Error: "Abort message" entries in Message Audit Log (MAL)

book

Article ID: 177182

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Some entries in the Message Audit Log (MAL) for Symantec Messaging Gateway (SMG) display "Abort message" as the Action, with no verdict.

Cause

This symptom occurs when a connection is interrupted during the message transmission, after the MAIL FROM, before completion of the DATA command within the SMTP conversation.

Possible underlying causes:

  • The SMTP conversation was disrupted by a firewall, router, or other upstream networking device. This is frequently due to upstream devices which perform filtering at the SMTP protocol layer. This can introduce errors and delays that exceed the configured constraints within Symantec Messaging Gateway.
  • The MTA portion of the product disconnected the SMTP connection before the end of the DATA command is reached. This is typically due to violation of a configured constraint within Symantec Messaging Gateway, such as maximum allowed message size.

Resolution

Contents

While you can resolve these symptoms in multiple ways, based on the underlying cause, Symantec recommends the order in which they appear.

Restart the SMG operating system

See Restarting the Symantec Messaging Gateway appliance from DRAC gracefully.

See Restarting the Symantec Messaging Gateway appliance with DRAC forcefully.

Disable firewall features which perform SMTP filtration or proxying

For directions specific to your firewall model, please contact your firewall manufacturer.

Increase connection timeouts and disable reverse lookups within SMG

Though not recommended, you may also try to resolve the issue by increasing the Connection Timeout value for the SMTP conversation.

Note: Symantec does not recommend setting the Connection Timeout higher than 5 minutes.

To change the Connection Timeout and Reverse DNS lookup behavior

  1. Log in to the Symantec Messaging Gateway console.
  2. Click the Administration tab.
  3. In the left menu, under Hosts, click Configuration.
  4. Select the host you want to modify, and click Edit.
  5. Click the SMTP tab.
  6. Click Advanced Settings.
    • For Inbound Messages:
      1. Click the Inbound tab
      2. Increase Session Timeout to 5 minutes (default is 30 seconds).
      3. Uncheck Enable Reverse DNS lookup.
      4. Apply the changes.
    • For Outbound Messages:
      1. Click Outbound tab
      2. Increase Session Timeout to 5 minutes (default is 30 seconds).
      3. Uncheck Enable Reverse DNS lookup.
      4. Apply the changes.
    • For Delivery Messages:
      1. Click the Delivery tab.
      2. Increase Connection Timeout to 5 minutes (default is 30 seconds).
  7. Click Continue.
  8. Click Save.

Additional technical information

Well-known examples of SMTP filtration features within non-Symantec firewall products include, but are not limited to:

  • Application Intelligence for SMTP within Checkpoint NG Firewall
  • Smart defense for SMTP within Checkpoint Firewalls
  • ESMTP Inspect on Cisco ASA 7.xx or later (enabled by default)
  • Mailguard and ESMTP Inspect within Cisco PIX

If the default timeout of 30 seconds is exceeded, the appliance's MTA terminates the SMTP conversation before the entire DATA portion of the message is received. This behavior results in partial entries in the Mail Audit Log.

Firewalls which scan or proxy SMTP traffic to ensure that the traffic is valid can hold the connection and cause it to fail. This issue is due to the timeout values built into the appliance MTA to prevent denial-of-service attacks. Firewall devices which do not support ESMTP commands may also cause disconnects.