[SASAG] Decipher Exchange SMTP Logs

Eric Kahklen eric at kahklen.com
Mon Jan 26 14:46:49 PST 2009

Thanks for the great information.

I looked up their MX record and it looks like they're load balancing with
two public servers.  I used telnet to connect and issued the ehlo command
and got:

220 mx1.example.com ESMTP
ehlo mail.me.com
250 SIZE 1048576

I forwarded this to their postmaster as suggested so hopefully someone
actually reads that account :)

Thanks again!


> On 2009-01-26 13:02 -0800, Eric Kahklen chatted:
>> We are having a problem where an attachment over 1 MB is being denied by
>> the destination mail server.  They have told me they are not limiting
>> incoming email size.  They are able to receive email with an attachment
>> less than 1 MB from my users.  I've sent the same attachment from my
>> personal email account that is not using Exchange and have not yet
>> received a bounce message yet, but have not heard from them if they got
>> the message.  Is there a way to know what their mail server's message size
>> limits are?
> You can only know the first hop.  If they have mail go from your
> machine to their machine to one or more machines after their first,
> you have no idea what they'll accept.  But that first one you can
> usually infer size limits based on SMTP headers.
>> My smtp logs show <, 250 SIZE 1048576 which should be 1 MB.
> That looks like their SMTP header.  Try hitting their public
> mail server on port 25.  You can figure out where the mail should
> go via
>   $ host -t mx example.com
> then hit port 25 and issue an EHLO, e.g.
>   $ telnet their.mx.machine.example.com 25
>   220 their.mx.machine.example.com ESMTP InferiourMail
>   EHLO my.domain.example.com   < You type this
>   250-SIZE 10240000
>   250-ETRN
>   250-STARTTLS
>   250 8BITMIME
>   quit                         < You type this
>   221 Bye
>   Connection closed by foreign host.
> This shows what they're advertising as a hard inbound message
> size in the 'SIZE' line.  If you can show them this says
> the 1048576 (1M) that you seem to have already found, this
> should help them.
> Note that to send an email with a 1MB attachment means encoding
> it in 7bit ascii, which bloats it up beyond 1MB.
> --
> Brian Hatch                  "I use pico on any Unix that
>    Systems and                didn't ship with vi."
>    Security Engineer         -- Francois Caen
> http://www.ifokr.org/bri/
> Every message PGP signed

Eric Kahklen
Mountlake Terrace, WA
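
Added example, not part of the original thread: a Python sketch that reads the SIZE value out of an EHLO reply and checks whether an attachment still fits once it is encoded for transport. It assumes base64 with 76-character lines as the attachment encoding and a hypothetical 2048-byte allowance for headers and body text; both EHLO replies are constructed from the transcripts quoted above.

```python
import re

# Constructed EHLO replies modelled on the two transcripts in the thread.
REPLY_THREAD = "250 SIZE 1048576\r\n"
REPLY_EXAMPLE = "250-SIZE 10240000\r\n250-ETRN\r\n250-STARTTLS\r\n250 8BITMIME\r\n"

# "250-KEYWORD params" on continuation lines, "250 KEYWORD params" on the last.
_EHLO_LINE = re.compile(r"^250[- ](\S+)(?: (.*))?$")


def advertised_size(ehlo_reply):
    """Return the first hop's SIZE limit in bytes.

    None means SIZE was not advertised; 0 means it was advertised
    without a fixed limit (RFC 1870).
    """
    for line in ehlo_reply.splitlines():
        m = _EHLO_LINE.match(line.strip())
        if m and m.group(1).upper() == "SIZE":
            param = (m.group(2) or "").strip()
            return int(param) if param.isdigit() else 0
    return None


def base64_wire_size(raw_bytes, line_len=76):
    """Bytes sent for a base64 part: 4 chars per 3 input bytes, CRLF per line."""
    encoded = 4 * ((raw_bytes + 2) // 3)
    lines = (encoded + line_len - 1) // line_len
    return encoded + 2 * lines


def fits(raw_bytes, ehlo_reply, overhead=2048):
    """True/False if a limit is advertised, None if there is nothing to compare.

    overhead is an assumed allowance for headers and body text.
    """
    limit = advertised_size(ehlo_reply)
    if not limit:
        return None
    return base64_wire_size(raw_bytes) + overhead <= limit


if __name__ == "__main__":
    for size_kib in (700, 800, 1024):
        raw = size_kib * 1024
        print(size_kib, "KiB ->", base64_wire_size(raw), "bytes,",
              "fits 1048576:", fits(raw, REPLY_THREAD))
```

Under these assumptions, an attachment of roughly 750 KiB is the most that gets past a first hop advertising `SIZE 1048576`, and later hops may still apply their own limits.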
