Hi and thanks for the answer.

The ironport giving me the error is reported on the error given back in this form:

Remote-MTA: dns; mx20.xxxxx.it. (xx.xx.xx.xxx, the server for the domain xxxxx.it.)
Diagnostic-Code: smtp; 552 size limit exceeded

so i know which of the ironport is giving me this message.

i modified every value of every field into mail flow policies taking it up to 30M but nothing changes.

And i do have only one listener.

Thanks again

The size of the actual email may be different from the size of the attachment being sent based on encoding and header information.

I would recommend testing by sending attachments of varying sizes to confirm after what point the email is being rejected.

- Libin V

Tried different sizes.

The only one that passes is 21.504KB (21MB)

22,23,24 are rejected

thanks!!

Can you share the mail_logs for the email that was rejected?

- Libin

i cannot find an evidence into the mail_log on my ironport about that error.

i assume i must look for the ironport that gives me back the error and so:

Remote-MTA: dns; mx20.xxxxx.it. (xx.xx.xx.xxx, the server for the domain xxxxx.it.)
Diagnostic-Code: smtp; 552 size limit exceeded

in this case the appliance regarding the mx20.

But if i send an email at 14.00 i cannot still find the mail_log for the 14.00, maybe there is still the 13.30 or 13.40, but not the one containing (maybe) the error.

You can try searching the mail_logs for the sending server IP, and then review individual ICID's for the mentioned time frame.

- Libin

i send the email from gmail.com, so it is not a private sender with a single ip address.

it is impossible to check this with ip address

The sending server hostname may contain ".google.com" which you can use to narrow down your search.

- Libin 

Hi,

i've gone through all logs file for today and i cannot find the:

552 size limit exceeded

seems like it is not being logged.

the option of logging rejected messages is on since we use ironport

The mail_logs accessed through the CLI should log all connections (accepted and rejected) by default. Enabling logging of rejected connections only affects the message tracking.

If a connection was rejected by the ESA then it should definitely show up in the mail_logs.

There is a possibility that the large sized email was rejected by another hop before the ESA such as the firewall and the bounce back email was generated by the ESA on its behalf.

- Libin

i usually download the mail_logs from the appliance and investigate them, is it the same of doing via CLI?

our fist public hop is the ironport infrastructure with mx records with internal nat.

this is the complete error:

Final-Recipient: rfc822; account@xxxxx.it
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx20.xxxx.it. (9x.xx.xx.xxx, the server for the domain xxxx.it.)
Diagnostic-Code: smtp; 552 size limit exceeded
Last-Attempt-Date: Wed, 31 May 2017 05:10:18 -0700 (PDT)

You can grep the mail_logs for the CLI for the mentioned time frame.

No mail_logs corresponding to that connection would suggest the connection was not rejected by the ESA.

I do not see any other configuration apart from the mail flow policy which would restrict the email size.

- Libin V

Hi,

i've aligned the configuration on all 3 appliances, under "hat overiew --> accepted, throttled, all" and now everyhting works fine.

thanks for all your support, this case is closed