topic IPS rejects encrypted mail in Spark Firewall (SMB) https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPS-rejects-encrypted-mail/m-p/94774#M4080 <P>Hi,</P><P>For general awareness, as this might loose you e-mail if you're not looking at your smtp logs, if you have IPS set to <EM>strict</EM> and you expect to receive SMTP with opportunistic encryption (STARTTLS), IPS will drop certain SMTP connections.</P><P>I couldn't find a knowledge base article with a few quick searches, to here are the details.</P><P>Tested on 790 GW with R77.20.87 build 3004.</P><P>The protection <EM>"SMTP STARTTLS Command" (smtp_starttls_enable)"</EM> will be enabled on strict, or custom IPS settings that include it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="set.png" style="width: 445px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/7731iBDC4384A630478FC/image-size/large?v=v2&amp;px=999" role="button" title="set.png" alt="set.png" /></span></P><P>The corresponding postfix log after setting the signature to detect, looks like the following</P><P>&nbsp;</P><LI-CODE>postfix/smtpd[25955]: Anonymous TLS connection established from XXXX[199.7.a.b]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)</LI-CODE><P>&nbsp;</P><P>You can set the IPS signature it to <EM>detect and log</EM> manually in case you need to correlate events.</P> Thu, 20 Aug 2020 16:19:54 GMT Michal_W_old 2020-08-20T16:19:54Z IPS rejects encrypted mail https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPS-rejects-encrypted-mail/m-p/94774#M4080 <P>Hi,</P><P>For general awareness, as this might loose you e-mail if you're not looking at your smtp logs, if you have IPS set to <EM>strict</EM> and you expect to receive SMTP with opportunistic encryption (STARTTLS), IPS will drop certain SMTP connections.</P><P>I couldn't find a knowledge base article with a few quick searches, to here are the details.</P><P>Tested on 790 GW with R77.20.87 build 3004.</P><P>The protection <EM>"SMTP STARTTLS Command" (smtp_starttls_enable)"</EM> will be enabled on strict, or custom IPS settings that include it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="set.png" style="width: 445px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/7731iBDC4384A630478FC/image-size/large?v=v2&amp;px=999" role="button" title="set.png" alt="set.png" /></span></P><P>The corresponding postfix log after setting the signature to detect, looks like the following</P><P>&nbsp;</P><LI-CODE>postfix/smtpd[25955]: Anonymous TLS connection established from XXXX[199.7.a.b]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)</LI-CODE><P>&nbsp;</P><P>You can set the IPS signature it to <EM>detect and log</EM> manually in case you need to correlate events.</P> Thu, 20 Aug 2020 16:19:54 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPS-rejects-encrypted-mail/m-p/94774#M4080 Michal_W_old 2020-08-20T16:19:54Z Re: IPS rejects encrypted mail https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPS-rejects-encrypted-mail/m-p/94827#M4093 <P>Again a reason to not use the Strict IPS policy - in addition to not to use Strict Firewall Policy...</P> Fri, 21 Aug 2020 07:53:08 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPS-rejects-encrypted-mail/m-p/94827#M4093 G_W_Albrecht 2020-08-21T07:53:08Z