ESA Outgoing Content Filter - Encrypt and Deliver

C170 with version 9.7.0-125 and valid certificate for TLS.

Our outgoing content filter, which handles outbound email PXE encryption, has the action set to "Encrypt and Deliver Now (Final Action)". Within this action, our encryption rule is set to "Only use message encryption if TLS fails". This works as expected and PXE encryption is skipped if the destination MTA supports TLS, with ONE exception. Even when the destination MTA supports TLS, the PXE engine applies the message size limit to the email and will generate a "5.x.3 - PXE Encryption failure" if the message is over 7MB or so.

Why is the PXE encryption engine getting involved at all? The destination MTA supports TLS! This is frustrating. If the destination MTA supports TLS, then the global message size limit should apply. Not the PXE engine message limit!

Maybe I'm missing something?

Johnny

Mathew Huynh
Cisco Employee

Hey Johnny,

It looks like the behaviour of the content filter action "Encrypt and Deliver Now" falls, as per your findings, on the PXE encryption settings defined at GUI > Security Services > Cisco IronPort Email Encryption.

While it's TLS, as the action of the filter is based on the PXE encryption settings, you would need to increase the limit of the PXE encryption to match the size you would like to allow (Note: 20MB is the limit).

Whereas to use the global mail limits, you would disregard the filter and use the destination controls for the TLS requirement, and there will be essentially no limit for the delivery from the ESA side if it was allowed through at the HAT level (ICID).

Regards,

Matthew