This article applies to:

• Trustwave MailMarshal (SEG)
• Trustwave ECM/MailMarshal Exchange

Symptoms:

• MailMarshal size-limit rules are not working as expected.
• Attachments, which Microsoft Windows shows as being under the blocked file size, are being blocked.
• MailMarshal is blocking attachments that are under the blocked file size.

Causes:

Details:

The following is a description of the three different size-limit rules that the MailMarshal engine uses.  Each rule arrives at a file size limit by different means and each rule has both pros and cons.

Total Message size - Where message size is greater than x KB
This rule condition relates to the size of the complete message file. Note that when attachments are encoded for SMTP transport (in MIME, Base64, or some other mechanism used to carry the attachment data) the resultant message is typically larger than the original attachment. When creating a Message Size rule, expect the message to be around 20% - 30% larger than the attachment itself. For example, an 18MB attachment will almost always trigger the condition Where message size is greater than 20480 KB.

• Pro: This size condition relates to the true bandwidth required to deliver the message.
• Con: End users might find it confusing that the rule does not relate directly to attachment size.

Individual attachment size - Where message attachment size is greater than x KB
This rule condition relates specifically to the maximum size of any single attachment within the message. MailMarshal evaluates the size of each attachment after all unpacking, unzipping, etc. is complete. An attachment size may therefore appear larger than the original due to decompression of archive files. In addition, this size condition applies to individual attachments only, and not the sum of all attachments.

• Pro: This size condition relates directly to attachment size.
• Con: This size condition does not relate to the bandwidth required to deliver the message.
• Con: This size condition applies to individual attachments only. For example, a message with six 9MB attachments would not trigger a 10MB limit, because each individual attachment is below the size limit.
• Con: MailMarshal unpacks zip files and checks the size condition against unpacked files. Thus the size condition could trigger on the unpacked file even when the attached zipped file is well within size limits. This can be overcome by adding the extra condition "Where attachment parent is not of type: 'ARCHIVE'".

Bandwidth required to deliver message - Where the estimated bandwidth required to deliver the message is greater than x KB.
This condition is a product of Total Message Size and the number of different domains / connections required to deliver the message. As such it is an entirely accurate estimate of the total bandwidth required to deliver the message. For example, a 4MB message sent to 6 different domains results in an estimated bandwidth of 24 MB.

• Pro: This is the most accurate means of determining the bandwidth needed to deliver the message over an Internet connection.
• Con: A smaller message can easily trigger a much larger bandwidth limit if that message is sent to many domains.
• Con: End users might find it confusing that the rule does not relate directly to attachment size.
• Con: With MailMarshal Exchange scanning internal traffic, the domain delivery is probably not relevant to local delivery.

This article was previously published as:

NETIQKB29556

Marshal KB364