SMSMSE 6.5.2: Released Emails are Lost!
Hi all
I have a strange problem with SMSMSE 6.5.2 installed on two Exchange 2007 servers; one is the "Edge Transport" and the other is the "Mailbox" server. I have the following notes/questions:
1) When I release a quarantined email it will be delivered, but without the attachment (which triggered a content filtering rule). Why does this happen?
2) After some changes (I can't remember what exactly) released emails now never get delivered! What could have caused this?
3) Considering I have two Exchange servers as mentioned above, where is it best to set my Content Filtering rules?
4) How would I configure a rule that will block large attachments (e.g., 15 MB) and only based on the size, regardless of the sender, message body, etc.?
Many thanks in advance...
Comments
Hi Mohammad
Some answers for you below:
1.) When an item is quarantined, if it has an attachment, the attachment is quarantined as a separate item. So for example if an email came in with 2 attachments, there would actually be 3 separate items in the quarantine, 1 for the message body, and 2 attachments.
2.) This generally depends on why the item got quarantined in the first place. If the item was quarantined due to a content filtering rule, it should release with no problems. If it was quarantined due to a virus rule (unscannable and file filtering rules also fall under this category) the item will be quarantined again after releasing from quarantine. I refresh the quarantine view and see if the items are actually still in the quarantine. It will disappear from the view in this scenario until the quarantine view is refreshed, at which point it should show up again.
This may also be due to a change in the SMTP notification settings used for SMSMSE. See this document for helpful troubleshooting steps: http://www.symantec.com/docs/TECH98130
3.) This depends on what you are hoping to accomplish with the rules. If you primarily want to filter emails coming in from outside the network, configure the rules on the Edge server. If you want to stop emails inside the domain (from one user to another) or pull emails out of someone's inbox after they have been received, configure the rules on the Mailbox server.
4.) This could be accomplished in SMSMSE using a rule similar to the following:
However, I would recommend configuring the size limit within Exchange itself. Here is a link to a Microsoft article on how to accomplish this: http://technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx
Great Answers!
Hi GRoberts
Thank you for your valuable efforts. Actually, you have answered most of my concerns! (and that was an awesome screenshot by the way!!) From the details you have provided, I have some conclusions and also some other questions (please correct me where I am wrong):
- To release a message AND its associated attachment, I will have to select all related items from the list. But which one is the actual attachment; is it the one intercepted in the recipient's mailbox, or during "SMTP" transport?
- To block emails coming from an "external" domain, I must use Content Filtering rules on the Edge Transport server with the "Inbound" condition selected in the rule. Is it true that I MUST have the "Internal" option selected as well? What about emails going to an external domain? Should I also use the Edge server, or is it the Mailbox server that will come into play this time (with the "Outbound" option selected)?
- Regarding the rule shown in your screenshot, where does this have to be; Edge or Mailbox? Also, if I wanted to allow a specific sender to bypass this rule, can I simply add their SMTP email address on the "General" tab in the "Unless" box?
- If my domain is NewCompany.com.jo, would NewCompany.com.kw be treated as an internal domain or would I have to add it explicitly?
Finally, is there any document/article that provides best practices on what rules and/or configurations to set on each of the Exchange 2007/2010 roles?
Many many thanks!
Answers inline
- To release a message AND its associated attachment, I will have to select all related items from the list. But which one is the actual attachment; is it the one intercepted in the recipient's mailbox, or during "SMTP" transport?
This is really going to depend on the situation. If the rule fired on an "Inbound" message, the message will be quarantined during SMTP transport. If the rule is "Internal" or "Outbound" it's likely the message was quarantined from the user's mailbox, but there are a number of exceptions. It really depends on 1. where the rule is configured 2. If the rule is set to inbound, outbound, internal, or some combination thereof 3. How the message came in (from one internal user to another, outbound from your domain, inbound to your domain).
Application event logs can be helpful in determining which item is the original. Whichever item was quarantined first will be the original, and be stamped with a unique identifier (SYQ number) that you can use to cross reference the item in the quarantine.
- To block emails coming from an "external" domain, I must use Content Filtering rules on the Edge Transport server with the "Inbound" condition selected in the rule. Is it true that I MUST have the "Internal" option selected as well? What about emails going to an external domain? Should I also use the Edge server, or is it the Mailbox server that will come into play this time (with the "Outbound" option selected)?
I would recommend configuring all of your inbound and outbound rules on the Edge server, without checking the "Internal" option. For rules that should apply for one user to another, or strip content out of the user's mailbox, these should be configured on the hub and mailbox servers, with only "internal" checked. This way you'll know exactly which rules triggered at what level based on which server the items were quarantined on.
- Regarding the rule shown in your screenshot, where does this have to be; Edge or Mailbox? Also, if I wanted to allow a specific sender to bypass this rule, can I simply add their SMTP email address on the "General" tab in the "Unless" box?
As shown in the screenshot, this rule would apply this size limit only to inbound messages, and not those sent from one user to another. In this scenario, the rule should be applied on the Edge server. You are correct in how you would configure exceptions for specific users.
All this said, I would still highly recommend configuring some size limits in Exchange, and not relying on SMSMSE to apply your size limits. There is a good reason for this recommendation, as SMSMSE can only apply a size limit after the message has been fully received by Exchange transport and then passed to the scanner. This means your Edge server is still having to receive and process messages of any size, including extremely large messages, even though they will not be delivered to the end users. This could impact performance on the Edge server if multiple large attachments are received. When a size limit is applied in Exchange, the SMTP connection will be severed based on the total number of bytes of the MIME encoded message, which can be done before the message is even fully received. This prevents someone from sending multiple large attachments and potentially stopping your transport queues.
- If my domain is NewCompany.com.jo, would NewCompany.com.kw be treated as an internal domain or would I have to add it explicitly?
You'll need to add all domain suffixes explicitly under Admin -> System settings -> List of internal domains. Anything past the @ symbol in your email addresses you consider internal should be added here.
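The Exchange-side size limit recommended in the reply above, sketched for the Exchange Management Shell as an added example that is not part of the original thread or Symantec's documentation. The 15 MB value comes from the question; applying it to every receive connector on the server is an assumption, so narrow it with -Identity if some connectors need a different limit.

```powershell
# Added example: enforce a message size limit in Exchange transport itself,
# so oversized mail is refused during the SMTP session instead of being
# received in full and only then handed to the SMSMSE scanner.
#
# Note: Exchange measures the MIME-encoded message. Base64 encoding makes an
# attachment roughly one third larger in transit, so a 15MB limit refuses
# attachments noticeably smaller than 15 MB on disk.

# 1. Record the current limits before changing anything.
Get-TransportConfig | Format-List MaxReceiveSize, MaxSendSize
Get-ReceiveConnector | Format-Table Identity, MaxMessageSize -AutoSize

# 2. Organization-level transport limits.
Set-TransportConfig -MaxReceiveSize 15MB -MaxSendSize 15MB

# 3. Per-connector limit. This is the value checked on the inbound SMTP
#    listener. Assumption: the same limit is wanted on all receive connectors.
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 15MB

# 4. Confirm the new values took effect.
Get-TransportConfig | Format-List MaxReceiveSize, MaxSendSize
Get-ReceiveConnector | Format-Table Identity, MaxMessageSize -AutoSize
```

An SMSMSE content filtering rule can still run behind this limit for cases that need sender exceptions or quarantine instead of rejection.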
Thanks
Thank you, GRoberts
I appreciate your kind efforts. But still I have one more favor. As you noticed, this Edge-Mailbox thing is driving me crazy. I wonder if there is any document that outlines best practices for Symantec Mail Security with Exchange 2007/2010 and the recommendations for settings to implement on each server role.
Rgds