IBM(R) Lotus Protector for Mail Encryption Version 2.1.1 Release Notes
Thank you for using this IBM(R) Corporation product. These Release Notes contain important information regarding this release of Lotus Protector for Mail Encryption. IBM Corporation strongly recommends you read this entire document.
IBM Corporation welcomes your comments and suggestions. Please use the information provided in Getting Assistance to contact us.
Product: Lotus Protector for Mail Encryption
Version: 2.1.1
About Lotus Protector for Mail Encryption
Lotus Protector for Mail Encryption provides your enterprise with secure messaging: it transparently protects your messages without user interaction. It automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic. You can also send protected messages to addresses that are not part of the SMSA.
The Lotus Protector for Mail Encryption Server encrypts, decrypts, signs, and verifies messages, providing strong security through policies you control. PGP Universal Satellite provides security for email messages all the way to the computer of the email user, it allows external users to become part of the SMSA, and it gives end users the option to create and manage their keys on their own computer.
Lotus Protector for Mail Encryption Client provides IBM Lotus(R) enterprise customers with an automatic, transparent encryption solution for securing internal and external confidential email communications. Lotus Notes(R) offers a native encryption solution for secure messaging within an organization. While Lotus Protector for Mail Encryption Client can be used for internal-to-internal secure messaging, it is intended to secure the internal component of a message which is being delivered to an external recipient. With Lotus Protector for Mail Encryption Client, you can minimize the risk of a data breach and better comply with partner and regulatory mandates for information security and privacy.
What's Included in This File
- About Lotus Protector for Mail Encryption
- System Requirements
- Additional Information
- Getting Assistance
- Copyright and Trademarks
What's New in Lotus Protector for Mail Encryption 2.1.1
Lotus Protector for Mail Encryption 2.1.1 introduces the following new and improved features:
- X.509 certificates are available to your external users through the Protector for Mail Encryption Web Messenger interface. External users download the certificates, add them to their mail clients, and use them to communicate securely with users in your managed domain.
- You can now allow your external users to securely reply to PDF Messenger messages.
- The default mail policy includes the following changes:
- New default mail policy no longer uses opportunistic encryption. Email is secured only if the sender specifies (such as by selecting the Encrypt button in the email client).
- New default mail policy attempts to encrypt the mail if the subject line contains “PDF”, and the mail is delivered as a secure PDF message if the key is not found.
- The “Excluded Signed” and “Excluded Unsigned” rules are removed, as they are now part of opportunistic encryption.
- Secure Reply option for PDF Messenger is enabled by default.
- Added compatibility with Microsoft Outlook 2010 (32- and 64-bit).
System Requirements
Lotus Protector for Mail Encryption Server Requirements
Lotus Protector for Mail Encryption Server is a customized Linux(R) OS installation; it cannot be installed on a Windows(R) server. Every Lotus Protector for Mail Encryption Server requires a dedicated system that meets the system requirements listed in the Server Certified Hardware list that follows. The installation process deletes all data on the system and reconfigures it as a Lotus Protector for Mail Encryption Server.
Lotus Protector for Mail Encryption Client Requirements
Microsoft(R) Windows 2000 (Service Pack 4), Windows Server 2003 (Service Pack 1 and 2), Windows XP Professional 32-bit (Service Pack 2 or 3), Windows XP Professional 64-bit (Service Pack 2), Windows XP Home Edition (Service Pack 2 or 3), Microsoft Windows XP Tablet PC Edition 2005 (requires attached keyboard), Windows Vista (all 32- and 64-bit editions, including Service Pack 1 and 2), Windows 7 (all 32- and 64-bit editions).
Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.
Lotus Protector for Mail Encryption Server Certified Hardware List - Valid 01/14/2012 through 08/01/2012
You must obtain the latest version of this list for hardware purchasing decisions after 1/14/12.
The following systems are certified as the hardware for Lotus Protector for Mail Encryption:
- Dell PowerEdge R710
  Processor: Two Quad Core Intel XEON E5530 @ 2.4GHz
  Memory: 8GB RAM
  Storage: Two 146 GB 15K RPM SAS - SAS 6/iR RAID
  Network: Broadcom BCM5709 network controller
  Role: Medium/large environment production unit, cluster member
- IBM BladeCenter HS22
  Processor: Two Intel XEON E5530 @ 2.4 GHz
  Memory: 8GB RAM
  Storage: Two x 146 GB SAS 10K RPM - LSI Logic SAS1064E iR RAID
  Network: Broadcom BCM5709S network controller
  Role: Medium/large environment production unit, cluster member
- IBM System x3250 M3
  Processor: Intel XEON 3406 @ 2.8 GHz
  Memory: 6GB RAM
  Storage: Two x 146 GB 10K 2.5" SAS - IBM ServerRAID-M5015
  Network: Intel 82574L network controller
  Role: Medium/large environment production unit, cluster member
- IBM System x3650 M3
  Processor: Two Quad Core Intel XEON 5630 @ 2.53 GHz
  Memory: 16GB RAM
  Storage: Four x 300 GB SAS 10K RPM - IBM ServerRAID-M5014
  Network: Intel PRO/1000 Dual port server adapter with 82571EB chipset
  Role: Medium/large environment production unit, cluster member
- HP ProLiant DL120 G6
  Processor: Intel XEON X3440 @ 2.53 GHz
  Memory: 6GB RAM
  Storage: 250 GB 3G SATA
  Network: Broadcom BCM5723 network controller
  Role: Small/medium environment production unit
- HP ProLiant DL380 G7
  Processor: Two Intel XEON E5650 @ 2.67 GHz
  Memory: 12GB RAM
  Storage: Two x 146 GB SAS 15K RPM - HP Smart Array P410i RAID
  Network: Broadcom BCM5709 network controller
  Role: Medium/large environment production unit, cluster member
- VMware vSphere 4.1 Update 1 (supported platform, non-hardware)
  Sufficient processing power equivalent to a 3 GHz Intel Xeon must be dedicated to the Lotus Protector for Mail Encryption virtual machine.
  VMware Tools must be installed and configured in the Lotus Protector for Mail Encryption operating system.
  VMware ESX 4.1 Update 1 is certified without vMotion.
  Disk space requirements:
  - Small/medium environment: 50 GB minimum allocated to the VMware instance; 4 GB RAM dedicated to the VMware instance.
  - Medium/large environment: 100 GB minimum allocated to the VMware instance; 8 GB RAM dedicated to the VMware instance.
- VMware ESXi
Although a broad array of other hardware may work well with Lotus Protector for Mail Encryption, Lotus Protector for Mail Encryption has been tested with, and is compatible with, the systems in this list.
To qualify as Lotus Protector for Mail Encryption Certified Hardware, the server must be one of the versions listed and all components must be configured as specified. For support purposes, changing hard disk sizes within the same drive type (for example, 36 GB SCSI to 73 GB SCSI), or increasing memory or processor speed within the same type and family, still qualifies as the same system.
Email Client and Server Requirements
Lotus Protector for Mail Encryption Server and Protector for Mail Encryption Client are compatible with the following mailservers:
- Lotus Domino Server 8.5
- Lotus Domino Server 8.0.2
- Lotus Domino Server 7.0.3
- Microsoft Exchange Server 2007 SP1
- Microsoft Exchange Server 2003 SP3
- Microsoft Exchange Server 2010 SP1
Lotus Domino Server and Protector for Mail Encryption Client are compatible with the following email clients:
- Lotus Notes 7.0.3 (7.0.4)
- Lotus Notes 8.0.2 (Basic and Standard)
- Lotus Notes 8.5 (8.5.3) (Basic and Standard)
- Lotus Notes 8.5.2
Microsoft Exchange Server and Protector for Mail Encryption Client are compatible with the following email clients:
- Microsoft Outlook 2010 (32- and 64-bit)
- Microsoft Outlook 2007 SP1
- Microsoft Outlook 2003 SP3
Note: Support for Outlook is only with Exchange.
Protector for Mail Encryption Client supports the following messaging protocols:
- Notes RPC for Lotus Notes
- MAPI for Outlook
Protector for Mail Encryption Client does not support IMAP/SMTP/POP.
Lotus Protector for Mail Encryption Server supports the following messaging protocols:
- POP/POPS
- IMAP/IMAPS
- SMTP/SMTPS
- STARTTLS for POP/IMAP/SMTP
Lotus Protector for Mail Encryption Administrative Interface Web Browser Requirements
The Lotus Protector for Mail Encryption administrative interface has been fully tested with the following Web browsers:
- Windows: Internet Explorer 6 and greater
- Mac OS X: Safari 5.0 and greater
Although the administrative interface works with other Web browsers, we recommend these browsers for maximum compatibility.
Protector for Mail Encryption Web Messenger Web Browser Requirements
- Windows: Internet Explorer 6 and greater
- Mac OS X: Safari 5.0 and greater
PGP Universal Satellite for Windows Requirements
Note: We now support Microsoft Windows 7 operating systems in PGP Universal Satellite 3.0. As a result, we are ending PGP Universal Satellite support for Microsoft Windows 2000 Professional and Microsoft Windows 2000 Server & Advanced Server beginning with PGP Universal Satellite 3.1.
Before you install, you must verify that your system meets these minimum requirements:
- The following Microsoft Windows versions:
- Windows 7 (all 32- and 64-bit editions, including Service Pack 1)
- Windows Vista (32- and 64-bit editions)
- Windows XP (Service Pack 2 or 3)
- Windows Server 2003 (Service Pack 1)
Note: The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.
- 512 MB of RAM
- 64 MB hard disk space
- Internet Explorer 6 or greater
- Mozilla Firefox 1.0 and greater
PGP Universal Satellite for Mac OS X Requirements
- Apple Mac OS X 10.5.x, 10.6.x, or 10.7.x (Intel)
- 512 MB of RAM
- 64 MB hard disk space
Supported External Authentication Products
Lotus Protector for Mail Encryption Server is compatible with the following LDAP directory products:
- Lotus Domino Directory 8.5
- Lotus Domino Directory 8.0.2
- Lotus Domino Directory 7.0.3
- Microsoft Active Directory 2010
- Microsoft Active Directory 2008
- Microsoft Active Directory 2003
- OpenLDAP 2.3.x
- PGP Global Directory
For directory synchronization, Lotus Protector for Mail Encryption supports:
- LDAPv2
- LDAPv3
- LDAPS
For Protector for Mail Encryption Web Messenger external authentication, Lotus Protector for Mail Encryption supports:
- LDAPv2
- LDAPv3
- RSA Radius Server with RSA Authentication Manager 7.1
Additional Information
The following sections provide information related to specific features of Lotus Protector for Mail Encryption.
Please see the PGP Universal Satellite Release Notes installed with PGP Universal Satellite for additional information about that product.
Installation
- When the Lotus Protector for Mail Encryption Client is uninstalled, the PME Client registry information under HKEY_CURRENT_USER is not removed. [NBN]
- When you try to join a node to a cluster, this node is locked by the ignition key. As a result, the status of this node in the sponsor node appears as Pending even after the join is complete. [30233]
- During a PUP update, some exceptions appear in the logs. These exceptions have been noted and can be safely ignored. After the PUP update is complete, all services should start up correctly, and no additional exceptions should occur. [31060]
- Internal user enrollment is not supported on a DMZ node if the Host internal user private keys for Internal Users and Consumer Groups checkbox is not selected. [30166]
- When you select a location to save a backup, if you enter non-ASCII characters in the Backup Name field, an error message notifies you that your backup is invalid. Because different file systems treat multiple byte characters differently, your backup file name must consist only of alphanumeric characters. [30140, 18619]
- In the Cluster logs, when you join a node to a cluster, warning messages appear.
An example of a warning message is:
/usr/share/ovid/pgprep/rep-join-collect.py> pg_dump
These warnings are intended to be informative, and no action is required. [29773]
- When joining a node to a cluster, if the sponsoring server is busy (for example, while the nightly key maintenance process is running) it can take a long time for the join process to complete. If the join cannot be performed at another time, you need to stop crond and possibly shut down the key maintenance process before starting the join. Contact Lotus Protector for Mail Encryption Technical Support for help. [27841]
- Upgrading to Lotus Protector for Mail Encryption 3.0 removes LDAP query customization. When you upgrade to Lotus Protector for Mail Encryption 2.1.1 and later, customized LDAP queries must be recreated as necessary. With the enhancements to LDAP support in Lotus Protector for Mail Encryption 2.1.1, LDAP query customization may no longer be needed. [27366]
- An SSH key created and saved as a file using the PuTTY utility (PuTTYgen) cannot be imported as an Administrator key using the Key File import function. (Select System > Administrators, click the administrator name, and click + to add an SSHv2 key.) Instead, you must copy the key block from the PuTTY Key Generator and paste it in Key Block. [27325]
- After you add a new member to a cluster, if the sponsoring cluster member fails to immediately contact the new joining cluster member, check the joining cluster member. If this cluster member is waiting for contact from the sponsor, click Contact and try again. [25751]
- Before you upgrade to Lotus Protector for Mail Encryption 2.1.1, ensure that you do not have internal and external user policies with the same name. If you do, after migration, users will not receive the correct consumer policy. [23885]
- When you back up data on one Lotus Protector for Mail Encryption and restore the data to a different Lotus Protector for Mail Encryption, the MAC address information is incorrect. The MAC address on the restored Lotus Protector for Mail Encryption is set to the MAC address of the backed up Lotus Protector for Mail Encryption. You must contact Technical Support to correct the MAC address. [19895]
- After PUP updates, the screen is formatted incorrectly. You must clear the cache or refresh the browser screen. [18011]
- Do not use international characters when you specify file names for backup files. [10834]
- Do not use the Windows Repair functionality to repair Lotus Protector for Mail Encryption on a client installed on a Spanish operating system. If you need to repair the client installation, use the Windows Modify functionality or reinstall the client. [2675288]
Deployment
- When a NIC is set to a custom link mode, rather than auto-negotiate, the network driver no longer advertises other link speeds. Lotus Protector for Mail Encryption Server requires access to the list of possible link speeds to populate the Network Settings Link Speed menu. If you want to change the Link Speed from a custom setting, and no other custom settings appear, select Auto from the menu. Restart Lotus Protector for Mail Encryption Server. After restart, the Link Speed menu is populated with all available options for the NIC. [19287]
- MAC ID, MTU, and Link Speed are not applicable to Lotus Protector for Mail Encryption Server hosted on VMWare because the ESX server controls the network settings. However, when you create a new virtual interface, those settings are automatically populated. If your Lotus Protector for Mail Encryption Server runs on VMWare and you want to create a new interface or edit an existing interface, you cannot save your changes until you clear the auto-populated MTU, MAC ID, and Link Speed settings. [19810]
- Organization Keys with Japanese passphrases cannot be imported. [18620]
- You cannot use spaces in the name of the backup FTP server. [15491]
- HTTP-based services do not support port numbers higher than 32767. [25784]
- Lotus Protector for Mail Encryption does not provide out-of-the-box support for LDAP synchronization in environments where multiple LDAP servers contain identical samAccountName values for different users. If your environment contains multiple LDAP domains with some users having identical samAccountName values, please contact PGP Support for guidance on how to deploy Lotus Protector for Mail Encryption into your environment. [25299]
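The following is an added pre-deployment check for the LDAP synchronization limitation described in the item above; it is not part of the release notes or of the product. Given user records exported from several directory domains, it reports sAMAccountName values that are shared by different users in different domains. The export structure, domain names and user records are constructed for this example, and using the mail attribute to decide whether two records are the same person is an assumption of the example.

```python
"""
Added example (not IBM's or the product's code): find sAMAccountName values
that refer to different users in different LDAP domains, which the server's
LDAP synchronization does not support out of the box.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample exports: one list of (sAMAccountName, mail) per domain.
# Replace with records pulled from each of your own directory servers.
SAMPLE_EXPORTS: Dict[str, List[Tuple[str, str]]] = {
    "corp.example.com": [
        ("jsmith", "john.smith@corp.example.com"),
        ("mjones", "mary.jones@corp.example.com"),
        ("svc-backup", "backup-svc@corp.example.com"),
    ],
    "emea.example.com": [
        ("jsmith", "jane.smith@emea.example.com"),  # same name, different person
        ("pmueller", "p.mueller@emea.example.com"),
        ("mjones", "mary.jones@corp.example.com"),  # same person present in both domains
    ],
}


def find_colliding_accounts(exports: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Dict[str, str]]:
    """Return {sAMAccountName: {domain: mail}} for names that appear in more than
    one domain with differing mail addresses, i.e. different users behind one name.
    sAMAccountName is compared case-insensitively, as Active Directory does.
    Assumption (this example only): the mail attribute identifies a person."""
    by_name: Dict[str, Dict[str, str]] = defaultdict(dict)
    for domain, records in exports.items():
        for sam, mail in records:
            by_name[sam.lower()][domain] = mail.lower()
    collisions: Dict[str, Dict[str, str]] = {}
    for sam, per_domain in by_name.items():
        if len(per_domain) > 1 and len(set(per_domain.values())) > 1:
            collisions[sam] = per_domain
    return collisions


def report(collisions: Dict[str, Dict[str, str]]) -> List[str]:
    """One human-readable line per colliding account name, sorted for stable output."""
    lines = []
    for sam in sorted(collisions):
        detail = ", ".join(f"{d} -> {m}" for d, m in sorted(collisions[sam].items()))
        lines.append(f"{sam}: {detail}")
    return lines


if __name__ == "__main__":
    found = find_colliding_accounts(SAMPLE_EXPORTS)
    if not found:
        print("No conflicting sAMAccountName values across domains.")
    for line in report(found):
        print(line)
```

Run this against exports from every domain you intend to synchronize before deploying; any line it prints is a case to raise with support, as the note advises.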
- If you add Lotus Protector for Mail Encryption to its own keyserver list at Keys > Keyservers, you must add it using the IP address. If you add it using the Lotus Protector for Mail Encryption hostname, key lookups on that keyserver fail. [24698]
- To create a mail policy rule for expanding the To list for messages to mailing lists, make sure the conditions are in the correct order, or the rule is not applied. The correct order for the conditions must be:
- Recipient domain <is/contains/matches>.
- 'Recipient address is mailing list'
- 'Mailing list user count is' <greater than/fewer than>
[23723]
- Sometimes, after you request the deletion of a cluster member, the deletion may not propagate fully around the cluster. In this case, it is safe to repeat the deletion action as necessary. [23694]
- With Microsoft Internet Explorer 8, security can be set to a HIGH state, which disables Javascript on most web pages. With Javascript disabled, Lotus Protector for Mail Encryption Server's management console (administrative interface) and Protector for Mail Encryption Web Messenger login will not function. Make security exceptions for Lotus Protector for Mail Encryption Server in IE 8's security settings, or use a different browser to access the administrative interface. [23688]
PGP Keys
- When you export a common certificate for an internal user and save the Zip file, only one .p12 file is saved. The other .p12 file is corrupted. We recommend that you export each certificate separately for each internal user. [30707]
- After an internal user submits public keys to the PGP Verified Directory, if you search for the user by Name, you cannot find the user. There are no issues when you search by Email, or by Name or Email. [30694]
- After you enroll an internal user to a configured certificate policy, although the enrollment completes without errors, the process results in the following:
- A managed user without a managed key in Lotus Protector for Mail Encryption.
- An untrusted user key in the PGP Desktop client. [30354]
- The Generate AD Group Keys dialog box in the Managed Keys page does not currently support selecting of Active Directory group names with non-ASCII characters. The operation will fail if a non-ASCII name is selected. [30000]
- When an external user performs an LDAP lookup against an internal user who has both a Lotus Notes and an SMTP address, the Lotus Notes address may be returned. This may result in some email clients refusing to encrypt to the returned X.509 certificate. [29293]
- After internal user A sends an email to an internal user B, if you revoke a non-SKM key for internal user A, the key displays as valid until after your regular cron job. After the cron job is complete, the key displays as revoked. There are no issues when you revoke SKM keys. [29026]
- On the Clustering page, if you deselect the Host private keys for internal users and Consumer Groups checkbox in the Add/Edit Member dialog box, and then reselect it, saving after each selection, the cluster member repopulates the Managed Key database with the private keys. However, the indices to the keys are erased and not rebuilt.
Although the server can still perform functions, such as encrypting and decrypting email, it cannot display the existing managed keys. As a result, key lookup requests through the UI, VKD, or LDAP on that cluster node fail. This does not affect the key management features on other cluster members, and you can still display and search for keys on those nodes. On the Managed Key page, if a cluster node is unable to display the existing keys, we recommend that you remove the node from the cluster and add it back as soon as possible. [25906]
- Signature operations may download the private portion of the MAK key to the managed PGP Desktop, even if the key is SKM. These operations include signing a document and validating the signature on a document. Downloading the private portion of certain types of keys may be a security problem in some environments. [26106]
- On the Managed Keys page, the name associated with a managed key should be the primary email address associated with the key, not the last listed email address. [25115]
- Exporting or deleting tens of thousands of user keys at a time can take hours, or can fail. Export fewer keys at a time, or contact IBM Support for help. [15998]
- When making any changes that affect which TLS client certificates are permitted to access the keyserver service, you must disable, and re-enable the keyserver service for these changes to take effect. [6533]
Messaging
- To make the exported delivery receipts file for Certified Delivery display Japanese characters correctly, you must save the file as UTF-8:
1. Export the CSV file.
2. Open the file as UTF-8 with an editor that supports UTF-8 and click Save.
The file converts to UTF-8 format. [24466]
- When an imported external user key is used to encrypt outgoing messages, the logs report that the key was found in Internal User Keys, rather than External User Keys. [23757]
- Messages encrypted by Lotus Protector for Mail Encryption in this release are intended to maintain secure data privacy until the email is opened with decryption by the recipient. For this reason please note: An unopened encrypted message is not decrypted when dragged and dropped into Lotus Quickr and Lotus Connections. [NBN]
- In Lotus Protector for Mail Encryption Server 2.1.1, the server no longer returns an unverified key for encryption purposes when the key lookup request by clients is for a verified key. Administrators must select the unverified keys for their users, especially for external users using PGP Universal Satellite, and must manually trust these unverified keys by signing them with a key that the server trusts. [25836]
- Microsoft Outlook 2007 uses extensive processing time to handle extremely large HTML attachments. The connection with the Lotus Protector for Mail Encryption Server may time out before the message can be sent. [12545]
- Characters added in versions of Unicode after 3.0 are not supported in Lotus Protector for Mail Encryption Server Dictionaries. [10367]
- Some of the more obscure authentication methods for POP/IMAP/SMTP may not work through Lotus Protector for Mail Encryption Server. We recommend always activating SSL/TLS between your client machines and Lotus Protector for Mail Encryption Server. If you are also deploying PGP Universal Satellite internally, it will automatically probe for SSL/TLS on the server and upgrade mail connections to use it whenever possible. Plain, Login, MSN, NTLM, and CRAM-MD5 authentication are officially supported in this release. [NBN]
- Microsoft Outlook:
  - Messages that have been processed by PGP Desktop cannot be modified from the Microsoft Outlook Outbox. [20269]
  - MAPI/Exchange users and inline objects: If you are a MAPI/Exchange user, and you are sending messages containing embedded content in a proprietary format (inline objects), PGP Desktop will secure the complete message. This will cause inline objects to be readable/viewable only by recipients in a MAPI/Exchange environment. [5530]
- Lotus Notes:
  - Lotus Notes and disabled users: When a user has been disabled, email sent by the user is initially blocked. To work around this issue, send the email again and the email is sent in the clear, as expected. [12234]
  - Lotus Notes and disabled users: When a user has been disabled, and then re-enabled, the user must restart Lotus Notes to send encrypted email. [12236]
- When sending PGP encrypted email, there is a minor inconsistency in Russian text font conversions. [26719]
Protector for Mail Encryption Web Messenger
- Messages opened from the Sent messages list cannot be deleted. To delete a message, select the message in the list and then click Delete. [2591979]
- If you create a Complete Customization template and name it so that it is inserted between two existing Simple Customized templates, the Download icon only appears for the Complete Customization template and the templates that appear after it. To download the Simple Customization templates that appear before the Complete Customization template, you must mouse over the Simple Customization template for download instructions. [30877]
- Depending on your Microsoft Windows version, opening files with non-Latin filenames directly from Protector for Mail Encryption Web Messenger may result in garbled filenames. To avoid this problem, save attachments to your desktop before opening them. [12011]
- Replies to Protector for Mail Encryption Web Messenger email messages may not work if a load balancer is directing traffic for the untrusted interfaces of a cluster of Lotus Protector for Mail Encryption Servers in gateway placement. A workaround is to disable any rules your hardware may enforce that prohibit traffic to a virtual server from a member of the load balancing pool. Check with your hardware vendor to determine if this is possible. [NBN]
- Protector for Mail Encryption Web Messenger mailbox quotas of up to 2 GB are supported for this release. [7986]
- Sending concurrent Mail Encryption PDF Messenger messages to large numbers of recipients is not recommended. Limit the number of concurrent recipients to 200 at a time. [17751]
- When a Mail Encryption PDF Messenger message with a large attachment is sent out of the mail stream, the connection to the Lotus Protector for Mail Encryption Server times out before the mail is sent. [15916]
Getting Assistance
For additional information about Lotus Protector for Mail Encryption and how to obtain support, see Lotus Protector for Mail Encryption.
Copyright
Copyright Information
Copyright © 1991-2012 by Symantec Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation.
© Copyright IBM Corp 1994, 2013.
Trademark Information
Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.