I have a user that was sent a 10mb attachment.  They report that it was
kicked back to the sender saying max message size exceeded.  This domain
doesn't have a max message size set, nor does the particular user, nor does
he have a max MAILBOX size.

In the logs, I am seeing something very strange:

SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] EHLO hotmail.com
SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] MAIL FROM:<[EMAIL PROTECTED]>
SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] RCPT TO:<[EMAIL PROTECTED]>
SMTP (b07e000b01ca61ae) processing S:\imail\spool\Qb07e000b01ca61ae.SMD

There is about a 30 minute difference in the timestamps on the last two
lines.  These are ALL the lines containing the queue number.

That is unusual. There definitely should have been a "connect" line. Note, however, that if this was at the beginning of the day (~12:00AM to 12:05AM), it could be that the "connect" line was in the previous log file.


The log file seems incomplete, because on every incoming connection, I usually
get first a "connect REMOTEIP (REMOTE_SERVER) port PORTNO" line, followed by
the ehlo, mail from, rcpt to.  Then I usually get a "spoolfilepath" line after
the rcpt to.  Then I usually get IMail's "performing antispam checks" before
the "processing" line, even though I have completely disabled all of IMail's
antispam features.  So some lines seem to be missing.

That too is unusual -- from the information so far, I would normally suspect that IMail mishandled the E-mail, and didn't pass it on to Declude. But since there are Declude log file entries, Declude did indeed scan it.


After that is where it passes off to Declude, and Declude reports that its
last action was "IGNORE" on this message (My logs are on HIGH, so I won't
post the whole thing, just the last line, but all expected lines are there):

11/23/2004 17:19:08 Qb07e000b01ca61ae Last action = IGNORE.

How does this time compare to the IMail log file times? Was there a long delay in the Declude processing of the E-mail?


But there is no further mention of the queue number in the IMail logs.  Did
Declude bomb while passing back to IMail?  Or did IMail drop the ball?  How
can I tell?

Unfortunately, it isn't easy to tell. The "Last action = IGNORE" *should* mean that Declude ended up successfully passing the E-mail to IMail. But there is a very slight chance that something could have gone wrong after Declude logged that entry and before Declude passed the E-mail to IMail.


You might want to try searching your hard drive for the Db07e000b01ca61ae.SMD file, to see if it is there somewhere. If Declude couldn't pass the E-mail on to IMail, the Db07e000b01ca61ae.SMD file should be in the \IMail\spool directory (but if that is the case, IMail should have delivered it within 1-2 hours).

-Scott
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.