AsyncOS 15.0
Release Notes
Email Gateway (On-premises HW and Virtual) customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Gateway. If you have an Email and Web Manger, Release Notes for AsyncOS 15.0 for Cisco Secure Email and Web Manager.
Cloud Gateway customers, please read and review the entire Release Notes for AsyncOS 15.0 for Cisco Secure Email Cloud Gateway, Release Notes for AsyncOS 15.0 for Cisco Secure
Email and Web Manager (Cloud)
What’s New In This Release
URL Retrospective Verdict and URL Remediation
The URLs with unknown reputation can turn malicious anytime, even after it has reached the user's mailbox. You can configure URL filtering on your email gateway to send alerts based on the URL retrospective verdicts received from Talos. You can also configure your email gateway to perform auto-remedial actions on the messages in user mailbox when the URL verdict changes from unknown to malicious.
For more information, see the “Protecting Against Malicious or Undesirable URLs” chapter in the user guide associated with this release.
Integrating Secure Email Gateway with Threat Defense
The Threat Defense Connector client connects the Secure Email Gateway with the Secure Email Threat Defense to scan messages for Advanced Phishing and Spoofing.
When you configure the Threat Defense Connector, the Secure Email Gateway sends a copy of the actual message as an attachment to the Threat Defense portal’s message intake address. The message gets delivered to the user inbox, and advanced scanning completes in the Threat Defense portal.
You can enable the Threat Defense Connector in any of the following ways:
- From the Security Services > Threat Defense Connector page of the web interface.
- Using the threatdefenseconfig command in the CLI.
For more information, see the “Integrating Secure Email Gateway with Threat Defense” chapter in the user guide or the CLI Reference Guide associated with this release.
Customizing Graymail Unsubscribe Banner
You can customize the following settings of the Graymail Unsubscribe banner based on your organization’s requirements:
- Position of the banner
- Color of the banner
- Text color of the banner message
- Contents of the banner message
The banner message supports the following languages: English (United States), Italian, Chinese, Portuguese, Spanish, German, French, Russian, Japanese, Korean, and Chinese (Taiwan).
Note: There is no CLI support for the feature in this release.
For more information, see the “Customizing Graymail Unsubscribe Banner based on Organizational Requirements” section in the “Managing Spam and Graymail” chapter of the user guide associated with this release.
File Reputation Service Enhancement
From AsyncOS 15.x release onwards, the email gateway uses a new version of the AMP engine. This new AMP engine uses HTTPS (port 443) instead of TCP to ensure secure communication between your email gateway and Secure Endpoint Cloud.
Note [For Secure Endpoint Private Cloud users only]: Before you upgrade to this release, make sure you have met all the prerequisites for the new File Reputation service activation. For more information, see the Prerequisites for File Reputation Service Activation - Secure Endpoint Private Cloud sub-section under the “Pre-Upgrade Note” section of this document.
Note [For Secure Endpoint Private Cloud users only]: If you skipped the instructions on File Reputation service activation during the upgrade, see the Activating File Reputation Service for Secure Endpoint Private Cloud sub-section under the “Post-Upgrade Notes’ section of this document on how to activate the File Reputation Service after the upgrade.
For more information, see the “File Reputation Filtering and File Analysis” chapter of the user guide associated with this release.
Removal of Old Splunk Database for Email Tracking Data
When you upgrade to Secure Email Gateway 15.0 and later, and if the email tracking data is contained in the Splunk database, the system deletes the Splunk database if you proceed with the upgrade.
During the upgrade, a warning message indicating that the system will delete the Splunk database is displayed in the CLI or the web interface of your email gateway.
Following is a sample warning message displayed at the time of the upgrade:
From Secure Email Gateway 12.1.x version onwards, we have moved
to a newer storage system for email tracking data. Generally,
the old data is replaced with new data in the new storage system
automatically. However, in some scenarios (for example, 'late
upgrades', 'low mail flow' and 'tracking data', and so on),
there could be traces of old data still present in the old
storage system that is no longer supported.
In your case it is, 7.1 MB, which was last updated in 01 Jul 2022.
If you proceed with this upgrade process, the data in the old storage
will be removed.
You can choose to proceed with the upgrade or abort the upgrade.
Do you want to proceed with the upgrade?[Y]"
Note: The debug sub menu used to collect debug information for the Splunk database is removed from the Diagnostic > Tracking sub command in the CLI.
Deleting Log Files from Email Gateway
You can now delete log files stored in the /data/pub/directories path of your email gateway.
You can use the logconfig > deletelogfile sub command in the CLI to delete the log files.
Note: You can delete log files only if your email gateway is a standalone machine.
For more information, see the “Example- Deleting Log Files” section of the CLI Reference Guide associated with this release.
FIPS Certification
Cisco Secure Email Gateway is FIPS certified and has integrated the following FIPS 140-2 approved cryptographic module: Cisco Common Crypto Module (FIPS 140-2 Cert. #4036).
For more information, see the “FIPS Management” chapter of the user guide associated with this release.
Generation 2 Deployment Support for Hyper-V Models
From AsyncOS 15.0 release onwards, Secure Email Gateway supports Generation 2 deployment for Hyper-V models.
Note: The supported model for Hyper-V Generation 2 deployment is C600V only.
Note: Currently, there is no support for “Secure Boot” and “Trusted Platform Module (TPM)” technologies in Generation 2 deployment.
For more information, see the Cisco Content Security Virtual Appliance Installation Guide from: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-installation-guides-list.html
Microsoft Hyper-V Server 2019 Support
Secure Email Gateway 15.0 supports Microsoft Hyper-V Server 2019.
For more information, see the Cisco Content Security Virtual Appliance Installation Guide from: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-installation-guides-list.html
Supported Model for AWS Deployment
From AsyncOS 15.0 release onwards, the supported model for AWS deployment is C600V only.
For more information, see the Cisco Content Security Virtual Appliances on AWS EC2 Installation Guide from: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-installation-guides-list.html
Generation 2 Deployment Support for Azure
From AsyncOS 15.0 release onwards, Secure Email Gateway supports Generation 2 deployment for Azure.
Note: The supported model for Azure Generation 2 deployment is C600V only.
Note: The Generation 2 Image does not boot after you deploy it on the Azure platform. You must reboot the virtual machine after you deploy the Generation 2 image.
For more information, see the Cisco Secure Email Virtual Gateway and Secure Email and Web Manager Virtual on Azure Deployment Guide from: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-installation-guides-list.html.
New RAM Values for Secure Email Gateway Virtual Appliance Models
From AsyncOS 15.0 release onwards, there are new RAM values for the following Secure Email Gateway virtual appliance models deployed through KVM or VMWare ESXi:
- C100V
- C300V
- C600V
For details on the new RAM values applicable for each virtual appliance model, see the Cisco Content Security Virtual Appliance Installation Guide, available from: https://www.cisco.com/c/en/us/support/security/email-security-appliance/products-installation-guides-list.html
New Note for Removal of Weak Algorithms during System Upgrade
[Applicable to FIPS and non-FIPS modes]: During the system upgrade to AsyncOS 15.0 and later, a new Note statement is added to inform you that the system removes all weak algorithms in Ciphers, Keys, KEX, and MAC (if configured) after the upgrade process.
New DLP Policy Pre-defined Classifiers
The following new DLP policy pre-defined classifiers are added in the Mail Policies > DLP Policy Manager > Add DLP Policy > Custom Policy > Add > Policy Matching Details page of your web interface:
- Bank Account Numbers (Austria IBAN)
- Bank Account Numbers (Belgium IBAN)
- Bank Account Numbers (Bulgaria IBAN)
- Bank Account Numbers (Croatia IBAN)
- Bank Account Numbers (Cyprus IBAN)
- Bank Account Numbers (Czech Republic IBAN)
- Bank Account Numbers (Denmark IBAN)
- Bank Account Numbers (Estonia IBAN)
- Bank Account Numbers (Finland IBAN)
- Bank Account Numbers (Greece IBAN)
- Bank Account Numbers (Hungary IBAN)
- Bank Account Numbers (Ireland IBAN)
- Bank Account Numbers (Latvia IBAN)
- Bank Account Numbers (Lithuania IBAN)
- Bank Account Numbers (Luxembourg IBAN)
- Bank Account Numbers (Malta IBAN)
- Bank Account Numbers (Poland IBAN)
- Bank Account Numbers (Portugal IBAN)
- Bank Account Numbers (Romania IBAN)
- Bank Account Numbers (Slovakia IBAN)
- Bank Account Numbers (Slovenia IBAN)
- Bank Account Numbers (Spain IBAN)
- Cambodia National ID
- Cyprus National ID
- Finland National ID
- Malta National ID
- Myanmar National ID
- Portugal National ID
- Vietnam National ID
ECDSA Certificates Support for SSL Communication
You can now use the Elliptic Curve Digital Signature Algorithm (ECDSA) certificates that allow the combination of Elliptic Curve Diffie Hellman Ephemeral (ECDHE) algorithm for Key Exchange and ECDSA authentication to configure the following SSL services:
- GUI HTTPS
- Inbound SMTP
Changes in Behavior
Sender Domain Reputation Filtering - Domain Exception List Changes
[Before this Release]: When you disabled the "Match Domain Exception List based on Domain in Envelope From:" option, the message is matched against the Domain Exception list, only if the domains in the "Envelope From:," "From:," and "Reply-To:" headers of the message are the same and in the Domain Exception List.
[From this Release onwards]: When you disable the "Match Domain Exception List based on Domain in Envelope From:" option, the message is matched against the Domain Exception list, even if the domains in the "Envelope From:," "From:," and "Reply-To:" headers of the message are different and any of the domains in the "HELO:," "RDNS:," "Envelope From:," "From:," and "Reply-To:" are in the Domain Exception List
New condition to categorize messages as Unscannable due to RFC violation
[Before this Release]: When a MIME part of the message contained more than one "Content-Transfer-Encoding" header, the content scanner would not categorize the message as "Unscannable" due to an RFC violation.
[From this Release onwards]: When a MIME part contains more than one "Content-Transfer-Encoding" header, the content scanner categorizes the message as "Unscannable" due to an RFC violation. The action configured under Security Services > Scan Behavior > Action when a message is unscannable due to RFC violations is applied to the message.
Syslog Message Changes [Before this Release]: A Syslog message would display the configured IP address of the email gateway.
[From this Release onwards]: The Syslog message does not display the IP address but now shows the configured FQDN or host name of the email gateway.
[Upgrade Scenario]: SSH Server and Client Configuration Changes
The following SSH Server and Client Configuration changes are applicable when you upgrade your email gateway from a lower AsyncOS version to AsyncOS 15.0 version and later.
[For Non-FIPS mode only]: Following are the SSH Server and Client Configuration changes applicable when your email gateway is not in the FIPS mode:
[SSH Server Configuration Changes]:
- The following cipher algorithms, MAC methods, KEX algorithms, and host key algorithm are removed from your email gateway by default:
- Cipher algorithms - 3des-cbc and [email protected]
- MAC methods - hmac-md5, [email protected],hmac-ripemd160, [email protected], hmac-sha1-96, and hmac-md5-96
- KEX algorithms - diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1
- Host key algorithm - rsa1
- The “Minimum Server Key” option is removed from the CLI of your email gateway by default.
- The host key algorithm - rsa-sha2-256 is added to your email gateway by default.
[SSH Client Configuration Changes]:
- The following cipher algorithms - arcfour256 and arcfour128 are removed from your email gateway by default.
- The host key algorithm - rsa-sha2-256 is added to your email gateway by default.
[Upgrade Scenario]: SSH Server and Client Configuration Changes (contd.)
[For FIPS Mode only]: Following are the SSH Server and Client Configuration changes applicable when your email gateway is in the FIPS mode:
[SSH Server Configuration Changes]:
- The following cipher algorithm, KEX algorithms, and host key algorithm are non-FIPS compliant and removed from your email gateway.
- Cipher algorithms - 3des-cbc
- KEX algorithms - diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1
- Host key algorithm - ssh-rsa
- The “Minimum Server Key Size” option is removed from the CLI of your email gateway because it is non-FIPS compliant.
- The host key algorithm - rsa-sha2-256 is added to your email gateway by default.
- The host key algorithm - ssh-dss is removed from your email gateway by default (if configured using the logconfig > hostkeyconfig sub command in the CLI).
[SSH Client Configuration Changes]:
- The Cipher algorithm - 3des-cbc is non-FIPS compliant and removed from your email gateway.
- The host key algorithm - rsa-sha2-256 is added to your email gateway by default.
[New Install Scenario]: SSH Server Configuration Changes
The following SSH server configuration changes are only applicable when you install AsyncOS 15.0 for Cisco Secure Email Gateway for the first time.
[For non-FIPS mode only]: The following cipher algorithms, MAC method, KEX algorithms, and host key algorithms are supported in your email gateway:
- Cipher algorithms - aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, and aes256-cbc
- MAC method - hmac-sha1
- KEX algorithms - diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh- sha2-nistp384, and ecdh-sha2-nistp521
- Host key algorithms - rsa-sha2-256, ssh-rsa, and ssh-dss (disabled by default)
Note: You need to manually enable the "ssh-dss" cipher algorithm using the shconfig > sshd > setup sub command in the CLI.
[For FIPS mode only]: To enable FIPS mode, make sure you first disable the following cipher algorithm and host key algorithm that are non-FIPS compliant using the sshconfig > sshd > setup sub command in the CLI.
- Cipher algorithm - aes192-ctr
- Host key algorithm - ssh-rsa
Note: The host key algorithm - rsa-sha2-256 is newly added and is enabled by default on your email gateway.
SPF Email Verification Changes
[Before this Release]: The email gateway would perform the Sender Policy Framework (SPF) email verification process based on the SPF and TXT records per the RFC 4408 (Section 4.4) standard.
[From this Release onwards]: The email gateway performs the SPF email verification process based on only the TXT records per the new RFC 7208 (Section 4.4) standard.
Changes to CEF Field Names for Consolidated Event Logs
From this release onwards, the following Common Event Format (CEF) field names are changed for the Consolidated Event logs:
- 'endTime' to 'end'
- 'startTime' to 'start'
- 'sourceAddress' to 'src'
- 'sourceHostName' to 'shost'
Changes in uploading HTML and Octet-stream Files for File Analysis
[Before this release]: The email gateway could only upload HTML and Octet-stream files (mime type - application/octet-stream and text/html) to the File Analysis server if the file extensions were selected for file analysis.
[From this release onwards]: The email gateway can now upload the HTML and Octet-stream files to the File Analysis server for file analysis, even if the file extensions are not selected for file analysis.
Note: As the number of files uploaded to the File Analysis server may increase, the email gateway could potentially reach the file upload limit of the file analysis server quickly.
Changes in uploading Archived Files for File Analysis
[Before this release]: When the AMP engine failed to extract the archive files (including password-protected archived attachments) from a message, the attachments would not be uploaded to the File Analysis server.
[From this release onwards]: When the AMP engine fails to extract the archive files (including password-protected archived attachments) from a message, the attachments are now uploaded to the File Analysis server for file analysis.
Note: As the number of files uploaded to the File Analysis server may increase, the email gateway could potentially reach the file upload limit of the file analysis server quickly.
Support for importing ECDSA and EDDSA certificates
From this release onwards, support for the x509 certificates with ECDSA and EDDSA algorithms is introduced.
Cipher configuration changes
Non-compliant/weak TLS cipher suites are now disabled on Inbound SMTP, Outbound SMTP, GUI, LDAP and updater by default.
Non-compliant CSDL Key SSH algorithms like ssh-dss is now disabled on SSH server by default but allowed to be configured.
Support to choose the signature algorithm while creating self-signed certificates
From this release onwards, you can choose the signature algorithm (sha256withRSAEncryption, sha384withRSAEncryption, or sha512withRSAEncryption) while generating self-signed/self-signed SMIME certificates in both CLI & GUI.
Changes in signature algorithms for x509 certificates
The following signature algorithms for peer certificates in TLS services Inbound SMTP, Smart Licensing transport URL server, Enrollment Client , SSE server, Talos client, Syslog server, ECS client, and Cisco Security Awareness cloud server) are not supported:
'sha1withrsaencryption', 'sha224withrsaencryption', 'dsawithsha1', 'ecdsa-with-sha1', 'ecsda-with-sha224', 'md2withrsaencryption', 'md4withrsaencryption', 'md5withrsaencryption', 'ripemd128withrsaencryption', 'ripemd160withrsaencryption', 'ripemd256withrsaencryption', 'ripemd128withrsa', 'ripemd160withrsa', 'ripemd256withrsa'
The following curves for peer certificates with the ECDSA signature algorithm in TLS services ( Inbound SMTP, Smart Licensing transport URL server, Enrollment Client , SSE server, Talos client, Syslog server, ECS , and Cisco Security Awareness cloud server) are not supported:
'secp224r1', 'secp192r1', 'brainpoolP160r1', 'brainpoolP192r1', 'secp160r1', 'secp160r2', 'prime192v1', 'secp192k1', 'secp224k1', 'secp256k1', 'sect163k1', 'sect163r2', 'sect193r1', 'sect193r2', 'sect233k1', 'sect233r1', 'sect239k1', 'sect283k1', 'sect283r1', 'sect409k1', 'sect409r1', 'sect571k1', 'sect571r1'
Expiry of Service Password
From the 15.0 release onwards, a remote access account created using the techsupport > sshaccess command remains active for 7 days. After that, you need to re-enable the remote access.
Additional Information
Cisco Secure Email Gateway Documentation
- Release Notes
- User Guide
- CLI Reference Guide
- API Programming Guides for Cisco Secure Email Gateway
- Open Source Used in Cisco Secure Email Gateway
- Cisco Content Security Virtual Appliance Installation Guide (includes vESA)
Secure Email Cloud Gateway Documentation
Cisco Secure Email and Web Manager Documentation
- Release Notes and Compatibility Matrix
- User Guide
- API Programming Guides for Cisco Secure Email and Web Manager
- Cisco Content Security Virtual Appliance Installation Guide (includes vSMA)
Cisco Secure Product (Rebranding) Documentation
Updated about 1 year ago