topic Re: Checkpoint MTA R80.40 in General Topics

Checkpoint MTA R80.40

Tony_Graham — Wed, 23 Jun 2021 15:32:24 GMT

Not sure if this is posting to the correct place but here is my issue.

I am working on deploying the Checkpoint MTA for anti-spam functionality.

I got it set up without any problems and mail is flowing. However, I have a specific

system that sends PDF reports. That system interacts with our main mail server which

sends the reports out on its behalf. Once those emails reach the firewall, they are getting

inspected and dropped as SPAM. I have set the MTA to inspect only on External interfaces

and I have tried all manner of exceptions but they are still getting flagged. Cannot seem

to find the magic clicky box to sort it out. Ideally I don't need it looking at emails going out

at all. Thanks.

**I should also mention this is R80.40

Re: Checkpoint MTA R80.40

Wolfgang — Wed, 23 Jun 2021 17:13:46 GMT

@Tony_Graham

a screenshot from the log entry would be helpful. There should be seen which feature (content, IP reputation etc.) block or flag the message.

Are you sure MTA is dropping these, AntiSpam feature will be configured outside of the ThreatPrevention profile via old SmartDashboard . There you can define exception for AntiSpam.

Wolfgang

Re: Checkpoint MTA R80.40

Tony_Graham — Wed, 23 Jun 2021 17:40:03 GMT

It says in the log,

Action:Reject

Blade: Anti-SPAM and Email Security

Drilling down into event---

Reason:Suspected SPAM Rejected

File direction: Internal to Internal

There is an Accept log entry before the Reject for the each connection. The Accept log for the connection

reads:

Description: Non Spam Accepted

Email Control: IP Reputation

There is also reference to Policy Rule 6, which is in reference to my allow SMTP connections from the originating server to the destination.

I do not understand what this means:

" AntiSpam feature will be configured outside of the ThreatPrevention profile via old SmartDashboard ."

Re: Checkpoint MTA R80.40

Tony_Graham — Wed, 23 Jun 2021 18:01:28 GMT

Is there not a simple way to say:

SRC: server A DST: server B Action: Accept

as an exception that will bypass the Anti-SPAM policy?

I can send PDF attachments out of the email server all day I just can't relay an

email that contains a PDF to the mail server. Bizarre.

Re: Checkpoint MTA R80.40

Wolfgang — Wed, 23 Jun 2021 19:09:09 GMT

First of all, I think you enabled the MTA and the blade „Anti-SPAM and Email Security“.

If you don‘t understand my writing about the old SmartDashboard you did no configuration of the AntiSpam blade. These blade is one of the odd behaviour with some features they are still not available in SmartConsole.
Maybe in version R100 or anything else all features will be configurable in only one GUI !

Follow these……

To configure a content Anti-Spam policy:

In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.
SmartDashboard opens and shows the Anti-Spam & Mail tab.
On the Overview page, under Content based Anti-Spam, click Settings.
Use the slider to select an Anti-Spam policy protection level.
Select flagging options.

There are too options to define exceptions for IPs or mail addresses. Detailed configuration options are find in the documentation:

Using Anti-Spam and Mail

Your first log entry shows „Email Control: IP Reputation“. This means that the AntiSpam-blade does not drop this connection regarding the „IP reputation“ feature (blacklist check…) I think the same field in the second log (the drop log) shows something like „Email Control: Content AntiSpam“. Which means something of the content in the message is detected as spam.

Wolfgang

Re: Checkpoint MTA R80.40

Tony_Graham — Wed, 23 Jun 2021 19:39:42 GMT

Thanks Wolfgang. I will take some time and digest what you have said.

Part of the problem also is I have been managing CP since version 2 and

I have a lot of 'cruft' information stored in my brain that is often irrelevant because

it has been superseded by newer processes. Still trying to wrap my head around this.

Re: Checkpoint MTA R80.40

Tony_Graham — Wed, 23 Jun 2021 23:35:53 GMT

Okay so do I not need the MTA and the blade? I am a bit confused on that.

I do have the blade enabled and working and I can watch the traffic in the logs.

I have the MTA operating on another IP for testing purposes but as I said, not sure

if this is needed or desired to be used.

Re: Checkpoint MTA R80.40

Wolfgang — Thu, 24 Jun 2021 06:17:43 GMT

The clear answer of your question (Do I need the MTA?) "it depends...." 😉

If you want to have one of these features from the ThreatPreventionProfile you need to enable MTA.

Another point will be that a lot of the SMTP traffic is encrypted. Without MTA you can't analyze these messages.

Without MTA you can still use the "AntiSpam-EmailSecurity"-blade. IP reputation will work, and content scan for SPAM
will work for unencrypted message flow.

I prefer to use both but you have to be aware that now another MTA is involved in the message flow which has to be monitored.

Re: Checkpoint MTA R80.40

Tony_Graham — Thu, 24 Jun 2021 19:40:01 GMT

What about the items above where you have circled? It seems like they may be covered elsewhere at this point.

Re: Checkpoint MTA R80.40

Wolfgang — Fri, 25 Jun 2021 06:50:46 GMT

These are options in the ThreatPreventionProfile named "optimized". If you enable MTA, an automatic rulle is created as first rule in the ThreatPrvention policy with MTA-gateway as "protected scope".

Re: Checkpoint MTA R80.40

Tony_Graham — Fri, 25 Jun 2021 18:20:29 GMT

So I am wondering how much overlap there is between the two products? MTA which enables TP, and Enabling the server Blade Anti-SPAM and email security, not to mention ThreatCloud monitoring. It's just not clear where one ends and one begins. Is there a chart?

Re: Checkpoint MTA R80.40

Wolfgang — Fri, 25 Jun 2021 19:57:16 GMT

@Tony_Graham I agree with you. The mail security on a Check Point gateway is a little bit confusing. There is no overlapping feature between AntiSpam blade and ThreatPrevention Mail Security. But it‘s really confusing you have to configure mail security in different GUI tools with separate locations. All the features are described in the Threat Prevention documentation I mentioned earlier.