cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

6015
Views
15
Helpful
4
Replies
Ian Fox
Beginner

Message header limits on Ironport

I am getting issues on a RELAY mail flow policy where messages are being aborted with the error "Message header too big."

What is the default limit for message header sizes and how can you change it for particular senders?

4 REPLIES 4
Libin Varghese
Cisco Employee

Hi Ian,

There is a known defect in email delivery after upgrade to Async OS 9.6 due to the graymail header as mentioned in the below defect.

https://tools.cisco.com/bugsearch/bug/CSCuw09558/?reffering_site=dumpcr

The cause has been found to be the Ironport-PHdr header exceeding the RFC 5322 https://tools.ietf.org/html/rfc5322 section 2.1.1 maximum number of characters 998. The suggested size is 78 characters and the maximum size is 998 characters. When a header of over 998 characters exists per section 2.2.3 of RFC 5322 the header needs to be folded, which is currently not occurring. The non RFC compliant header is causing delivery issues.

Disabling Graymail feature would fix the issue but for customers wanting to use Graymail can create a content filter to strip the header "IronPort-PHdr" or upgrade to one of the fixed releases, if issue is determined to be due to the mentioned defect.

Unfortunately, you cannot control the size of headers on the ESA itself. However, you can set up injection debug logs to capture the SMTP conversation and determine which header is causing issues in your particular scenario and try and strip that header as a workaround.

These logs can be configured from the WebUI under System Administration -> Log Subscriptions -> Log Type: Injection debug logs -> Sender IP.

Regards
Libin Varghese

Thanks for the response Libin.

I have not Graymail enabled so it is not the bug. I have enabled the debugging though and can see it is the "To:" header which is too long. The messages that are getting issues are journalled messages from Exchange and have expanded all the distribution lists so the TO field is huge. Is there anyway I can deal with these messages as stripping the To field is not an option.

Networks have rules; the internet has requests for comment.

See https://tools.ietf.org/html/rfc5322#section-3.5 onward. My understanding is if your Exchange server is breaking the RFC, your gateway will only be the first of several problems.

Hi Ian,

Currently there is no way to change the requested setting for accepting larger message headers. The Ironport keeps to strict RFC compliance on message header length. Here is the relevant information from RFC 2822 about message header size:

There are two limits that this standard places on the number of characters in a line. Each line of characters MUST be no more than 998 characters, and SHOULD be no more than 78 characters, excluding the CRLF.

There are good reasons for these rules. E-mail is read by a variety of programs, on a variety of systems; the "lowest common denominator" is considered to be an 80-column text-mode display. Limiting lines to 78 characters ensures that they fit on such a display without lines going off the right edge or wrapping awkwardly. Thus, the "SHOULD" clause in
the standard, describing what ought to be done if possible (though it can be ignored in special cases, for instance to include a long URL without breaking it in the middle). The "MUST" clause gives a "hard" upper limit of 998 characters, beyond which you stand a chance of filling the input buffer in some programs and causing serious problems.

For practical purposes, lines should be broken at even less than 78 characters, since when a message is quoted back in a reply it might have angle brackets prefixed to it. The netiquette guidelines in RFC 1855 suggest limiting lines to 65 characters. This is a very conservative value; some users don't go this far, and use 70 or 75 instead. A high number
could run into problems if the message is repeatedly quoted.

Your sending mail server in this case sent a non RFC compliant email, which was rejected. You would need to fix this problem with your sending mail server, and only send RFC compliant email. Normally this issue is caused by a piece of mail with a large number of recipients, causing the email to exceed RFC restrictions. You may need to have them break up the distribution lists into smaller chunks on limit the number of lists added on each email instance.

- Libin

Create
Recognize Your Peers
Content for Community-Ad