Incoming email from one particular sender, with attachments timing out.

Question

I have a Sophos UTM sitting in front of a X-Wall SMTP server.
The Sophos has its anti-spam settings turned off, so it is just doing NATTING on port 25 through to the X-Wall.

Emails from (at least) one particular sender, with some PDF attachments are timing out every time.
All other emails (that I am aware of) are come through OK.

Here is the relevant log from the x-wall:

16-08-12 00:07:44 0005: Connection opened by mail-sy3aus01on0102.outbound.protection.outlook.com [104.47.117.102]
16-08-12 00:07:44 0005: > 220 (removed - our mail server) ESMTP XWall v3.52
16-08-12 00:07:44 0005: < EHLO AUS01-SY3-obe.outbound.protection.outlook.com
16-08-12 00:07:44 0005: > 250-(removed - our mail server)
16-08-12 00:07:45 0005: < MAIL FROM:<removed> SIZE=551655 BODY=7BIT
16-08-12 00:07:46 0005: > 250 2.1.0 originator <removed> ok
16-08-12 00:07:46 0005: < RCPT TO:<removed>
16-08-12 00:07:46 0005: > 250 2.1.5 recipient <removed> ok
16-08-12 00:07:46 0005: < BDAT 532861 LAST
16-08-12 00:10:46 0005: Error: Timeout in reading data [9]
16-08-12 00:10:46 0005: Connection closed with mail-sy3aus01on0102.outbound.protection.outlook.com [104.47.117.102]

so it times out after 3 minutes.

I initially contacted X-Wall support, they are confident it is what is sitting in front of the X-Wall (The Sophos UTM) that is causing the issue.
My gut feeling is the Application Control, but I am unsure where I would check in the logs to find an answer, or see if this is occurring to other emails...

Any help or suggestions would be greatly appreciated.

This thread was automatically locked due to age.

BAlfson · Accepted Answer

Thanks for closing the loop on your question, Daniel. Another option would be to disable SID 39380 on the 'Advanced' tab. 
 Cheers - Bob

DanielBarnes · Answer

Ok, I found the cause (for other peoples reference)

UTM is misclassifying what I am believe is legit email traffic (since it is from *.protection.outlook.com and I am expecting it and it looks legit to me)
as "Intrusion protection".

UTM Intrusion protection log:

2016:08:16-06:10:39 utm snort[21128]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt" group="500" srcip="104.47.117.98" dstip="<local ip removed>" proto="6" srcport="10629" dstport="25" sid="39380" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2016:08:16-06:16:26 utm snort[21128]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt" group="500" srcip="104.47.116.124" dstip="<local ip removed>" proto="6" srcport="17526" dstport="25" sid="39380" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

2016:08:16-06:16:45 utm snort[21128]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt" group="500" srcip="104.47.117.130" dstip="<local ip removed>" proto="6" srcport="65168" dstport="25" sid="39380" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

As a work around I have configured an exception for Intrusion Prevention for any SMTP incoming traffic. Not perfect I know, but it is a work around that will get the email I need.