Symantec Brightmail Gateway message audit log shows abort message entries.

Article:TECH85536  |  Created: 2007-01-07  |  Updated: 2012-02-07  |  Article URL http://www.symantec.com/docs/TECH85536
Article Type
Technical Solution


Issue



You notice a large number of entries in the Message Audit Log showing "Abort Message".

 


Error



You are tracking messages using the message audit log feature and you see entries that are missing information.

 

  • In the Control Center of Symantec Mail Security Appliance versions 7.6 through Symantec Brightmail Gateway 8.0, the Actions entry is "Abort Message".
  • In the Control Center of Symantec Mail Security Appliance version 7.5 or 5.0, only the fields "Time", "From" and "To" are displayed.
  • In the Control Center of Symantec Brightmail Gateway version 8.0.x or later, you see the action as "Abort Message".

Cause



This symptom occurs when a connection is interrupted during the message transmission, after the MAIL FROM (verb) and before the completion of the DATA command within the SMTP conversation.

Possible underlying causes may be:

1. The SMTP conversation was disrupted by a firewall, router or other upstream networking device. This is most frequently due to the upstream device performing filtering at the SMTP protocol layer, which introduces errors and delays that exceed the configured constraints within the Symantec Mail Security or Symantec Brightmail Gateway product.

2. The MTA portion of the product disconnected the SMTP connection before the end of the DATA command was reached. This is typically due to violation of a configured constraint within the Symantec Mail Security or Symantec Brightmail Gateway product, such as maximum allowed message size.

3. If the message and all extracted attachments are larger than 5 MB, and the Appliance uptime is greater than 30 days, a cleanup process may have removed the temp folder for virus scanning.


Solution




These symptoms may be resolved in multiple ways, depending on the underlying cause.

Symantec recommends that you attempt the resolutions in the order in which they appear.
 

  • Restart the operating system of the Symantec Mail Security or Symantec Brightmail Gateway Appliance.
  • Disable firewall features which perform SMTP filtration or proxying.
  • Increase timeouts and/or other constraints within the Symantec Mail Security or Symantec Brightmail Gateway Appliance.
  • Verify that the network interface card speed and duplex are manually configured in the appliance as well as in the switch port.
  • Disable reverse lookups on the Symantec Mail Security or Symantec Brightmail Gateway Appliance.
  • On Symantec Brightmail Gateway 7.7, 8.0 and 9.x, disable TCP Offload.


To disable SMTP filtration features within firewalls:

For directions specific to your firewall model, please contact your firewall manufacturer.

To disable SMTPD proxy within Symantec Gateway Security (SGS) 2.x/3.x:

  1. Disable the SMTPD proxy.
  2. Create a Generic Service Parser protocol on port 25/TCP for SMTP.

For more information, please consult your Symantec Gateway Security (SGS) 2.x/3.x documentation.

To set the network interface speed and duplex on Symantec Mail Security versions 4.x through 5.0:

  1. Log on to the web interface.
  2. Click Settings.
  3. Select Hosts on the left-side menu.
  4. Click the host whose value you want to change.
  5. Navigate to the Ethernet tab.
  6. Uncheck the field "Auto Negotiation".
  7. Set the proper "Speed" to 10/100 or 1000.
  8. Set the proper "Duplex" to Full or Auto.
    NOTE: The speed and duplex must match the switch port exactly.
  9. Click Save.


To set the network interface speed and duplex on Symantec Mail Security versions 7.5 through 8.0:

  1. Log on to the web interface.
  2. Click Administration.
  3. Select Configuration on the left-side menu.
  4. Click the host whose value you want to change.
  5. Navigate to the Ethernet tab.
  6. Uncheck the field "Auto Negotiation".
  7. Set the proper "Speed" to 10/100 or 1000.
  8. Set the proper "Duplex" to Full or Auto.
    NOTE: The speed and duplex must match the switch port exactly.
    NOTE: On Symantec Brightmail Gateway 8.0 you can also disable TCP Offload using these steps.
  9. Click Save.


Though not recommended, you may also try to resolve the issue by increasing the Session Timeout value for the SMTP conversation:

To change Session Timeout and Reverse DNS lookup behavior on Symantec Mail Security versions 4.x through 5.0:

  1. Log on to the web interface.
  2. Click Settings.
  3. Select Hosts on the left-side menu.
  4. Click the host whose value you want to change.
  5. Navigate to the SMTP tab.
  6. Click Advanced Settings.
  7. Increase the "Session Timeout" field to 5 minutes (the default is 30 seconds).
    NOTE: Symantec does not recommend setting it higher than 5 minutes.
  8. Uncheck the "Enable Reverse DNS lookup" boxes for the Inbound and the Outbound instances.
  9. Click Continue.
  10. Click Save.


To change Session Timeout and Reverse DNS lookup behavior on Symantec Mail Security versions 7.5 through 7.7:

  1. Log on to the web interface.
  2. Click Administration.
  3. Select Configuration on the left-side menu.
  4. Click the host whose value you want to change.
  5. Navigate to the SMTP tab.
  6. Click Advanced Settings.
  7. Increase the "Session Timeout" field to 5 minutes (the default is 30 seconds).
    NOTE: Symantec does not recommend setting it higher than 5 minutes.
  8. Uncheck the "Enable Reverse DNS lookup" boxes for the Inbound and the Outbound instances.
  9. Click Continue.
  10. Click Save.


To change Session Timeout and Reverse DNS lookup behavior on Symantec Brightmail Gateway 8.0 and 9.x:

  1. Log on to the web interface.
  2. Click Administration.
  3. Select Configuration on the left-side menu.
  4. Click the host whose value you want to change.
  5. Navigate to the SMTP tab.
  6. Click Advanced Settings.
  7. On version 9.x only, click the Delivery tab.
  8. Increase the "Session Timeout" field to 5 minutes (the default is 30 seconds).
    NOTE: Symantec does not recommend setting it higher than 5 minutes.
  9. Uncheck the "Enable Reverse DNS lookup" boxes for the Inbound and the Outbound instances.
  10. Click Continue.
  11. Click Save.




Technical Information
Well-known examples of SMTP filtration features within non-Symantec firewall products include, but are not limited to:

  • Application Intelligence for SMTP within Check Point NG Firewall
  • SmartDefense for SMTP within Check Point Firewalls
  • Mailguard within Cisco PIX
  • esmtp inspect on Cisco ASA 7.xx or later (enabled by default)


If the default timeout of 30 seconds is exceeded, the MTA of the Appliance terminates the SMTP conversation before the entire DATA portion of the message has been received. This behavior results in partial entries in the Message Audit Log. Firewalls which scan or proxy SMTP traffic to ensure that the traffic is valid can sometimes hold the connection long enough to exceed the timeout values that are built into the Appliance MTA to prevent denial-of-service attacks, which causes the connection to fail. Firewall devices which do not support ESMTP commands may also cause these disconnects.
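
Added example (not part of the original article and not Symantec code): a small classifier for an SMTP conversation taken from a packet capture, showing the abort window described under Cause (after MAIL FROM, before DATA completes) and the 30-second timeout check described above. The trace format, the state names and the classify function are assumptions made for illustration, and the sample traces are constructed.

```python
from datetime import datetime

SESSION_TIMEOUT = 30  # seconds; the default Session Timeout the article states

# Constructed trace, not appliance output: (time, side, line).
# "C" = sending client, "S" = appliance MTA, "X" = TCP connection closed.
STALLED = [
    ("12:00:00", "C", "MAIL FROM:<a@example.com>"), ("12:00:00", "S", "250 OK"),
    ("12:00:01", "C", "RCPT TO:<b@example.net>"), ("12:00:01", "S", "250 OK"),
    ("12:00:01", "C", "DATA"), ("12:00:01", "S", "354 Start mail input"),
    ("12:00:02", "C", "Subject: report"),
    ("12:00:40", "X", ""),  # body stalled upstream for 38 s, then disconnect
]
# Same session, but the body finishes and the appliance acknowledges it.
COMPLETE = STALLED[:7] + [
    ("12:00:03", "C", "MAIL FROM: quoted inside the body"),
    ("12:00:03", "C", "."), ("12:00:04", "S", "250 Queued"),
    ("12:00:04", "C", "QUIT"), ("12:00:50", "X", ""),
]

def classify(trace, timeout=SESSION_TIMEOUT):
    """Report whether a session ended inside the abort window and its longest stall."""
    state, prev, longest = "idle", None, 0  # idle -> envelope -> data -> sent -> idle
    for ts, side, line in trace:
        now = datetime.strptime(ts, "%H:%M:%S")
        if prev is not None and state != "idle":
            # Only silence inside an open mail transaction counts.
            longest = max(longest, int((now - prev).total_seconds()))
        prev = now
        if side == "X":
            break
        if side == "C" and state == "data":
            if line == ".":  # end-of-data marker; other body lines are content
                state = "sent"
        elif side == "C" and line.upper().startswith("MAIL FROM:"):
            state = "envelope"
        elif side == "C" and line.upper().startswith("RSET"):
            state = "idle"
        elif side == "S" and state == "envelope" and line.startswith("354"):
            state = "data"
        elif side == "S" and state == "sent" and line.startswith("250"):
            state = "idle"  # DATA completed and the message was accepted
    aborted = state != "idle"
    return {"aborted": aborted, "stage": state, "longest_gap": longest,
            "timeout_exceeded": aborted and longest > timeout}

if __name__ == "__main__":
    for name, trace in (("stalled", STALLED), ("complete", COMPLETE)):
        print(name, classify(trace))
```

An aborted session whose longest gap stays under the timeout points away from the Session Timeout and toward the other causes listed in the article, such as a configured constraint or an upstream device closing the connection.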



Legacy ID



2007090713043654

