Messages are queued in the Messaging Gateway (SMG) Delivery queue for the DLP route with an SMTP status indicating that the SMTP session timeout has been exceeded:

421 4.4.2 Service timed out

When SMG is configured to relay messages through DLP Email Prevent in "reflect mode", Messaging Gateway attempts to route all outbound messages through DLP Prevent which proxies the SMTP connection back to the Messaging Gateway Outbound SMTP listener. When SMG connects to DLP Prevent, DLP Prevent immediately connects back to the Outbound SMTP listener. If it takes DLP longer than the Messaging Gateway Outbound SMTP session timeout (default 30 seconds) to scan the message, the Outbound SMTP listener will close the SMTP session with the service timed out response which is then proxied back through DLP to the Messaging Gateway Delivery MTA.

The central issue is that DLP Prevent is taking longer than the SMG SMTP session timeout to scan the message content.

This issue may be resolved by extending the SMG SMTP session timeout for both the Delivery MTA and for the Outbound SMTP listener:

1. Log into the SMG Control Center as an administrator
2. Increase the Outbound SMTP session timeout in Administration > Configuration > hostname > SMTP > Advanced Settings > Outbound > Session Timeout from the default of 30 seconds to 60 seconds.
3. Click Continue
4. Click Apply settings to all Scanners if more than one SMG scanner is processing outbound email
5. Click Save

If the issue continues after extending the SMG Outbound listener session timeout, the DLP Prevent server should be investigated to determine why DLP is taking longer than expected to scan some messages.