Data Loss Prevention

  • 1.  Email Prevent and IronPort as downstream MTA

    Posted Aug 27, 2014 03:50 PM

    Is anyone else seeing issues in DLP version 12.x with corrupted emails to recipients?  I am hearing that IronPort is "Cleaning" Bare CRLFs out of fragmented packets before reassembling them, which is breaking the message header.

    Proposed solution is to change a setting in IronPort to NOT clean BARE CRLF.

    Want to understand the risk in doing so.

    Thanks,

    Bob.



  • 2.  RE: Email Prevent and IronPort as downstream MTA

    Posted Sep 18, 2014 07:52 PM

    Hi bob_b,

    We are experiencing the same issue with version 11.6.2 and Ironport.  We've confirmed selecting "NOT clean BARE CRLF" fixes the issues, but it looks as though that option will be deprecated in the future. 

    Did you learn anything more about this in your research?  We'll be hitting up Ironport and Symantec regarding this issue.



  • 3.  RE: Email Prevent and IronPort as downstream MTA
    Best Answer

    Posted Sep 19, 2014 08:44 AM

    We were able to re-create and capture a trace when the error occurred.  We worked with Symantec and Cisco and Cisco is working on a hotfix scheduled to be released in early October, 2014. defect #CSCzv55504


    While it is a bug in Cisco's IronPort product, the trace also showed that Symantec is sometimes only sending 1 byte of data in a TLS packet which causes the issue.  This is not illegal according to the TLS specs, but it is not optimal.   They may be looking into that.


    Hope it helps.  I would make the setting to "Allow bare CR/LF" in IronPort in the meantime.


    Bob.
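To make the failure mode the thread describes concrete, here is an added illustration (not code from the thread, from Cisco or from Symantec) of what goes wrong when a "bare CR/LF" filter runs on each TLS record separately instead of on the reassembled stream. It assumes the mechanism the posts describe: the upstream sender emits a one-byte record, so a header-terminating CRLF straddles a record boundary and each half looks "bare" to a per-record filter. The message and the record sizes are constructed for the demo.

```python
"""Per-record vs. post-reassembly bare-CR/LF cleaning.

Constructed illustration of the corruption described in this thread;
the filter, the message and the record boundaries are assumptions for
the demo, not the real IronPort or Email Prevent implementation.
"""

CRLF = b"\r\n"

# Constructed SMTP message: two header lines, blank line, one body line.
MESSAGE = b"From: alice@example.com\r\nTo: bob@example.com\r\n\r\nHello\r\n"

# Record cut points chosen so the CRLF after the From: header is split:
# record 1 = "From: alice@example.com", record 2 = "\r" (a 1-byte record),
# record 3 = "\nTo: bob@example.com..." (starts with the orphaned LF).
CUTS = [len(b"From: alice@example.com"), len(b"From: alice@example.com") + 1]


def clean_bare_crlf(data: bytes) -> bytes:
    """Drop every CR or LF that is not part of a CRLF pair in `data`."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i:i + 2] == CRLF:        # proper pair: keep both bytes
            out += CRLF
            i += 2
        elif data[i:i + 1] in (b"\r", b"\n"):  # lone CR or LF: discard
            i += 1
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def split_records(data: bytes, cuts: list) -> list:
    """Split `data` into records at the given byte offsets."""
    bounds = [0] + list(cuts) + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


def clean_per_record(records: list) -> bytes:
    """Filter each record on its own, then concatenate (the buggy order)."""
    return b"".join(clean_bare_crlf(r) for r in records)


def clean_after_reassembly(records: list) -> bytes:
    """Concatenate first, then filter the whole stream (the correct order)."""
    return clean_bare_crlf(b"".join(records))


def header_lines(message: bytes) -> list:
    """Return the header lines of an RFC-5322-style message."""
    head, _sep, _body = message.partition(CRLF + CRLF)
    return head.split(CRLF)


def demo() -> dict:
    """Run both orderings over the constructed records and compare headers."""
    records = split_records(MESSAGE, CUTS)
    buggy = clean_per_record(records)
    correct = clean_after_reassembly(records)
    return {
        "records": records,
        "per_record": buggy,
        "after_reassembly": correct,
        "per_record_headers": header_lines(buggy),
        "after_reassembly_headers": header_lines(correct),
    }


if __name__ == "__main__":
    result = demo()
    for name in ("per_record", "after_reassembly"):
        print(f"{name}: {result[name]!r}")
        print(f"  header lines: {result[name + '_headers']}")
```

Filtering after reassembly leaves the message untouched, because it contains no bare CR or LF at all; filtering per record removes the split CR and LF independently, so the `From:` and `To:` headers run together into a single malformed header line. That is the check worth doing when reproducing this with a packet trace: look at whether the CRLF that disappears sits exactly on a record boundary.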



  • 4.  RE: Email Prevent and IronPort as downstream MTA

    Posted Sep 20, 2014 11:12 AM

    Thanks for that update!  Very helpful.