An e-mail notification configured in a response rule is not received by the configured recipient. At the same time the incident history shows an "Incident Sent" entry, but its details read "Incident notification sent to null". Normally the same history entry reads "Incident notification sent to [email protected]".
There can be multiple reasons for this issue. This KB focuses on one scenario: the message size limit on the MTA (e.g. Exchange) is set too low to accommodate the e-mail notification sent by the Enforce server. The limit is typically reached when the "Include Original Message" property is enabled in the Response Rule, because the original violating file is then attached to the notification message. If the violating file is large enough that the message exceeds the MTA limit, delivery fails.
To confirm the cause (here, the size of the message), increase the logging level on the Enforce server. The configuration change below increases logging for mail events specifically.
1. Locate IncidentPersisterLogging.properties file on the Enforce server. It's located in the config directory of your Enforce installation directory, for example:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<VERSION>\Protect\config
2. Open the file in a text editor and add the below two lines to the end of the file:
com.symantec.dlp.incidentdomainservices.IncidentEmailService.level = FINEST
com.vontu.enforce.mail.MailClient.level = FINEST
3. In the same file find the below line:
java.util.logging.FileHandler.level = INFO
and change it to:
java.util.logging.FileHandler.level = FINEST
4. Restart the Symantec DLP Incident Persister service on the Enforce server.
Once the service has restarted, trigger an event that reproduces the notification delivery failure. Then navigate to the logs directory on the Enforce server, by default:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<VERSION>\logs\debug
Search the SymantecDLPIncidentPersister.log files for the keyword "MessagingException". Near that keyword the log also records the SMTP reply code together with its description. For example:
INFO | jvm 1 | 2024/07/03 15:47:51 | 552 5.3.4 Message size exceeds fixed maximum message size
INFO | jvm 1 | 2024/07/03 15:47:51 | DEBUG SMTP: got response code 552, with response: 552 5.3.4 Message size exceeds fixed maximum message size
INFO | jvm 1 | 2024/07/03 15:47:51 |
INFO | jvm 1 | 2024/07/03 15:47:51 | RSET
INFO | jvm 1 | 2024/07/03 15:47:51 | 250 2.0.0 Resetting
INFO | jvm 1 | 2024/07/03 15:47:51 | DEBUG SMTP: MessagingException while sending, THROW:
INFO | jvm 1 | 2024/07/03 15:47:51 | com.sun.mail.smtp.SMTPSendFailedException: 552 5.3.4 Message size exceeds fixed maximum message size
INFO | jvm 1 | 2024/07/03 15:47:51 |
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2358)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2110)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1316)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.enforce.mail.MailClient.doSendEmail(MailClient.java:143)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.enforce.mail.MailClient.sendEmail(MailClient.java:273)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.enforce.mail.MailClient.sendEmail(MailClient.java:373)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.incidenthandler.command.enforce.IncidentNotifier.sendEmail(IncidentNotifier.java:127)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.incidenthandler.command.enforce.Notify.executeImpl(Notify.java:170)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.incidenthandler.command.enforce.Notify.execute(Notify.java:89)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:844)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.command.CommandRuntime.executeInstructions(CommandRuntime.java:827)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.command.CommandRuntime.executeCommands(CommandRuntime.java:719)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.command.CommandRuntime.access$000(CommandRuntime.java:89)
INFO | jvm 1 | 2024/07/03 15:47:51 | at com.vontu.command.CommandRuntime$CommandExecutor.run(CommandRuntime.java:1224)
INFO | jvm 1 | 2024/07/03 15:47:51 | at edu.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:728)
INFO | jvm 1 | 2024/07/03 15:47:51 | at java.lang.Thread.run(Thread.java:750)
INFO | jvm 1 | 2024/07/03 15:47:51 | QUIT
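As an added example (not part of the original KB and not Symantec code), the following Python script parses Incident Persister log lines in the wrapper format shown above, extracts the SMTP reply code and enhanced status code from each SMTPSendFailedException, and flags the 552 / 5.3.4 case as the MTA size-limit scenario described in this KB. The sample log lines embedded in the script are constructed from the excerpt above plus one additional made-up failure (550 5.7.1) to show that the parser also surfaces other SMTP rejections; all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: wrapper-prefixed lines modelled on the excerpt above,
# followed by a second, made-up rejection that is not size related.
SAMPLE_LOG = """\
INFO | jvm 1 | 2024/07/03 15:47:51 | DEBUG SMTP: got response code 552, with response: 552 5.3.4 Message size exceeds fixed maximum message size
INFO | jvm 1 | 2024/07/03 15:47:51 |
INFO | jvm 1 | 2024/07/03 15:47:51 | RSET
INFO | jvm 1 | 2024/07/03 15:47:51 | 250 2.0.0 Resetting
INFO | jvm 1 | 2024/07/03 15:47:51 | DEBUG SMTP: MessagingException while sending, THROW:
INFO | jvm 1 | 2024/07/03 15:47:51 | com.sun.mail.smtp.SMTPSendFailedException: 552 5.3.4 Message size exceeds fixed maximum message size
INFO | jvm 1 | 2024/07/03 15:47:51 | QUIT
INFO | jvm 1 | 2024/07/03 16:02:10 | DEBUG SMTP: MessagingException while sending, THROW:
INFO | jvm 1 | 2024/07/03 16:02:10 | com.sun.mail.smtp.SMTPSendFailedException: 550 5.7.1 Unable to relay
"""

# "INFO | jvm 1 | <timestamp> | <message>" as written by the service wrapper.
WRAPPER_RE = re.compile(
    r"^\s*\w+\s*\|\s*jvm \d+\s*\|\s*(?P<ts>\S+ \S+)\s*\|\s?(?P<msg>.*)$"
)
# JavaMail reports the server reply as "<3-digit code> <enhanced code> <text>".
SMTP_FAIL_RE = re.compile(
    r"SMTPSendFailedException:\s*(?P<code>\d{3})\s+"
    r"(?P<esc>\d\.\d{1,3}\.\d{1,3})\s*(?P<text>.*)$"
)


@dataclass
class SmtpFailure:
    timestamp: str
    code: str       # basic SMTP reply code, e.g. "552"
    enhanced: str   # enhanced status code, e.g. "5.3.4"
    text: str       # server-supplied description


def find_smtp_failures(log_text: str) -> List[SmtpFailure]:
    """Return one SmtpFailure per SMTPSendFailedException found in the log."""
    failures = []
    for raw in log_text.splitlines():
        wrapped = WRAPPER_RE.match(raw)
        if not wrapped:
            continue  # not a wrapper line; skip
        hit = SMTP_FAIL_RE.search(wrapped.group("msg"))
        if hit:
            failures.append(SmtpFailure(wrapped.group("ts"), hit.group("code"),
                                        hit.group("esc"), hit.group("text").strip()))
    return failures


def diagnose(failure: SmtpFailure) -> str:
    """Map an SMTP rejection to the next troubleshooting step."""
    # 552 / 5.3.4 is the "message too big" reply; this is the scenario in the KB.
    if failure.code == "552" or failure.enhanced == "5.3.4":
        return ("MTA message size limit exceeded: raise the MTA limit or disable "
                "'Include Original Message' in the response rule")
    if failure.code.startswith("5"):
        return "permanent rejection, not size related: check MTA relay/recipient policy"
    if failure.code.startswith("4"):
        return "transient rejection: retry and check MTA availability"
    return "unrecognised SMTP reply"


def summarize(log_text: str) -> List[str]:
    """One human-readable line per failure, oldest first."""
    return [f"{f.timestamp} {f.code} {f.enhanced} {f.text} -> {diagnose(f)}"
            for f in find_smtp_failures(log_text)]


if __name__ == "__main__":
    # Point this at a real SymantecDLPIncidentPersister.log to triage it.
    for line in summarize(SAMPLE_LOG):
        print(line)
```

The script reads only the exception line, so a single grep for "SMTPSendFailedException" after raising the log level is enough to reproduce its result by hand; the wrapper prefix is stripped first because the timestamp is what lets you correlate the failure with the "Incident notification sent to null" history entry.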
Once done, revert the changes to the IncidentPersisterLogging.properties file and restart the Incident Persister service again, so the Enforce server does not keep writing FINEST-level logs.
There are two alternatives to resolve the issue:
1. Increase the message size limit on the MTA side to allow the Enforce server to send larger e-mails.
2. Uncheck the "Include Original Message" property in the response rule. The original file is then no longer attached to the configured message, so the Enforce server stops sending large notifications.