QRadar Network Security (XGS) does not send SMTP 541 response for blocked email traffic

Troubleshooting

Problem

QRadar Network Security (XGS) does not send SMTP 541 response for blocked email traffic in some instances

Symptom

For some SMTP clients and larger email attachments, a block response from the XGS appliance on SMTP traffic will block the traffic but does not send the expected SMTP 541 response to end the email attempt. The XGS resets the connection like a standard TCP connection. The client may continue sending the email attempt, instead of considering the attempt as failed per server response.

Resolving The Problem

Ensure you have XPU 3806.21192 or later installed
Add the following tuning parameter to the XGS appliance, in the Tuning Parameters policy:

Name: pam.email.block_large

Value: on

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar Network Security (XGS) does not send SMTP 541 response for blocked email traffic

Troubleshooting

Problem

Symptom

Resolving The Problem

Document Location

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?