Maximum encrypted message size

RSteveKadish
Level 1

Hi all,

What is the largest size message that can be encrypted by the IronPort ESA PXE engine?  Is this a configurable parameter?

Thanks very much,

- Steve

Mike Kwilosz
Level 1

I actually have the same question and I'm looking for an answer also.

I believe from the testing I've done that the current default PXE size is set to an encrypted size of 10MB. I believe this was put into place when version 7.6 of AsyncOS was rolled out.  I also assume the reason this was put into place was because of a common issue we were experiencing where customers of ours would try to send out extremely large emails that required encryption and it would effectively make our IronPort become unresponsive to the point that we would have to manually hard power cycle them.  Also bringing up the question again of why don't our C370's have DRAC cards in them.  I am yet to figure out if there is a way to adjust this size.

I sent in a support case to ask for the same information.  If I receive a reply back I'll update you.

Thanks,

Mike

Hi Mike,

Coincidentally, I got an answer on this just today from IronPort Support:

Starting with the 7.6.0-444 version, the size limit has been changed to 10MB as the previous size limit of 40MB was causing too many issues such as the encryption engine locking up so therefore the limit was reduced. For the 10MB size limit about 20% also needs to be accounted for MIME inflation so the actual limit is really about 8MB.

- Steve
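
Added example, not part of the original thread or of any Cisco tooling: a pre-send check that measures how large a message actually becomes once an attachment is MIME-encoded, and finds the largest raw attachment that still fits under a given limit. It assumes the limit is compared against the serialized MIME size and counted in binary megabytes; the addresses and file name are constructed.

```python
from email.message import EmailMessage
from email.policy import SMTP

MB = 1024 * 1024  # assumption: the limit is counted in binary megabytes


def wire_size(attachment_len, body="See attached."):
    """Serialized size in bytes of a message carrying one binary attachment."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "sender@example.com"      # constructed sample addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "size check"
    msg.set_content(body)
    # add_attachment() base64-encodes binary data and wraps it at 76 columns
    msg.add_attachment(bytes(attachment_len), maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return len(msg.as_bytes())


def max_attachment(limit_bytes):
    """Largest raw attachment whose serialized message still fits the limit.

    wire_size() never shrinks as the attachment grows, so a binary search
    over the attachment length finds the boundary.
    """
    lo, hi = 0, limit_bytes
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if wire_size(mid) <= limit_bytes:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    limit = 10 * MB  # the limit discussed in this thread
    fits = max_attachment(limit)
    print(f"limit {limit / MB:.0f} MB -> largest raw attachment "
          f"{fits / MB:.2f} MB ({wire_size(fits) / fits:.2f}x on the wire)")
```

With base64 and CRLF line endings every 57 raw bytes become 78 bytes on the wire, so the measured figure for a specific message is the one to plan around.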

Thanks Steve.  I actually received the same response yesterday also.  I'm fine with the change since we were definitely experiencing the lockup when someone tried to push an extremely large file through the DLP system.  My concern now is what to do if someone needs to send a file larger but the DLP policy is trying to trigger and encrypt the message.  I'm thinking of possibly creating a bypass message filter so if a certain keyword is found in the subject line the message immediately gets emailed without scanning for DLP.  Of course this brings up the concern of people sending out items they shouldn't be and bypassing the DLP policy.  I'm thinking I could CC our Management on any sensitive information that has been requested to be sent unencrypted to avoid it being taken advantage of.

Mike, that's definitely a concern.  We are not doing any automatic encryption yet, but we will be in the future.  I did see one incident in our tracking logs where it looked like IronPort defaulted to TLS when a message was too large to be encrypted, but I'm not sure if that was by design.

I came to this thread after one of my users had a message bounce that was only about 7.2MB.

I understand Cisco wants to cut down on support calls and costs but this seems like a drastic reduction.  We're a very small shop and rarely send out messages of any kind over 10MB but it's the big ones that are usually the most sensitive, yes?  I would very much like to see this limit at least somewhat configurable in the future, even if it's capped at, say, 20MB, or even maybe see it indexed on throughput but effectively cutting the limit of what can be protected by 75% or more puts a huge dent in the value argument for IronPort.  The ability to easily encrypt anything from any device is the prime reason we have IronPort versus numerous other options.

We renewed this year but if this is not addressed it will put a serious damper on our enthusiasm to spend the extra cash next year.

Any changes for this on version 10 ESA?  I'm getting bounced email at 27MB.  Can this be configured now?

I'm pretty sure the max is 25.

(taken from my help file on my 11.0 appliance)


Step 3

(Optional) Click Edit Settings to configure the following options:

* The maximum message size to encrypt. Cisco's recommended message size is 10 MB. The maximum message size the appliance will encrypt is 25 MB.

  Note: Encrypting messages larger than the recommended 10 MB limit may slow down the performance of the appliance. If you are using the Cisco Registered Envelope Service, message recipients will be unable to reply to an encrypted message that has attachments larger than 10 MB.

* Email address of the encryption account administrator. When you provision an Encryption Profile, this email address is registered automatically with the encryption server.
* Configure a proxy server.