
Oversized emails rejected but not logged

Hi,

Sophos UTM 9.411-3 with SMTP protection enabled.

The UTM is acting as an antispam filter between the ISP relay and our internal mail server.

We have a mail size limit enabled in the internal mail server and in the UTM (the UTM size limit is slightly higher).

The problem is that some emails are rejected due to large size but not logged in the UTM SMTP log, neither in the WebAdmin/Email Protection/Mail Manager/SMTP Log nor in the exported text-format log.

Is there verbose logging, or something similar, that I can enable to get a trace of the rejected emails in the SMTP log?



  • Nothing in the log?  What leads you to conclude that the emails reach the UTM at all?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:
    What leads you to conclude that the emails reach the UTM at all?

    The Non Delivery Report returned to the sender contains the following:

    Action: failed
    Status: 5.0.0
    Remote-MTA: dns; [UTM_External_IP_Address]
    Diagnostic-Code: smtp;cannot send to [UTM_External_IP_Address]: message is too large for the receiving server

     

    In the SMTP log downloaded from the UTM, the only trace I see that could be related to the message is a connection with our ISP relay that is opened then immediately closed:

    • SMTP connection from [ISP_Relay_IP_Address]:37119 (TCP/IP connection count = 1)
    • SMTP connection from [ISP_Relay_IP_Address]:37119 closed by QUIT

     

    Thank you for your help BAlfson.

  • If a friend in France, monami@orange.fr, were to try to send me an email with a 60GB attachment, I would see the same thing in our logs.  In fact the orange.fr mail relay would close the connection immediately upon learning that our 'Max message size' is 50MB.  The conversation would look like the following with our Proxy's responses in red.

    220 mxusa.mediasoft.com ESMTP ready.
    EHLO orange.fr
    250-mxusa.mediasoft.com Hello smtp.orange.fr [193.252.22.84]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    QUIT

    There is no further information sent by the orange.fr mail relay - no sender, no recipient, no subject, etc., so there's nothing more to log.

    I'm curious to know what happens when you set the 'Max message size' to 999 to allow the UTM to accept a message larger than your mail server will accept.  When your server refuses to accept it from the UTM, will the UTM then bounce the message? (it might take two days)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
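
Added example, not part of the original posts: a Python sketch that reads the SIZE limit out of an EHLO reply and lists log sessions that were opened and closed by QUIT with nothing in between, the pattern described above. The log lines are constructed in the shape quoted in the thread; the `<=` line format and the documentation IP addresses are assumptions.

```python
import re

# Constructed sample: the EHLO reply quoted in the post above.
EHLO_REPLY = """\
250-mxusa.mediasoft.com Hello smtp.orange.fr [193.252.22.84]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
"""
# Constructed log lines (documentation IPs). The "<=" line is an assumed
# Exim-style arrival record; adjust the patterns to your real log format.
LOG = """\
SMTP connection from [192.0.2.10]:37119 (TCP/IP connection count = 1)
SMTP connection from [192.0.2.10]:37119 closed by QUIT
SMTP connection from [198.51.100.7]:40022 (TCP/IP connection count = 1)
<= alice@example.org H=relay.example.org [198.51.100.7]:40022 S=20480
SMTP connection from [198.51.100.7]:40022 closed by QUIT
"""

def advertised_size(ehlo_reply):
    """SIZE limit in bytes; 0 = no fixed limit declared; None = not offered."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]SIZE(?:\s+(\d+))?\s*$", line, re.I)
        if m:
            return int(m.group(1) or 0)
    return None

def sender_gives_up(ehlo_reply, message_bytes):
    """True when a sender can tell from EHLO alone that the message is too big."""
    limit = advertised_size(ehlo_reply)
    return bool(limit) and message_bytes > limit

OPEN = re.compile(r"SMTP connection from (\[[^\]]+\]:\d+) \(TCP/IP")
CLOSE = re.compile(r"SMTP connection from (\[[^\]]+\]:\d+) closed by QUIT")

def empty_sessions(log_text):
    """Peers that connected and sent QUIT with no other log line naming them."""
    seen, quiet = {}, []
    for line in log_text.splitlines():
        if m := OPEN.search(line):
            seen[m.group(1)] = 0
        elif m := CLOSE.search(line):
            if seen.pop(m.group(1), None) == 0:
                quiet.append(m.group(1))
        else:
            for peer in seen:
                seen[peer] += peer in line  # count lines mentioning this peer
    return quiet
```

An empty session is only a candidate for a size-based abort; the sender's bounce report remains the place where the reason is recorded.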
  • Thank you Bob,

    I didn't know that the size limit was exposed as part of the EHLO response.

    Now I know :).