When DLP Email Prevent receives an email that triggers an incident and requires the SMTP Modify Response rule, two emails are being received by the recipient, one with the modified email and one without the modifications.
DLP Endpoint Prevent
Mimecast email gateway
By design, DLP Email Prevent immediately forwards the original email to the downstream MTA gateway but withholds the terminating DOT "." that completes the DATA phase of the SMTP conversation.
If the email passes detection, then the DOT "." is sent to complete communication, the connection is closed and the downstream MTA sends the email to the recipient.
If the email triggers an incident and the SMTP Modify response rule is necessary, DLP Email Prevent closes the connection, begins a complete new connection and a new email is built with the modified information and then sent to the downstream MTA with the DOT "." at the end to complete the connection.
With this issue, the downstream MTA is delivering the original email before it has received the DOT "." that completes the communication, and then delivering the second, modified email as well, which creates the duplicate emails.
The first email sent downstream without the DOT "." should not have been delivered to the recipient.
The downstream MTA should have held it until DLP closed the connection, and then discarded the incomplete email.
Only the second email, with the modified headers, should have been delivered.
The downstream MTA vendor needs to be contacted to troubleshoot the MTA gateway so that it does not deliver a message whose DATA phase was never completed with the DOT ".".
If the MTA vendor needs it, here are the steps to provide proof.
1. Install Wireshark on the Email Prevent server.
2. Start a packet capture on the Email Prevent server.
3. Send an offending email.
4. Verify the recipient received two emails, one without modification and one with modification.
5. Stop the packet capture.
6. Open the packet capture.
7. Filter on the SMTP protocol.
There will be 3 TCP streams: one from the upstream MTA to DLP and two from DLP to the downstream MTA gateway.
8. Follow the TCP stream for the upstream MTA to DLP.
It will show the original email with no additional headers, and you will see the following at the end:
.
250 Requested mail action okay, completed
QUIT
9. Follow the first TCP stream from DLP to the downstream MTA.
It will show the original email with one added header, X-CFilter-Loop:, which is the default header. This proves that DLP touched the email and forwarded it downstream. But there will be no DOT "." at the end.
10. Follow the second TCP stream from DLP to the downstream MTA.
It will show the email with the modified headers. It will also show the following at the bottom:
.
250 Requested mail action okay, completed
QUIT
221 Service closing transmission channel
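To make the comparison in steps 8 to 10 repeatable, the following added example (not part of this article or of the DLP product) takes the text of each "Follow TCP Stream" dump and reports whether the DATA phase was closed with the lone "." line, what the server replied after it, and whether the X-CFilter-Loop header is present. The three sample transcripts, hostnames, addresses and the X-Sample-Modified header are constructed for illustration.

```python
# Classify SMTP "Follow TCP stream" transcripts (client and server lines
# interleaved, as Wireshark shows them) by whether the DATA phase was closed
# with the lone "." line and whether the DLP X-CFilter-Loop header is present.

def analyze_smtp_stream(transcript: str) -> dict:
    """Return end-of-DATA status, the server reply after the ".", and whether
    the X-CFilter-Loop header that DLP adds is present in the message."""
    lines = transcript.replace("\r\n", "\n").split("\n")
    in_data = in_headers = False
    result = {"terminated": False, "reply_after_dot": None, "has_cfilter_loop": False}
    for i, line in enumerate(lines):
        if not in_data:
            if line.startswith("354"):          # server accepted DATA; message follows
                in_data = in_headers = True
            continue
        if in_headers:                          # header block ends at the first blank line
            if line == "":
                in_headers = False
            elif line.lower().startswith("x-cfilter-loop:"):
                result["has_cfilter_loop"] = True
            continue
        if line == ".":                         # the <CRLF>.<CRLF> end-of-DATA marker
            result["terminated"] = True
            replies = [l for l in lines[i + 1:] if l]
            result["reply_after_dot"] = replies[0] if replies else None
            break
    return result

def unterminated_streams(streams: dict) -> list:
    """Names of the streams whose DATA phase never received the terminating "."."""
    return [name for name, t in streams.items() if not analyze_smtp_stream(t)["terminated"]]

# Constructed sample transcripts (hypothetical hosts, addresses and header values),
# one per TCP stream the article says the capture will contain.
_PREAMBLE = ("EHLO client.example\r\n250 OK\r\nMAIL FROM:<alice@example.com>\r\n250 OK\r\n"
             "RCPT TO:<bob@example.com>\r\n250 OK\r\nDATA\r\n354 Start mail input\r\n")
_HEADERS = "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: report\r\n"
_END = (".\r\n250 Requested mail action okay, completed\r\nQUIT\r\n"
        "221 Service closing transmission channel\r\n")
SAMPLE_STREAMS = {
    "upstream_to_dlp": _PREAMBLE + _HEADERS + "\r\nbody\r\n" + _END,
    "dlp_to_downstream_1": _PREAMBLE + _HEADERS + "X-CFilter-Loop: sample\r\n\r\nbody\r\n",
    "dlp_to_downstream_2": _PREAMBLE + _HEADERS + "X-CFilter-Loop: sample\r\n"
                           "X-Sample-Modified: yes\r\n\r\nbody\r\n" + _END,
}

if __name__ == "__main__":
    for name, t in SAMPLE_STREAMS.items():
        print(name, analyze_smtp_stream(t))
    print("streams delivered without end-of-DATA:", unterminated_streams(SAMPLE_STREAMS))
```

Paste each stream's ASCII dump into a file and feed it to analyze_smtp_stream; the stream that reports terminated False while still carrying X-CFilter-Loop is the one the downstream MTA should have discarded.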