Why the Ironport ESA/SMA cannot record the log of the exceed mail size message from the Gmail?

waynebccs · ‎11-06-2015

Why the Ironport ESA/SMA cannot record the log of the exceed mail size message from the Gmail?
The Gmail account was received the reject message because the mail size limit exceeded, but I cannot find the tracking log in the Ironport.

Mathew Huynh · ‎11-09-2015

Hello Wayne,

There is two forms of rejection by size.

If gmail was rejected by the SIZE while negotiating the SMTP session, you will not see the results on the message tracking unless you enabled Message Tracking Rejection Handling (GUI > Security Services > Message Tracking > Enable Connection Rejection Handling) but this can be resource intensive.

If the email is rejected while data transfer as it exceeded the size limits, then you will see it in the message tracking.

You can find both instances in the mail_logs though.

Example of mail rejection can happen while Data transfer then size limits met, connection is cut, or at the negotiation part:

SMTP connection negotation Rejection (cannot be seen in the message tracking until enabled to)

Escape character is '^]'.
220 C680.esa.lab ESMTP
EHLO test.com
250-C680.esa.lab
250-8BITMIME
250-SIZE 20971520
250 STARTTLS
mail from:<matt@testlab.com> SIZE=20971521
552 size limit exceeded

Other one you'll see in tracking when Sender + recipient defined, and it eventually gets rejected due to size. This occurs when the original message size is not announced at the mail-from portion so the ESA accepts the email and counts the size as it comes in and rejects it at the end if it exceeded size.

To check the mail_logs it would be:

Tue Nov 10 12:47:30 2015 Info: New SMTP ICID 451 interface Management (11.1.1.12) address 10.1.1.12 reverse dns host unknown verified no
Tue Nov 10 12:47:30 2015 Info: ICID 451 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Nov 10 12:47:47 2015 Info: MID 0 ICID 451 Receiving Failed: Message size exceeds limit

Rejected after entire mail transfer is done and exceeded size (seen in message tracking)

Tue Nov 10 12:51:02 2015 Info: New SMTP ICID 452 interface Management (10.1.1.12) address 11.1.1.12 reverse dns host unknown verified no
Tue Nov 10 12:51:02 2015 Info: ICID 452 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Nov 10 12:51:09 2015 Info: Start MID 547 ICID 452
Tue Nov 10 12:51:09 2015 Info: MID 547 ICID 452 From: <matt@testlab.com>
Tue Nov 10 12:51:13 2015 Info: MID 547 ICID 452 RID 0 To: <mat@cisco.com>
Tue Nov 10 12:51:16 2015 Info: MID 547 ICID 452 Receiving Failed: Message size exceeds limit
Tue Nov 10 12:51:16 2015 Info: Message aborted MID 547 Receiving aborted
Tue Nov 10 12:51:16 2015 Info: Message finished MID 547 aborted

Regards,

Matthew

waynebccs · ‎11-12-2015

Hello Matthew,

The Ironport has enabled "Rejected Connection Handling" feature.
I had tested from Gmail, but it still not record log.
What step I missed？

Thanks

Wayne

Mathew Huynh · ‎11-12-2015

Hey Wayne,

The log is recorded from my testing, but to actually locate it is the issue i believe. As there is no searchable criteria and you'll need to review the entire tracking query based on time-frame.

Regards,

Matthew

slicciardola · ‎05-30-2017

Hi,

in my case i find the logs and the error, but dunno why.

I've set an accept size limit on mail flow policy of about 40M but the problem still occours.

I cannot understand why if i even set a limit of 50M i can only receive files under 20M

any help would be really appreciated