KMS 6.7.2 + McAfee Email Web Security Appliance EWSA = no 4.4.2 Connection Lost error (When sending large attachments (8mb+) getting Connection Lost Error, and messages are staying in queue, for re-sending)
d.

Hi Kerio Folks.

We've got a McAfee Email Web Security appliance (EWSA) and it transparently scans incoming / outgoing traffic on our network, for nasties etc.

The Kerio Mail Server and the McAfee appliance work well together OK, except we've noticed that large attachments (e.g. 8mb+) result in a 4.4.2 Connection Lost error, and the message ends back up in the mail sending queue on the KMS box, for resending. I.e. the large message doesn't completely send.

We've stopped the KMS box, and upped the SMTP and SMTPS time limits (from 120 secs, to high numbers such as 5 or 10 minutes worth), and re-started the services, but still no joy. Large messages don't send.

After 2 minutes of attempting to send, the Connection Lost 4.4.2 outcome occurs.

Removing the McAfee appliance from the setup (or setting up a transparent rule to avoid scanning that particular destination) works, but then no extra scanning occurs. Kinda defeats the purpose of having the appliance in place.

Does anybody else have a similar setup, or had a similar time-out of around 2 minutes / 120 seconds, when doing some extra security scanning / extra hops in their network?

Any assistance greatly appreciated...
Cheers,
D.

PS. Kerio Mail Server v6.7.2, Mac OS X 10.5.8 Server, Intel XServe 4GB RAM etc.
freakinvibe

Can you switch on "SMTP client" in the KMS debug log, send a big attachment and post the relevant content here? I don't have this appliance but I know that appliances can clash with mail servers when they try to be extra clever.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
d.

Yes, certainly. Here is one I prepared earlier... (Domain names changed to protect the innocent).

Problem happens with any large attachments, to any recipients. (The example below is to a "me.com" address, but the same would occur to any other address that accepts 8mb+ messages).

Cheers,
D.

[09/Nov/2009 05:13:45][2982948864] {smtpc} Connected to smtp-mx003.me.com
[09/Nov/2009 05:13:46][2982948864] {smtpc} Received greeting: 220 appliance.domain.com EWSA3100/SMTP Ready.
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sending EHLO
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sent MAIL command
[09/Nov/2009 05:13:46][2982948864] {smtpc} Got reply: 250 2.5.0 Address Ok.
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sent RCPT TO: <customer-name<_a.t_>me.com>
[09/Nov/2009 05:13:46][2982948864] {smtpc} Got reply: 250 2.1.5 customer-name<_a.t_>me.com OK.
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sent DATA command
[09/Nov/2009 05:13:46][2982948864] {smtpc} Got reply: 354 Enter mail, end with "." on a line by itself.
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sending message body...
[09/Nov/2009 05:15:47][2982948864] {smtpc} SMTP connection closed while reading SMTP reply
[09/Nov/2009 05:15:47][2982948864] {smtpc} Connection to SMTP server smtp-mx003.me.com lost: (35) Resource temporarily unavailable
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Result for recipient customer-name<_a.t_>me.com: delayed, Status: 4.4.2 Connection lost
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Batch of 1 recipients for domain me.com processed, totally processed 1 recipients
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Delivery to domain me.com finished, 1 recipients processed
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Delivery finished
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Queue run finished
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_FWD: No outgoing messages in queue
[09/Nov/2009 05:15:47][2982948864] {qproc} End of mail queue processing
[09/Nov/2009 05:15:47][2982948864] {qproc} Starting ETRN download session...
[09/Nov/2009 05:15:47][2982948864] {qproc} No ETRN download set
[09/Nov/2009 05:15:47][2982948864] {smtpc} Connected to relay server mail.isp-domain.net
[09/Nov/2009 05:15:47][2982948864] {smtpc} Received greeting: 220 appliance.domain.com EWSA3100/SMTP Ready.
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sending EHLO
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sent MAIL command
[09/Nov/2009 05:15:47][2982948864] {smtpc} Got reply: 250 2.1.0 Ok
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sent RCPT TO: <customer-name<_a.t_>me.com>
[09/Nov/2009 05:15:47][2982948864] {smtpc} Got reply: 250 2.1.5 Ok
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sent DATA command
[09/Nov/2009 05:15:47][2982948864] {smtpc} Got reply: 354 Enter mail, end with "." on a line by itself.
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sending message body...
[09/Nov/2009 05:17:05][2993655808] {smtpc} SMTP connection closed while reading SMTP reply
[09/Nov/2009 05:17:05][2993655808] {smtpc} Connection to SMTP server mail.isp-domain.net lost: (35) Resource temporarily unavailable
[09/Nov/2009 05:17:05][2993655808] {qproc} SEND_RELAY: Result for recipient customer-name<_a.t_>me.com: delayed, Status: 4.4.2 Connection lost
[09/Nov/2009 05:17:05][2993655808] {qproc} SEND_RELAY: Starting transaction
[09/Nov/2009 05:17:06][2993655808] {smtpc} Received greeting: 220 appliance.domain.com EWSA3100/SMTP Ready.
[09/Nov/2009 05:17:06][2993655808] {smtpc} Sending EHLO
[09/Nov/2009 05:17:06][2993655808] {smtpc} QUIT sent, got reply: 221 Closing connection.
[09/Nov/2009 05:17:06][2993655808] {qproc} SEND_RELAY: Transaction finished
[09/Nov/2009 05:17:06][2993655808] {qproc} SEND_FWD: No outgoing messages in queue
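
To turn a debug log like the one above into evidence about which timer is firing, here is an added Python example (mine, not Kerio's code) that pairs each "Sending message body..." record with the next "Connection ... lost" record and reports how long the DATA phase lasted; the embedded log is a constructed sample in the same shape, with the recipient address simplified.

```python
import re
from datetime import datetime

# Kerio debug log record: [timestamp][thread id] {module} message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\d+)\] \{(\w+)\} (.*)$")
TS_FMT = "%d/%b/%Y %H:%M:%S"
LOST_RE = re.compile(r"Connection to SMTP server (\S+) lost")

# Constructed sample in the shape of the posted log (recipient address simplified).
SAMPLE_LOG = """\
[09/Nov/2009 05:13:46][2982948864] {smtpc} Sending message body...
[09/Nov/2009 05:15:47][2982948864] {smtpc} SMTP connection closed while reading SMTP reply
[09/Nov/2009 05:15:47][2982948864] {smtpc} Connection to SMTP server smtp-mx003.me.com lost: (35) Resource temporarily unavailable
[09/Nov/2009 05:15:47][2982948864] {qproc} SEND_MX: Result for recipient user@me.com: delayed, Status: 4.4.2 Connection lost
[09/Nov/2009 05:15:47][2982948864] {smtpc} Sending message body...
[09/Nov/2009 05:17:05][2993655808] {smtpc} SMTP connection closed while reading SMTP reply
[09/Nov/2009 05:17:05][2993655808] {smtpc} Connection to SMTP server mail.isp-domain.net lost: (35) Resource temporarily unavailable
"""

def parse_line(line):
    """Return (timestamp, module, message), or None for a line that is not a log record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(3), m.group(4)

def data_phase_durations(log_text):
    """Pair each 'Sending message body...' with the next 'Connection ... lost' record and
    return [(server, seconds)]. Thread ids are ignored on purpose: in the posted log the
    second close is logged under a different thread than the send it belongs to."""
    results, started = [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, module, msg = rec
        if module == "smtpc" and msg.startswith("Sending message body"):
            started = ts
        elif module == "smtpc" and started is not None:
            m = LOST_RE.search(msg)
            if m:
                results.append((m.group(1), int((ts - started).total_seconds())))
                started = None
    return results

def near_timeout(durations, timeout=120, slack=5):
    """Keep DATA phases that ended within `slack` seconds of a fixed timeout; a cluster
    there points at a timer (KMS TcpTimeout, the appliance, or the peer), not at the link."""
    return [(srv, secs) for srv, secs in durations if abs(secs - timeout) <= slack]
```

On the sample, only the first attempt (121 s) sits at the 120 s mark; the relay attempt was cut after 78 s, so the two failures are not necessarily the same timer.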

freakinvibe

How is that exactly working, have you configured KMS so the appliance is the relay host? Or is the appliance working as a gateway and just inspecting the traffic in transit?

The most probable cause seems to be that the appliance is holding back the mail body until the full body is sent so it can inspect the attachment as a whole. If the receiving mail server doesn't get anything for longer than two minutes, it will cut off the connection.

Have you checked all the settings of the appliance? Any timeouts, keep-alive settings you can change?

Also, does it produce any logs you could post here?

It would also be interesting to see the logs of the receiving server. Can you send me a mail with a huge attachment to mail at wdr dot org. I can then analyse the log and see why the connection is cut off.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
d.

Hi there.

The KMS can't get to the outside world without going through the appliance. But the appliance is transparent to the KMS (doesn't know it's there). So, the appliance is inspecting the traffic on the way through.

Yes, it seems that if the receiving mail server isn't getting enough data, then it appears to be cutting the connection.

Yes, been going through the appliance with a fine-tooth comb (and working with McAfee Support too). Trying everything from time-out settings, to obscure settings (on appliance, in KMS config file). The appliance logs are a little tricky to get at. The McAfee support people have also noted that the connection gets cut at the magic 2 minute / 120 second mark.

We generally use our ISP's mail server as a relay for sending mail. We've also been trying without this setting (in KMS -- so that KMS sends directly using MX records).

Test email on its way...

Cheers,
D.

[Updated on: Wed, 11 November 2009 00:31]


freakinvibe

Got your mails, but my debug log was configured wrongly. I corrected that. Can you send again?

Thanks,

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
d.

Yes, certainly... On its way.

I'm also checking with KMS Support, re the "final dot" of when a message is sent. Traffic analysis is apparently showing that the KMS is sending the "final dot" at exactly 2 minutes (120 seconds) after the message was initiated.

So, it could be that this time-out for the final dot might be the culprit.

Cheers,
D.

freakinvibe

Thanks for sending a big test mail. On the receiving end I see the following error in the log:

Command DATA failed: Connection closed by remote host x.x.x.x prematurely.

I guess the appliance never gets the end of the data command, so it can't pass the DATA on to the receiving server. I don't know why the appliance doesn't detect the end of data properly, which must be <CRLF>.<CRLF>

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
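
The end-of-data detection freakinvibe refers to is easy to get wrong on a relay that reads the body in chunks. As an added illustration (my own code, not Kerio's or McAfee's), this Python reader finds the CRLF.CRLF terminator even when a read boundary splits it, treats a dot-stuffed ".." line as body rather than as the terminator, and undoes the stuffing; the chunked input at the bottom is constructed.

```python
# Streaming end-of-DATA detector for an SMTP relay or proxy (RFC 5321 section 4.5.2).
TERMINATOR = b"\r\n.\r\n"   # the "final dot": CRLF '.' CRLF

def unstuff(raw):
    """Strip the transparency dot a sender prepends to body lines that start with '.'."""
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in raw.split(b"\r\n"))

class DataReader:
    """Accumulates DATA bytes chunk by chunk and spots the terminator even when a read
    boundary splits it, which a per-chunk endswith() check cannot do."""

    def __init__(self):
        # Virtual leading CRLF so an empty body (just ".\r\n") terminates correctly.
        self._buf = b"\r\n"
        self.body = None   # unstuffed body, set once the terminator has been seen

    def feed(self, chunk):
        """Consume a chunk. Returns the bytes after the terminator (the next command,
        possibly empty) once DATA is complete, or None while more body is expected."""
        if self.body is not None:
            raise ValueError("DATA phase already finished")
        # Only rescan the tail: a terminator can begin at most 4 bytes before the new data.
        search_from = max(0, len(self._buf) - (len(TERMINATOR) - 1))
        self._buf += chunk
        idx = self._buf.find(TERMINATOR, search_from)
        if idx < 0:
            return None
        # Drop the virtual CRLF; keep the CRLF that ends the last real line.
        self.body = unstuff(self._buf[2:idx + 2])
        return self._buf[idx + len(TERMINATOR):]

def read_data(chunks):
    """Feed chunks in order; return (body, leftover) or (None, None) if the final dot never arrives."""
    reader = DataReader()
    for chunk in chunks:
        rest = reader.feed(chunk)
        if rest is not None:
            return reader.body, rest
    return None, None

def naive_is_end(chunk):
    """The per-read check a buggy relay might use: misses a terminator split across reads."""
    return chunk.endswith(TERMINATOR)

if __name__ == "__main__":
    chunks = [b"line1\r\n..\r\nline2\r", b"\n.", b"\r\nQUIT\r\n"]   # constructed input
    print(read_data(chunks))                     # body with the '.' line restored, leftover b'QUIT\r\n'
    print(any(naive_is_end(c) for c in chunks))  # False: the naive check never sees the end
```

A relay that only runs the naive check on each read never sees the final dot for this input and keeps waiting for more body, which is exactly the state in which the upstream server's idle timer expires.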
d.

Hi Folks.

Yes, it looks as though the connection is terminating early -- not all the data is being sent. I'll keep following up with Kerio support re a time-out setting on the KMS for sending the final dot.

Cheers,
D.

d.

An update for everyone...

KMS support kindly offered a work-around to the KMS 2 minute time-out issue. There is a setting in the KMS config file, which is the overall TCP time-out (default 2 minutes).

By upping this value, it does raise all your TCP time-out values. But it also updates your SMTP final dot time-out.

So, if you put this TCP time-out value (listed near the very start of your KMS Config file), that appears to fix the problem of the Connection Lost message after 2 minutes.

KMS support have raised a bug report for this (i.e. to make a specific SMTP final dot time-out setting). But for now, this does the trick.

(Once it's fully fixed, just remember to set back the TCP Time out to 2 minutes).

Now, if only I could get more of my major client's server admins to have larger incoming thresholds (e.g. 20mb messages!)

Cheers,
D.

kurashige

Hi, the default value of TCP timeout at my Kerio webmail 6.7.2 is 2. Is it seconds or minutes? So I should change it to 120, which is equal to 2 minutes?
d.

Hi there.

The default time-out should be two minutes, and is represented in seconds. E.g. "120".

If your server config says "2", then that's a mighty short time-out. That's barely enough time for a hand-shake, let alone anything else.

Yes, 120 should be a minimum. Increase it further (higher) if you have security appliances that scan traffic in depth before sending on the full message. Otherwise, the recipient's server will time out, thinking that you've finished sending / gone off the air. And your messages won't send.

Exact value will vary, but as a guide, if you are scanning a 50mb file, and other traffic, you're going to need more than 2 minutes (e.g. try 500, 750 or 1000 seconds), especially if the security appliance is trickling data to the external server, or, if you, or the destination server, are on a slow internet link.

Cheers,
D.

kurashige

Hi dy-e! thanks for that quick response!

I would like to confirm before I proceed with the change...

I will change TcpTimeout from 2, change to, 1000 (example variable)...

and not the RecvTimeout and/or SendTimeout, for a specific service, that is set to 120 (seconds) at default.

d.

Howdy kurashige and forum folks.

Thanks for specifying the exact fields you are looking to change... That makes a big difference.

OK, TcpTimeout. My primary server is set to 15. Could well be seconds. Other settings are. But I'm under the impression now that that field is in minutes.

There are also "RecvTimeout" and "SendTimeout" settings... I have 1500 for those (e.g. under SMTP, SMTPS), but 240 for IMAP. (We use IMAP, and no POP).

Just to check... Are you looking to change these values because of a security appliance issue (messages timing out)? Or are you attempting to resolve some other issue?

Cheers
D.

kurashige
Actually I'm into message timing out, having connection lost after failed attempts to send a message under Message Queue Processing. I already disabled the virus scanning, still having some problems sending the file (with attachment), like to Yahoo. Although proper Reverse DNS and SPF were already set by the ISP provider and into the Domain. To others, we have no problem. So I'm having thoughts on tweaking some of the timeouts to observe and somehow know why sending seems unending to Yahoo.

EDITED: We are using SMTP and POP3. There is no problem with the internet connection. We have 1 server both for SMTP and POP3.

[Updated on: Wed, 28 April 2010 06:46]
