If Encryption Management Server is clustered and some cluster members have the Web Email Protection service enabled and some do not, the quota information for each user is not enforced properly.

This can result in Web Email Protection users being told they have no quota remaining even if they have an empty mailbox.

It can also result in Web Email Protection users going over their quota.

This occurs if the cluster members that have the Web Email Protection service disabled process outbound messages for Web Email Protection users.

Symantec Encryption Management Server 10.5 and above.

Quota usage is only replicated between cluster members that have the Web Email Protection service enabled and Message Replication set to All under Web Email Protection options.

Quota limits are set on a global basis in the administration console under Services / Web Email Protection / Options but the Storage Quota value can be overridden on a per user basis.

By clicking on the Web Email Protection user's account, you can choose the default quota or various values between 1 MB and 1 GB.

If just a few users are affected, raising the individual quotas is the easiest solution.

An additional problem with cluster members that process outbound email for Web Email Protection users but have the Web Email Protection service disabled is that those outbound email messages will be stored by the server for whatever the message retention period is set to (3 months by default). In a busy environment this can cause disk space issues.

To resolve the disk space issues as well as the quota issues, implement the offline_quota.sh script which is part of the product:

• On cluster members with Web Email Protection enabled, it saves the quota information and replicates the information to other cluster members.
• On cluster members with Web Email Protection disabled, it reads the quota information that has been saved by cluster members that have Web Email Protection enabled.
• On cluster members with Web Email Protection disabled it can also, optionally, delete Web Email Protection messages that are over 1 week old. This reduces disk space requirements.

To implement the script, please do the following.

On all cluster members that process Web Email Protection email, whether or not they have the Web Email Protection service enabled:

• Decide how frequently you need the script to run. Perhaps start by running it hourly and increase its frequency if required.
• To run the script hourly, ssh to each server and add a task to /etc/crontab.
• For example, to run the job hourly at 5 minutes past the hour from 6am to 6pm Monday to Friday, add this:

5 6-18 * * 1-5 root /usr/bin/offline_quota.sh  >& /dev/null

• Then restart crond:

pgpsysconf --restart crond

• On the second cluster member, add a similar entry but do not run it at precisely the same time.
• For example, run it at 15 minutes past the hour from 6am to 6pm Monday to Friday:

15 6-18 * * 1-5 root /usr/bin/offline_quota.sh  >& /dev/null

• Repeat this with all cluster members, ensuring that the job does not run at the same time on any cluster member.

Optionally, on all cluster members that process Web Email Protection email but have the Web Email Protection service disabled, purge messages older than 1 week by adding an additional entry to /etc/crontab:

• The script should be run daily. Decide what time of day you want to run it.
• For example, to run the purge job once a day at 5.10 am add this:

10 5 * * * root /usr/bin/offline_quota.sh purge >& /dev/null

• Then restart crond:

pgpsysconf --restart crond

After the cron job has run at least once, optionally check status with this command:

offline_quota.sh diag

Prior to upgrading Encryption Management Server, it is advisable to remove the script and then add it back after the upgrade. To remove the script, please do the following on each cluster member:

• Remove or comment out the relevant entries from /etc/crontab.
• Restart crond:

pgpsysconf --restart crond

• Run this command:

offline_quota.sh remove