Details About the user address caching feature of Symantec Mail Security for Microsoft Exchange (SMSMSE)

Article:TECH142538  |  Created: 2010-10-22  |  Updated: 2014-02-12  |  Article URL http://www.symantec.com/docs/TECH142538
Article Type
Technical Solution


Issue



SMSMSE rules provide the ability to specify a content filtering rule with  an SMTP address user condition.

1.       Open the SMSMSE console.
2.       Click Policies > Content Filtering Rules.
3.       Make note of all enabled content filtering rules.
4.       Right click each enabled content filtering rule, one at a time and then click Edit rule…
5.       Click the Users tab.
6.       In the SMTP Addresses (one per line) box, if there are any addresses in the format <name>@<domain>.<suffix> (for example name@domain.com) than the conditions are met to use this feature.

See the following article for more details: Specifying the users and groups to which the rule applies.

When SMSMSE runs on an Exchange Mailbox role there are times when Exchange VSAPI passes email to SMSMSE where the recipient or from information is of the following form:

/O=SYMANTEC/OU=USSITE/CN=RECIPIENTS/CN=JDOE

This format for a user is tied to the Active Directory attribute LegacyExchangeDN. With SMSMSE 6.5.1 and earlier the product issued real-time queries to Active directory in the form of a Lightweight Directory Access Protocol (LDAP) query in order to resolve these addresses.  In some environments the LDAP query responses took a long time which caused threads in the product to be unavailable for mail scanning as described in this article:  Mail flow is very slow or stops entirely when a content filtering rule for Symantec Mail Security for Exchange with a user condition is enabled.
 

 


Solution



With SMSMSE 6.5.2 and later each SMTP user condition is evaluated and queries are issued to Active Directory to obtain all possible legacy addresses. The results are cached in the memory of the  SAVFMSESp.exe process.  The cache is filled and updated at the following times:

  • During process startup
  • When content filtering rules are changed

This cache is only used on an Exchange Mailbox role server.  It is not used on other Exchange role server because SMSMSE is passed a valid SMTP address from the other roles. Since real-time queries are not performed there is no latency or additional overhead when evaluating the content filtering rules.  This also results in reduced scan times for email.

Errors Reported During Cache Building

If SMSMSE fails to build this cache for some reason, then it will retry building this cache after some time (1 hour by default). It will try maximum up to certain number of times (5 by default) before giving up building this cache.  In this situation, SMSMSE will continue to evaluate content rules in the old way by issuing LDAP queries and thus will still be able to apply content filtering rules accurately according to your user conditions.

When the cache is unable to be built the first time (or subsequent times) the following event is reported in the Windows Application Event log:

Log Name:      Application
Source:        Symantec Mail Security for Microsoft Exchange
Date:          3/27/2012 12:26:46 PM
Event ID:      403
Task Category: ADQuery
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      WIN-P5723T9FPJQ.benexchange2010.internal
Description:
Failed to get LegacyExchangeDN to build User Address Cache for the following SMTP addresses:@foo.com; @benexchange2010.internal; .

SMSMSE will retry building this cache after 60 minutes

 

When the cache is unable to be built after all attempts the following event is reported in the Windows Application Event log:

Log Name:      Application
Source:        Symantec Mail Security for Microsoft Exchange
Date:          3/27/2012 12:29:58 PM
Event ID:      402
Task Category: ADQuery
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      WIN-P5723T9FPJQ.benexchange2010.internal
Description:
Failed to get LegacyExchangeDN to build User Address Cache for the following SMTP addresses:@foo.com; @benexchange2010.internal;

 

Controls for User Address Caching

Note: All registry entries are case sensitive
 
On an Exchange Mailbox role server, this feature is ON by default. However, you can disable this feature if you would like. If you disable this feature, SMSMSE uses the old method of issuing an LDAP query for each message processed in order to evaluate content filtering user conditions.

Disable address caching

1. Open the registry editor (Start -> Run, Regedit).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\Components\NaveSp

3. Create a new DWORD value called UserAddressCacheEnabled.
4. Set the value to 0.
5. Restart the SMSMSE service.

Adjust the interval to build the cache

1. Open the registry editor (Start -> Run, Regedit).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\Components\NaveSp
3. Create a new DWORD value called UserAdrCacheBuildRetryIntervalInMin.
4. Set the value (in minutes) for the retry interval.

Note: if no value is set, the default retry time is 60 minutes.

5. Restart the SMSMSE service.

Adjust the number of cache building retries before failing and reverting to LDAP queries

1. Open the registry editor (Start -> Run, Regedit).
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\6.5\Server\Components\NaveSp
3. Create a new DWORD value called MaxRetryForUserAdrCacheBuild.
4. Set the value for the total number of retries.

Note: if no value is set, the default is 5 retries.

5. Restart the SMSMSE service.

 


Supplemental Materials

SourceETrack
Value2100369


Article URL http://www.symantec.com/docs/TECH142538


Terms of use for this information are found in Legal Notices