AsyncOS 14.0.2

Release Notes

Please read and review the entire Release Notes for AsyncOS 14.0 for Cisco Email Security Appliances (MD).

What's New In This Release

Caching for Syslog Push Log Subscriptions

You can now configure a local disk buffer for a syslog push log subscription so that the email gateway can cache log events when the remote syslog server is unavailable. When the syslog server becomes available, the email gateway sends all the data in the buffer for that log subscription to the syslog server.

You can configure the disk buffer parameters in the following ways:

  • System Administration > Log Subscription page in the web interface. For more information, see the 'Log Retrieval Methods' section in the 'Logging' chapter of the user guide.
  • logconfig command in the CLI. For more information, see the 'Logging and Alerts' section in the 'The Commands: Reference Examples' chapter of the CLI Reference Guide.

Detecting Smart Identifier with or without Prefix

The email gateway now detects a smart identifier with or without the keyword ('credit,' 'ssn,' 'cusip,' or 'aba') added as a prefix in the message content.

You can configure the content filter condition or message filter rule to detect the smart identifier with or without the keyword added as a prefix in the following ways:

  • Use the Contains smart identifier prefix option in the content filter condition for Message Body, Message Body or Attachment, and Attachment Content. For more information, see the 'Content Filter Condition' section in the 'Content Filter' chapter of the user guide.
  • Use the prefix syntax in the message filter rule. For more information, see the 'Smart Identifier Syntax' section in the 'Using Message Filters to Enforce Email Policies' chapter of the user guide.

Changes in Behavior in AsyncOS 14.0.2

DANE Verification Changes

Prior to this release, if your email gateway was in the FIPS mode, you could only use an RSA key size of 2048 bits or higher to configure Domain Name System Security (DNSSEC) for DANE verification of outgoing messages.

After you upgrade to this release, if your email gateway is in the FIPS mode, you can now use an RSA key size of less than or greater than 2048 bits to configure DNSSEC for DANE verification of outgoing messages.

You can configure DNSSEC for DANE verification of outgoing messages with an RSA key size of less than 2048 bits using the CLI in any one of the following scenarios:

  • [Enabling FIPS mode in email gateway]: Type 'Yes' for the "Do you want to minimize FIPS restriction on SMTP DANE in the email gateway? [N]>" statement in the fipsconfig > setup sub command.
  • [FIPS mode already enabled in email gateway]: Type 'Yes' for the "Do you want to enforce FIPS restriction on SMTP DANE email traffic in the email gateway? [N]>" statement in the fipsconfig > minimizedata sub command.

For more information, see CLI Reference Guide for AsyncOS 14.0.2 for Cisco Secure Email Gateway - MD (Maintenance Deployment).
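
To audit which DNSSEC-signed domains publish RSA keys below 2048 bits, the following added example (not Cisco's code and not part of the original release notes) reads the modulus size from a DNSKEY record as laid out in RFC 3110. It assumes the RSA key in question is the one in the destination zone's DNSKEY record; the function names, owner names and sample keys are constructed for illustration.

```python
import base64

# DNSSEC algorithm numbers whose DNSKEY carries an RSA public key (IANA registry).
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

def rsa_modulus_bits(dnskey_rdata):
    """Modulus bits of a presentation-format DNSKEY; None when not RSA."""
    fields = dnskey_rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: flags protocol algorithm public-key")
    if int(fields[2]) not in RSA_ALGORITHMS:
        return None
    # The base64 key may be split by whitespace in zone-file output.
    key = base64.b64decode("".join(fields[3:]), validate=True)
    # RFC 3110: one length byte for the exponent, or 0x00 plus a 2-byte length.
    if len(key) < 3:
        raise ValueError("truncated RSA key")
    if key[0] != 0:
        exp_len, offset = key[0], 1
    else:
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    modulus = key[offset + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def below_threshold(records, min_bits=2048):
    """(owner, bits) for every RSA DNSKEY smaller than min_bits."""
    sizes = ((owner, rsa_modulus_bits(rdata)) for owner, rdata in records)
    return [(o, b) for o, b in sizes if b is not None and b < min_bits]

def constructed_dnskey(bits, algorithm=8, long_form=False):
    """Build a CONSTRUCTED sample DNSKEY (not a usable key) of a given size."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    prefix = b"\x00\x00\x03" if long_form else b"\x03"
    blob = base64.b64encode(prefix + exponent + modulus).decode()
    return f"256 3 {algorithm} {blob}"

# Constructed sample records; the owner names are placeholders.
SAMPLES = [
    ("small.example.", constructed_dnskey(1024)),
    ("large.example.", constructed_dnskey(2048, long_form=True)),
    ("ecdsa.example.", constructed_dnskey(512, algorithm=13)),
]

if __name__ == "__main__":
    for owner, bits in below_threshold(SAMPLES):
        print(f"{owner}: RSA {bits} bits, below 2048")
```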

Certificate Validation Changes in Non-FIPS Mode

From this release onwards, if your email gateway is in the non-FIPS mode, and you add or upload a self-signed or signed certificate, the email gateway now validates the required certificate

Mail Logs and Tracking Logs Changes

Prior to this release, the information in the subject of ‘Mail Logs’ and ‘Tracking Logs’ was not enclosed in quotes.

After you upgrade to this release, the information in the subject of the ‘Mail Logs’ and ‘Tracking Logs’ is now enclosed in double quotes.

Changes in Enabling Feature Keys for Newly Added Features

Prior to this release, when you added new feature keys, you had to accept the End-user License Agreement (EULA) page manually to enable the features on your email cloud gateway.

After you upgrade to this release, the email cloud gateway accepts the EULA page automatically when new feature keys are added.

CA Certificates Validation During System Upgrade

From this release onwards, when you upgrade your email gateway, the existing CA certificate is upgraded only if the CA certificate is active (not expired) and the CA flag in the certificate is set to true. During system upgrade, the email gateway rejects expired certificates and any CA certificate with the CA flag set to false. Also, when you load a configuration file on your email gateway, CA certificates with the CA flag set to false and expired certificates are removed.