Some messages fail delivery through Symantec Gateway Security v3.0x, and the notice: "Overly long message header field..." or "Invalid SMTP protocol (illegal length on message header)" is logged by SMTPd.
Article: TECH86645 | Created: 2007-01-26 | Updated: 2009-01-29 | Article URL: http://www.symantec.com/docs/TECH86645
Problem
Cause
These error messages indicate that the firewall is blocking an incoming SMTP message because a header field in the message is longer than a default (or configured) limit. When a header exceeds the limit, the email will be blocked by SMTPd. This behavior is by design. RFC 2822, section 2.1.1, which specifies the standard line length for SMTP conversations, states: Each line of characters must be no more than 998 characters, excluding the Carriage Return Line Feed (CRLF). Each line of characters should be no more than 78 characters, excluding the CRLF.
Solution
Both the default firewall behavior and the manner of resolving this issue differ depending upon the patch level of the firewall. In all cases the resolution involves adding an advanced option to change the firewall behavior. (See the section How to add an advanced option below if necessary.)
CAUTION: Extending the allowed header length to extreme sizes reduces security and could theoretically subject an email server to a buffer overrun. Please exercise caution when extending allowed header lengths.
When using Symantec Gateway Security 3.01 with bundle I or later
An example of a header length error message when using bundle I or later
- Event: Invalid SMTP protocol (illegal length on message header)
Component: smtpd
Source:
Destination:
Rule:
Details: Invalid SMTP protocol (illegal length on message header), Source IP=
The header name causing the error message can be seen in the log message under the "Target=" information. The length of the header is also logged with the information "Detail=Actual length is: xxxx". In the example above, the header name causing the error message is "Content-Type", and the length is 1049 characters.
Some long MIME header fields are "folded" onto more than one line. The maximum header line length restriction in smtpd applies to the total length of the header field, and not the individual lines. The log message reports the length of the first line of the header field; the actual length may be much longer.
The above error message format is used for the headers "Content-Type" or "Content-Disposition" (and possibly some other headers as well). For other headers, other error messages may be logged instead. Other error messages generally read "Invalid SMTP protocol (illegal length on message header)" in the event and detail information. The maximum default length configured in Symantec Gateway Security 3.0.x for the "Content-Type" and "Content-Disposition" Multipurpose Internet Mail Extensions (MIME) header fields is 200 characters. Most other headers have a longer allowed length by default (1024 characters), but other headers are less commonly seen.
You can increase the allowed length for individual header fields by entering advanced options for each header field name. The maximum length any header can be set to, by default, is 1024, but that maximum may be increased to 8192 by setting the "smtpd.max_header_line_length" advanced option.
Advanced options for SGS 3.0.1 Bundle I or later
- Option name: smtpd.max_header_line_length
Possible values: Up to 8192 (default 1024)
Option name: smtpd.length.Content-Type
Possible values: Up to smtpd.max_header_line_length (default 200)
Option name: smtpd.length.Content-Disposition
Possible values: Up to smtpd.max_header_line_length (default 200)
Note: You can define similar "smtpd.length" options for any MIME header field name.
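The following Python sketch is an added example, not Symantec code. It unfolds the header fields of a captured message and lists those whose total length exceeds the limits described above, which helps in choosing a value for an smtpd.length option. The function names are hypothetical, and it is an assumption that the limit is compared against the whole unfolded field (name, colon and value) with the CRLF terminators excluded.

```python
# Added example: find header fields that exceed per-header length limits
# like those described in this article.
# Assumption: the limit applies to the whole unfolded field (name, colon
# and value) with the CRLF line terminators excluded.

DEFAULT_LIMIT = 1024                     # default for most headers (per the article)
LIMITS = {"content-type": 200,           # smtpd.length.Content-Type default
          "content-disposition": 200}    # smtpd.length.Content-Disposition default

def _name(lines):
    return lines[0].split(b":", 1)[0].decode("ascii", "replace").strip()

def header_fields(raw: bytes):
    """Yield (name, physical_lines) per header field, keeping folded lines together."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    current = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and current:   # continuation of a folded field
            current.append(line)
        else:
            if current:
                yield _name(current), current
            current = [line]
    if current:
        yield _name(current), current

def over_limit(raw: bytes, limits=LIMITS, default=DEFAULT_LIMIT):
    """Return [(name, first_line_len, total_len, limit)] for fields over their limit."""
    hits = []
    for name, lines in header_fields(raw):
        total = sum(len(ln) for ln in lines)        # CRLFs were removed by the split
        limit = limits.get(name.lower(), default)
        if total > limit:
            hits.append((name, len(lines[0]), total, limit))
    return hits

# Constructed sample message: every physical line is short, but the folded
# Content-Type field as a whole is longer than the 200-character default.
SAMPLE = (b"From: a@example.com\r\n"
          b"Subject: report\r\n"
          b"Content-Type: multipart/mixed;\r\n"
          b"\tboundary=\"" + b"x" * 60 + b"\";\r\n"
          b"\tname=\"" + b"n" * 150 + b"\"\r\n"
          b"\r\nbody\r\n")

if __name__ == "__main__":
    for name, first, total, limit in over_limit(SAMPLE):
        print(f"{name}: first line {first}, unfolded total {total}, limit {limit}")
```

The gap between the first-line length and the unfolded total in the output is the same gap described above between the length reported in the log and the actual field length.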
When using Symantec Gateway Security 3.01 with bundle H (build 40551) or earlier
An example of a header length error message when using bundle H or earlier
- Event: Overly long message header field
Component: smtpd
Source:
Destination:
Rule:
Details: Overly long message header field: Source IP=
It can be difficult to determine exactly what header has exceeded the default length, as the header name is often not logged. For some error messages, the header name will be logged after the "Target=" entry in the log. If this entry is not present, the header name cannot be determined. If the header length must be longer than 1024 characters, the email message cannot be passed using the SMTP proxy while using bundle H or earlier. The only available options for passing the email in this scenario would be to install bundle I (or later), or disable the use of the SMTP proxy.
When legitimate messages are blocked due to header length issues and the header name is unknown, it is recommended to try adding the advanced options listed below to the firewall. The maximum length any header can be set to is 1024. Generally it is only helpful to set the Content-Type or Content-Disposition header lengths, as most other headers are already allowed the maximum length of 1024 characters by default. The suggested starting value is 400 if you make this change to extend the lengths of Content-Type or Content-Disposition headers. (If a length of 400 is not high enough, the value can be increased up to 1024.)
Advanced options for SGS 3.0.1 bundle H or earlier
- Option name: smtpd.length.Content-Type
Possible values: Up to 1024 (default 200)
Option name: smtpd.length.Content-Disposition
Possible values: Up to 1024 (default 200)
How to add an advanced option in Symantec Gateway Security 3.01
- In the left pane of the Security Gateway Management Interface, under System, click Administration.
- In the right pane, on the Advanced tab, click New.
- On the General tab of the Advanced Option Properties, in the Option name text box, type the parameters of the advanced option.
- On the Value tab, in the Value text box, type the number for the number of characters to allow, and then click Add.
- Click OK.
- On the System menu, click Activate.
- On the dialog that appears, click Yes to continue.
- For most advanced options, you must restart the appliance to ensure that the advanced option takes effect. For SMTP header length options, a reboot is not required. However, it may take a few minutes for the header length advanced option to take effect.
Legacy ID
2007511395812098