Operation of the Messaging Gateway DLP Bypass feature
Article ID: 161883
When implementing the Data Loss Prevention (DLP) integration in Messaging Gateway (SMG), the DLP Bypass feature allows Messaging Gateway to deliver messages outbound when specific issues occur while attempting to deliver messages to DLP for processing. This prevents the accumulation of delayed messages on the SMG appliance in situations where the DLP infrastructure is either unreachable or may be overloaded.
DLP Bypass is triggered only under the following conditions:
- SMG cannot establish a TCP connection to the DLP host and port configured in Content->DLP Connect, for any reason, including the following:
  - DLP servers are offline
  - No IP route to DLP is available
  - Firewall rules prevent a TCP connection to the configured host and port
  - DLP servers are running but not listening on the configured TCP port
- A TCP connection is established to a configured DLP host but the SMTP session times out, and no other configured DLP server can be connected to via TCP (for any of the reasons listed above).
The following conditions will not trigger DLP Bypass:
- SMG can establish a TCP connection to the DLP host or hosts, but the application-level SMTP connection is deferred. The message is queued on SMG for redelivery to DLP at a later time.
- Email delivery to DLP results in an SMTP 4xx response from the DLP server to any part of the SMTP conversation. The message is queued on SMG for redelivery to DLP at a later time.
- Email delivery to DLP results in an SMTP 5xx response from the DLP server to any part of the SMTP conversation. The message is bounced, i.e. removed from the SMG queue and a delivery status notification is sent to the sender.
- A TCP connection is established to a configured DLP host and the SMTP session times out, but another configured DLP host can be connected to via TCP.
- Transport Layer Security (TLS) secured delivery to DLP is required but a TLS session cannot be negotiated between SMG and DLP.
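The distinction the two lists above draw is between failures at the TCP layer (bypass) and responses at the SMTP layer (queue or bounce, never bypass). The following Python probe is an added example, not code from the Broadcom article or from SMG itself: it connects to each DLP host the way SMG would, records whether the TCP connection failed, the SMTP greeting timed out, or a greeting arrived, and then applies the bypass rules to the per-host outcomes. This is useful when diagnosing why messages are queuing instead of bypassing. All host names, ports and banner strings are constructed for the example; the function names are the example's own, and the probe does not model the TLS condition. Where several hosts accept TCP but all time out at SMTP level, the article does not state the outcome, so the decision function reports that case as undetermined rather than guessing.

```python
# Added example (not from the Broadcom article or SMG's own code): probe each
# configured DLP host the way the bypass rules distinguish outcomes, then decide
# whether those outcomes fall in the "bypass" or "no bypass" group.
# Host names, ports and banner strings are assumptions / constructed for the example.
import socket
import threading

TCP_CONNECT_FAILED = "tcp_connect_failed"    # bypass condition (offline, no route, firewall, not listening)
SMTP_BANNER_TIMEOUT = "smtp_banner_timeout"  # bypass only if no other host is reachable via TCP
SMTP_BANNER = "smtp_banner"                  # DLP answered at SMTP level: never bypass


def probe_dlp_host(host, port, timeout=5.0):
    """Connect to a DLP listener and wait for its SMTP greeting.

    Returns (outcome, detail): outcome is one of the three constants above,
    detail is the OS error text or the banner line received.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # refused connections, unreachable routes and name-resolution failures all land here
        return TCP_CONNECT_FAILED, str(exc)
    try:
        sock.settimeout(timeout)
        data = sock.recv(512)
    except socket.timeout:
        return SMTP_BANNER_TIMEOUT, ""
    except OSError as exc:
        return TCP_CONNECT_FAILED, str(exc)
    finally:
        sock.close()
    return SMTP_BANNER, data.decode("ascii", errors="replace").strip()


def classify_banner(banner):
    """Map the SMTP reply code at the start of a line to the SMG handling the article describes."""
    code = banner[:3]
    if not code.isdigit():
        return "unknown"
    if code.startswith("4"):
        return "queue"   # 4xx: queued on SMG for redelivery to DLP
    if code.startswith("5"):
        return "bounce"  # 5xx: removed from the queue, DSN sent to the sender
    return "proceed"     # 2xx greeting: the SMTP conversation continues normally


def bypass_decision(results):
    """Apply the bypass rules to per-host outcomes, in the order the hosts were tried.

    Returns "bypass", "no_bypass" or "undetermined" (the article does not say what
    happens when several hosts accept TCP but all time out at SMTP level).
    """
    outcomes = [outcome for outcome, _ in results]
    if not outcomes:
        return "undetermined"
    if SMTP_BANNER in outcomes:
        return "no_bypass"  # some host answered at SMTP level: queue or bounce applies
    if outcomes.count(SMTP_BANNER_TIMEOUT) <= 1:
        return "bypass"     # nothing reachable, or one timeout with every other host unreachable
    return "undetermined"


def free_port():
    """A localhost port with nothing listening on it (constructed 'DLP server offline' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_fake_dlp_listener(banner=None, hold=2.0):
    """One-shot localhost listener: silent if banner is None, otherwise sends the banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if banner is not None:
                conn.sendall(banner.encode("ascii") + b"\r\n")
            conn.settimeout(hold)
            try:
                conn.recv(1)  # keep the connection open until the client closes or hold expires
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    offline = free_port()
    silent = start_fake_dlp_listener()
    deferring = start_fake_dlp_listener("421 dlp.example.internal Service not available")  # constructed banner
    hosts = [("127.0.0.1", offline), ("127.0.0.1", silent), ("127.0.0.1", deferring)]
    results = [probe_dlp_host(h, p, timeout=0.5) for h, p in hosts]
    for (h, p), (outcome, detail) in zip(hosts, results):
        print(f"{h}:{p} -> {outcome} {detail} {classify_banner(detail) if outcome == SMTP_BANNER else ''}")
    print("decision:", bypass_decision(results))
```

Run against real DLP hosts by replacing the constructed localhost listeners with the host and port values from Content->DLP Connect; a result of `smtp_banner` with a 4xx code explains a growing SMG queue without bypass, whereas `tcp_connect_failed` on every host is the situation in which bypass is expected.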