Maximum encrypted message size

Answered Question
Apr 10th, 2012

Hi all,

What is the largest size message that can be encrypted by the IronPort ESA PXE engine?  Is this a configurable parameter?

Thanks very much,

- Steve

mkwilosz@pronet... Thu, 04/12/2012 - 15:31

I actually have the same question and I'm looking for an answer also.

I believe from the testing I've done that the current default PXE size is set to an encrypted size of 10MB. I believe this was put into place when version 7.6 of AsyncOS was rolled out.  I also assume the reason this was put into place was because of a common issue we were experiencing where customers of ours would try to send out extremely large emails that required encryption and it would effectively make our Ironport become unresponsive to the point that we would have to manually hard power cycle them.  Also bringing up the question again of why don't our C370s have DRAC cards in them.  I have yet to figure out if there is a way to adjust this size.

I sent in a support case to ask for the same information.  If I receive a reply back I'll update you.

Thanks,

Mike

RSteveKadish Thu, 04/12/2012 - 17:31

Hi Mike,

Coincidentally, I got an answer on this just today from IronPort Support:

Starting with the 7.6.0-444 version, the size limit has been changed to 10MB as the previous size limit of 40MB was causing too many issues such as the encryption engine locking up so therefore the limit was reduced. For the 10MB size limit about 20% also needs to be accounted for MIME inflation so the actual limit is really about 8MB.

- Steve
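The following is an added example, not part of the original thread and not Cisco code: a pre-send check that measures how much a binary attachment grows once it is MIME-encoded and compares the result with the 10MB limit quoted above. It assumes the limit applies to the encoded message, that attachments are base64 encoded, and that "MB" means binary megabytes; none of this is confirmed in the thread, and the addresses, file name and the `overhead` allowance are constructed.

```python
from email import policy
from email.message import EmailMessage

PXE_LIMIT = 10 * 1024 * 1024  # 10MB limit from the thread; binary megabytes assumed


def build_message(attachment: bytes) -> EmailMessage:
    """Constructed sample message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # constructed address
    msg["To"] = "recipient@example.com"      # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    # A bytes attachment is base64 encoded by the email package by default.
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg


def wire_size(msg: EmailMessage) -> int:
    """Size in bytes of the message as serialized for SMTP (CRLF line ends)."""
    return len(msg.as_bytes(policy=policy.SMTP))


def inflation(raw_len: int, msg: EmailMessage) -> float:
    """Fractional growth of the encoded message over the raw attachment."""
    return wire_size(msg) / raw_len - 1.0


def fits_limit(msg: EmailMessage, limit: int = PXE_LIMIT) -> bool:
    """True when the encoded message is within the size limit."""
    return wire_size(msg) <= limit


def max_raw_attachment(limit: int = PXE_LIMIT, overhead: int = 2048) -> int:
    """Estimate the largest raw attachment that still fits under the limit.

    base64 turns every 57 raw bytes into a 76-character line plus CRLF
    (78 bytes on the wire). `overhead` is an assumed allowance for the
    headers and text body.
    """
    return (limit - overhead) // 78 * 57


if __name__ == "__main__":
    raw = bytes(range(256)) * 4096  # 1 MiB of constructed binary data
    sample = build_message(raw)
    print(f"raw={len(raw)} wire={wire_size(sample)} "
          f"inflation={inflation(len(raw), sample):.1%}")
    print(f"estimated max raw attachment: {max_raw_attachment()} bytes")
```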

Correct Answer
mkwilosz@pronet... Fri, 04/13/2012 - 07:34

Thanks Steve.  I actually received the same response yesterday also.  I'm fine with the change since we were definitely experiencing the lockup when someone tried to push an extremely large file through the DLP system.  My concern now is what to do if someone needs to send a file larger but the DLP policy is trying to trigger and encrypt the message.  I'm thinking of possibly creating a bypass message filter so if a certain keyword is found in the subject line the message immediately gets emailed without scanning for DLP.  Of course this brings up the concern of people sending out items they shouldn't be and bypassing the DLP policy.  I'm thinking I could CC our Management on any sensitive information that has been requested to be sent unencrypted to avoid it being taken advantage of.

RSteveKadish Fri, 04/13/2012 - 07:45

Mike, that's definitely a concern.  We are not doing any automatic encryption yet, but we will be in the future.  I did see one incident in our tracking logs where it looked like IronPort defaulted to TLS when a message was too large to be encrypted, but I'm not sure if that was by design.

pmphmo Fri, 07/06/2012 - 16:51

I came to this thread after one of my users had a message bounce that was only about 7.2MB.

I understand Cisco wants to cut down on support calls and costs but this seems like a drastic reduction.  We're a very small shop and rarely send out messages of any kind over 10MB but it's the big ones that are usually the most sensitive, yes?  I would very much like to see this limit at least somewhat configurable in the future, even if it's capped at, say, 20MB, or even maybe see it indexed on throughput but effectively cutting the limit of what can be protected by 75% or more puts a huge dent in the value argument for IronPort.  The ability to easily encrypt anything from any device is the prime reason we have IronPort versus numerous other options.

We renewed this year but if this is not addressed it will put a serious damper on our enthusiasm to spend the extra cash next year.

Posted April 10, 2012 at 12:09 PM