracuda Spam & Virus Firewall or from a partnered Barracuda Spam & Virus Firewall.
*Character Set Blocking. Administrators can determine the action to take on a message based on the language and character set detected in the message itself.
*Reverse DNS Blocking. Administrators can determine the action to take on a message based on the originating country, as determined by a Reverse DNS query of the sender's IP address.
*Enhanced Intent Analysis. New improvements to the Intent Analysis engine includes the ability to specify additional URL patterns that should undergo Intent Analysis and the ability to exclude specific URLs.
*The Syslog, which includes data related to mail flow, gives the month, day and time of each event for all models except for the model 1000, which also includes the year in the date.
 3.5.11:
*Attachment filtering enhancements. All attachments which start with a leading 'dot' (e.g. ".exe") are only checked against filenames. Entries without the leading dot are checked against the file type as determined by content inspection. At this time, files within archives are still blocked only on content identification.
*DomainKeys. Support for DomainKeys including the ability to take action on incoming messages based on verification of DomainKeys.
*Native recipient validation. In addition to using standard recipient verification methods such as LDAP, recipient verification can now also be done by specifying a list valid email addresses directly on the Barracuda Spam & Virus Firewall.
*Remote POP account support. The Barracuda Spam & Virus Firewall can now scan email retrieved via POP3 or IMAP.
*Advanced Email Server handling. A failover email server can be designated on the Barracuda Spam & Virus Firewall, and individual domains can be assigned multiple email servers for load balancing.
*Manual Alias Linking. Specific domains on the Barracuda Spam & Virus Firewall can be treated as aliases of one domain, without needing to link all domains to the same one.
*Trusted forwarder exemptions. Allows internal mail relays located in front of the Barracuda Spam & Virus Firewall to be exempted from rate control, SPF sender authentication tests, and IP reputation checks (including the Barracuda Reputation Services and other external blacklists). If used in conjunction with Full Header Scanning, IP checks will be performed on only the last non-trusted relay that handled the incoming message.
 3.5.10 and earlier:
*Improved DNS lookups. Enable DNS caching by default for improved lookup times. Fall back to specified nameservers if unable to reach root nameservers. See warning above regarding this change in behavior.
*Barracuda Real-Time Protection. Also known as Zero-Hour protection, this real-time interaction with Barracuda Central for information on new virus signatures and spam fingerprints allows for the fastest possible response time to new virus and spam outbreaks.
*Improved Cluster Management. Enhancements include increased performance, encrypted connections, and sturdier synchronization of quarantine content.
*Longer Message Log history. The Message Log is now stored as a circular buffer constrained by disk storage rather than a fixed number of records, usually resulting in a significantly longer Message Log buffer.
*Journaling. The Barracuda Spam & Virus Firewall now has the ability to send a copy of all legitimate email to an archive such as the Barracuda Message Archiver.
*API updates. Enhancements to the API in the latest 3.5.10 releases include support for multiple simultaneous API calls, such as those for domain setting modifications.
*Multiple administrative conveniences. Based on user feedback, many small changes have been made to the Administrative interface, including the addition of the "Bulk Edit" button for certain fields; the ability to specify multiple syslog servers; and the ability to submit spam messages to Barracuda Central without affecting the global Bayesian database.

Version 3.5.12

Note: All systems upgrading to this release will be subjected to the configuration changes noted in the "Upgrading to Version 3.5" section above. If you do not wish to keep these changes, they can be reversed by going to the appropriate page and re-entering your desired values. After the new firmware has been applied, make sure to create a new backup of your configuration so that you will have a backup file with the setting modifications made by this firmware upgrade.

*Known Issues:

*Build 022:
*Enhancement: Support for disabling of low-grade encryption key ciphers (SSL).
*Fix: The "Reason" field in the Message Log and Message Viewer is now clearly displayed. [37234]
*Fix: Japanese language reports (GUI & Email) are now correctly rendered. [37317]
*Fix: The description of the Rate Control setting is now correct in the Web interface. [37725]
*Fix: Chinese characters are now displayed correctly in Header and Subject. [37559]
*Fix: Corrected NDR formatting for Full Outbound mode so that MS Exchange server can interpret bounce (NDR) messages properly. [25465]
*Fix: Quarantine usage is now updated correctly for all users.
*Fix: Various Japanese, Taiwanese and Chinese localization issues resolved.
*Fix: Static Routes now take effect properly.
*Fix: Resolved issue with port forwarding.
*Fix: Japanese "Action", "Reason", "Delivery" fields in the Message Log are now rendered accurately. [36935]
*Change to syslog output: The Web syslog shows high byte ASCII characters in octal and the mail syslog shows multi-byte characters as raw data.
*Build 014:
*Fix: Whitelisting now takes precedence over Spam Fingerprint filtering. [35288]
*Fix: Extra line breaks no longer added to plain text messages of over a certain size. [33810]
*Build 012:
*Enhancement: APC UPS devices via USB are now supported.
*Feature: Branding changes to reflect the product name change to Barracuda Spam & Virus Firewall in product logos, default database values, and standard email templates.
*Fix: Potential security issue in Barracuda Console Configuration tool resolved. Reported by Jon Oberheide <jon@oberheide.org>.
*Fix: APC UPS was not recognized by models 300/400 and model 800. [33060]
*Fix: Now honors outbound BASIC > Administration > 'SMTP host/Smarthost' for mail delivery when relaying (recipient domain is not on the box). Before this, the system would only deliver quarantine messages and bounce messages to the smarthost. [34421]
*Fix: In the API, config_set_bulk.cgi now works correctly for per-user settings (when the 'account' parameter is specified).
*Fix: Improved protection against cross site scripting (XSS) attacks. [33301]
*Build 010:
*Feature: The 'Check SPF for Bounce Recipients' has been enhanced. It will now only send the Spam bounce if there is an spf record for the sender and the spf record passes.
*Fix: The 'Envelope From' sender is now added as an X-Barracuda-Envelope-From header to the message [27011]
*Fix: In full outbound mode, BATV checks are no longer performed. BATV tags are still applied for outgoing messages. NDR's from trusted relays used to be rejected as 'invalid bounce' because the tag was missing [26007]
*Fix: Strict enforcement of SPF for backscatter prevention [13740, 22210]
*Fix: Spoof protection works differently for subdomains: when 'envelope-from' is 'x@subdomain.y.com' and recipient is 'x@y.com', mail will not be blocked [21552]
*Fix: BASIC > IP Configuration > Test Configuration returns correct results for the Default Mail Server test section [21309]
*Fix: "Success" or "Failed" messages will print when attempting to connect to Barracuda Central through the console configuration utility [26143]
*Fix: When attempting to send email reports, errors will now propagate to the ADVANCED > Task Manager page in the Web UI [27060]
*Fix: If there is a problem with the mail relay or it is improperly configured, the generated report emails will time out instead of waiting indefinitely [26135]
*Fix: While in offline mode, configuration changes will not cause MTA to restart [25982]
*Fix: Rate control violations will now always return a '421' SMTP error to the client, instead of sending a '5xx' error, after reaching twice the threshold set for rate control [10157]
*Fix: Additional help file updates and translations for Japanese language
*Build 007:
*Enhancement: Included Barracuda Plugin v2.2.0.0
*Fix: Addressed a minor RAID GUI display issue [23484]
*Fix: Improved performance of rate control process [62571]
*Fix: Fixed various translation and documentation issues
*Build 006:
*Fix: Addressed issue with intent analysis
*Fix: Improved support for EmailReg.org [19135]
*Fix: Addressed issue with processing large compressed attachments
*Fix: Improved multiple cryptography modules
*Build 005:
*Fix: Various model 1000 fixes [23588, 23344]
*Fix: Addressed issue with multi-level redirect in Intent Analysis
*Build 004:
*Fix: Various fixes for model 1000 RAID support
*Fix: Improved DNS queries and caching abilities
*Fix: Improved SMTP test feature [22681]
*Fix: Resolved issues with LED status lights [6579]
*Build 003:
*Fix: Fixed blocking precedence in Reverse DNS Blocking feature [22396]
*Fix: Fixed unneccesary restarts of recipient verify process [22464]
*Build 002:
*Feature: Full URL module added. [17518]
*Fix: Resolved issue where temporary files were not cleaned up
*Fix: Resolved issue with restoring list of valid recipients [20744]
*Fix: Resolved issue with BATV tag expiration [21754]
*Build 001:
*Feature: Invalid Bounce Suppression on Barracuda Spam & Virus Firewalls used for relaying outbound emails. Enabling this feature with a special password on the new "BLOCK/ACCEPT > Sender Authentication" page will cause all incoming NDRs to be rejected by the Barracuda Spam & Virus Firewall, except those for messages that originated from itself or another Barracuda Spam & Virus Firewall that uses the same special password.
*Feature: Ability to take action on a message based on its language, or character set. Configured on the "ADVANCED > Regional Settings" page, messages can be blocked, quarantined, or tagged on the basis of the characters detected in the message itself.
*Feature: Ability to take action on a message based on the originating country, as determined by a Reverse DNS query of the originating IP address. Configured on the new "BLOCK/ACCEPT > Reverse DNS" page, messages can be blocked, quarantined, or tagged on the basis of the country or TLD to which the source IP address resolves.
*Feature: Ability to specify full URLs to be exempted from Intent Analysis.
*Feature: Ability to specify URL patterns that should undergo Intent Analysis.
*Feature: Ability to configure a Loopback Adapter, useful when using the Barracuda Spam & Virus Firewall with a Barracuda Load Balancer in Direct Server Return.
*Enhancement: Ability to force SMTP/TLS connections for specific domain on models that support per domain settings. [20354]
*Enhancement: Weak SSL ciphers and SSLv2 for SMTP over TLS are disabled by default. [9572]
*Enhancement: Administrators will no longer be able to add any domain listed in the Domain Manager to the list of whitelisted Sender Domains. If you regularly have incoming messages from your own domains, the IP addresses of the sending mail servers should be whitelisted rather than the domain names. [18976]
*Fix: The "Reject Fake Sender Domain" feature was removed to avoid denial of service attempts in modern spam campaigns.
*Fix: Resolved issue that prevented a configuration backup from getting created on certain systems that did not have any Valid Recipients specified. [14649]
*Fix: Resolved issue with POP-based Single Sign-On accounts that in certain situations enabled administrator privileges to specific usernames. [11187]
*Fix: Message Log searches that include an escaped single quote will now return the expected results. [20124]
*Fix: Removed misleading "Outside Connectivity" test from the "Test Configuration" button. [19289]
*Fix: Resolved issue that prevented certain Japanese characters from being used in comments for certain entries. [18233]
*Fix: Removed case sensitivity from Valid Recipient listings. [20243]
*Fix: Updated various helpfiles.