Introduction
This document describes messages rejected and bounced due to large headers on the Cisco Email Security Appliance (ESA).
Bounce Messages with "552 #5.3.4 message header size exceeds limit"
When a host tries to send mail with a large header, the ESA may reject it. The end-user may see one of the following error messages:
"552 #5.3.4 message header size exceeds limit"
"500 #5.5.1 command not recognized"
"421 Exceeded bad SMTP command limit"
In other cases, the host may keep retrying the same message.
By default, the ESA allows at most 1000 lines in the message header. When the header exceeds 1000 lines, the ESA returns "552 #5.3.4 message header size exceeds limit" to the sending host and leaves the DATA phase of the SMTP conversation.
Some hosts ignore this reply and continue to stream the message data. Because the ESA is no longer in the DATA phase, it interprets each remaining line as an SMTP command and returns "500 #5.5.1 command not recognized" for each one.
Once the limit of 4 bad SMTP commands is exceeded, the ESA returns "421 Exceeded bad SMTP command limit" and drops the connection.
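The exchange above, reproduced as an added example that is not Cisco's code or part of the original article: a small model of the listener's behaviour during DATA, plus a pre-send check that counts header lines the way a line-based limit would. The limits and reply strings are the ones this article gives; the sample message is constructed. Assumed details, not stated by the article: header lines are counted as physical lines up to the first blank line (so folded continuation lines count individually), every line the sender pushes after the 552 is treated as an unrecognized command, and the 421 is sent on the first bad command beyond the limit of 4.

```python
# Added example (not Cisco's code): models the 552 / 500 / 421 reply sequence
# described above so it can be reproduced offline. Limits and reply strings
# come from the article; the sample message is constructed. Assumptions:
# physical header lines are counted up to the first blank line, each line
# streamed after the 552 is an unrecognized command, and the 421 follows the
# first bad command beyond the limit of 4.

HEADER_LINE_LIMIT = 1000   # listenerconfig > setup default ("0 indicates no limit")
BAD_COMMAND_LIMIT = 4      # bad SMTP commands tolerated before the 421

REPLY_552 = "552 #5.3.4 message header size exceeds limit"
REPLY_500 = "500 #5.5.1 command not recognized"
REPLY_421 = "421 Exceeded bad SMTP command limit"


def header_line_count(message: str) -> int:
    """Physical lines in the header section (everything before the first blank line).

    Folded continuation lines count individually, which is what a line-based
    limit sees (assumption about how the ESA counts).
    """
    count = 0
    for line in message.splitlines():
        if line == "":
            break
        count += 1
    return count


def exceeds_header_limit(message: str, limit: int = HEADER_LINE_LIMIT) -> bool:
    """Pre-send check: True if a listener configured with `limit` would answer 552."""
    return limit != 0 and header_line_count(message) > limit


def simulate_data_phase(message: str, *, sender_ignores_552: bool = True,
                        limit: int = HEADER_LINE_LIMIT,
                        bad_limit: int = BAD_COMMAND_LIMIT) -> list[str]:
    """Error replies the sender sees while streaming `message` in the DATA phase.

    Only the three replies named in the article are modelled; a message that
    fits within the limit produces no error reply (empty list). With
    sender_ignores_552=False the sender stops at the 552 (the host that later
    retries the same message). With True it keeps streaming, and the receiver,
    no longer in DATA, parses every further line as an SMTP command.
    """
    replies: list[str] = []
    header_lines = 0
    bad_commands = 0
    in_data = True
    for line in message.splitlines():
        if in_data:
            if line == "":
                break                      # header ended within the limit: no error
            header_lines += 1
            if limit and header_lines > limit:
                replies.append(REPLY_552)
                if not sender_ignores_552:
                    break
                in_data = False            # receiver is back in command mode
            continue
        bad_commands += 1                  # message text is not a valid SMTP verb
        if bad_commands > bad_limit:
            replies.append(REPLY_421)      # connection is dropped here
            break
        replies.append(REPLY_500)
    return replies


def build_message(header_lines: int) -> str:
    """Constructed sample: a message whose header section has `header_lines` lines."""
    header = ["From: sender@example.com", "To: recipient@example.com",
              "Subject: trace test"]
    header += [f"X-Trace-Hop: {i}" for i in range(header_lines - len(header))]
    return "\r\n".join(header + ["", "Body line 1", "Body line 2", ""])


if __name__ == "__main__":
    big = build_message(1010)
    print(header_line_count(big), exceeds_header_limit(big))
    for reply in simulate_data_phase(big):
        print("S:", reply)
```

Running the block prints the six replies a sender that ignores the 552 receives: one 552, four 500s, then the 421. The same `header_line_count` can be pointed at a saved copy of a bounced message to confirm that the header, including Received: and X-* trace lines accumulated across many hops, is what crossed the limit. If legitimate mail is affected, raise the limit under listenerconfig > setup rather than setting it to 0: the limit is what bounds the header data a single connection can make the listener hold.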
The maximum number of header lines can be changed only from the CLI, under listenerconfig > setup:
myesa.local> listenerconfig
Currently configured listeners:
1. listener_myesa.local (on Management, 192.168.0.199) SMTP TCP Port 25 Public
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> setup
Enter the global limit for concurrent connections to be allowed across
all listeners.
[50]>
Listener listener_myesa.local Policy $TRUSTED max concurrency value of 300
will be limited to 50 by this concurrency setting.
Enter the global limit for concurrent TLS connections to be allowed across
all listeners.
[100]>
Concurrent TLS connections value of 100 will be limited to 50 by the global
limit for concurrent connections.
Enter the maximum number of message header lines. 0 indicates no limit.
[1000]>
Enter the rate at which injection control counters are reset.
[1h]>
Enter the timeout for unsuccessful inbound connections.
[5m]>
Enter the maximum connection time for inbound connections.
[15m]>
What hostname should Received: headers be stamped with?
1. The hostname of the Virtual Gateway(tm) used for delivering the message
2. The hostname of the interface the message is received on
[2]>
The system will always add a Message-ID header to outgoing messages that don't
already have one. Would you like to do the same for incoming messages? (Not
recommended.) [N]>
By default connections with a HAT REJECT policy will be closed with a banner
message at the start of the SMTP conversation. Would you like to do the rejection
at the message recipient level instead for more
detailed logging of rejected mail? [N]>
If any changes are made, return to the main CLI prompt and run commit to save and apply them.