Symantec Data Loss Prevention (DLP) E-mail Prevent
DLP Email Prevent is unable to process emails when working in conjunction with a Cisco IronPort Message Transfer Agent in reflecting mode.
Request processor logs show the following:
Nov 11, 2017 1:09:29 AM com.vontu.mta.rp.ESMTPRequestProcessorThread handlePeerDisconnect
WARNING: RPT(28): Disconnect from sending peer RPT(28)[9ff991ed-d557-4198-a7f4-768c094ce023|S:[/###.###.###.###:10025 -> /###.###.###.###:26880]
Nov 11, 2017 1:09:29 AM com.vontu.mta.rp.ESMTPRequestProcessorThread logSMTPError
INFO: {message=Message will be aborted. Sending peer disconnected. Sending error to sending peer., SMTPMessageHeaderId=Nil, UpstreamDisconnect=421 4.3.0 Fatal: Processing error. Closing connection., ConnectionSecurityType=NO_TLS, MessageUid=Nil, ConnectionId=ab98466d-b911-4f60-9da8-80065db02055}
Nov 11, 2017 1:09:29 AM com.vontu.mta.rp.ESMTPRequestProcessorThread logSMTPError
INFO: {message=Message will be aborted. Sending peer disconnected. Sending error to sending peer., SMTPMessageHeaderId=Nil, UpstreamDisconnect=421 4.3.0 Fatal: Processing error. Closing connection., ConnectionSecurityType=NO_TLS, MessageUid=Nil, ConnectionId=ab98466d-b911-4f60-9da8-80065db02055}
Analyzing the SMTP Prevent operational logs, we see:
11/Nov/17:01:26:06:269-0600 [SEVERE] (SMTP_CONNECTION.5205) Could not create listener (address=0.0.0.0:25 reason=java.net.SocketException: Permission denied)
11/Nov/17:00:28:08:218-0600 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=29 cid=befc6736-9968-4ea7-8fa5-74871a9b0e50 local=###.###.###.###:10025 remote=###.###.###.###:45924)
11/Nov/17:00:28:08:241-0600 [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=29 cid=<> reason=Connection refused)
Scenario:-
Note: This can affect ALL versions of DLP.
When analyzing the SMTP Prevent operational logs, we see "Permission denied" in the error message.
Root Cause:- Relay permissions for the Network Prevent for Email servers were missing on the Cisco IronPort MTA servers.
After giving relay permissions for Network Prevent for Email servers on Cisco IronPort MTA servers, email started to flow.
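To spot this condition quickly in a larger SMTP Prevent operational log, the following added example (not Symantec code) parses the line layout seen above and lists each SEVERE event with its reason, linking a forward-host failure back to the accepted connection. The line layout is inferred from the three lines on this page, and correlating on the tid field is an assumption that it ties both lines to the same handler.

```python
import re

# Layout inferred from the operational log lines on this page:
#   <timestamp> [LEVEL] (COMPONENT.CODE) message (key=value ...)
LINE_RE = re.compile(r"^(\S+) \[(\w+)\] \((\w+)\.(\d+)\) (.*?) \((.*)\)$")
# Values can contain spaces, so a value runs to the next " key=" or the end.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Lines copied from the page (addresses are already masked there).
SAMPLE = """\
11/Nov/17:01:26:06:269-0600 [SEVERE] (SMTP_CONNECTION.5205) Could not create listener (address=0.0.0.0:25 reason=java.net.SocketException: Permission denied)
11/Nov/17:00:28:08:218-0600 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=29 cid=befc6736-9968-4ea7-8fa5-74871a9b0e50 local=###.###.###.###:10025 remote=###.###.###.###:45924)
11/Nov/17:00:28:08:241-0600 [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=29 cid=<> reason=Connection refused)
"""

def parse(line):
    """Split one operational log line into its parts, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, component, code, message, kv = m.groups()
    return {"ts": ts, "level": level, "component": component,
            "code": int(code), "message": message,
            "fields": dict(KV_RE.findall(kv))}

def triage(text):
    """Return one finding per SEVERE event, in file order."""
    accepted, findings = {}, []
    for ev in filter(None, map(parse, text.splitlines())):
        f = ev["fields"]
        if ev["code"] == 1201:            # "Connection accepted" on this page
            accepted[f.get("tid")] = f    # remember it by tid (assumption)
        elif ev["level"] == "SEVERE":
            conn = accepted.get(f.get("tid"), {})
            findings.append({
                "ts": ev["ts"], "code": ev["code"], "message": ev["message"],
                "reason": f.get("reason"),
                # listener the failure relates to: the accepted connection's
                # local side, or the address the server failed to bind
                "listener": conn.get("local") or f.get("address"),
                "cid": conn.get("cid"),   # the SEVERE line itself logs cid=<>
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "Connection refused" finding on the forward hosts is the one that matched the missing relay permissions described in the root cause.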