AntiSpam and Email Security
We have a Check Point gateway, 7000 series. Last month we updated our license, so we want to use the Anti-Spam & Email Security feature. How can we enable it? How can we configure rules for the associated blade? Are there things we need to know before enabling that feature?
Start with the relevant documentation:
Here is an FAQ regarding MTA:
https://support.checkpoint.com/results/sk/sk108553
https://support.checkpoint.com/results/sk/sk109699
Why you might need MTA:
https://support.checkpoint.com/results/sk/sk98973
Not sure if you run VSX, but this is not supported:
https://support.checkpoint.com/results/sk/sk79700
If you like this post please give a thumbs up(kudo)! 🙂
@Lesley thanks for the detailed explanation.
Is enabling MTA a must to use Anti-Spam and Email Security? And what are the advantages and disadvantages of enabling MTA on a Maestro?
If email is transported with TLS, an MTA is required as we won't be able to see the mail content otherwise.
@gemechis MTA is not required for the AntiSpam blade. Without MTA you have features like BlackList block, IP reputation and content spam check for messages that are not sent encrypted (as mentioned by @PhoneBoy).
ThreatExtraction (sandboxing, removing malicious content from file attachments or converting them to PDF) requires MTA.
As a hint: all features that must be configured in the old SmartDashboard can be used without MTA. All other configuration in the mail tab of the ThreatPrevention profile needs MTA enabled.
@Wolfgang Thanks for the reply.
Today, I have tried to configure "Configuring a Content Anti-Spam Policy", "Configuring an IP Reputation Policy", "Configuring a Block List". Of these three, IP reputation is working. We tried to block using domains, but emails are arriving at our mailbox.
What could be the issue? I have not enabled MTA.
Any help on this?
@Lesley @PhoneBoy @Wolfgang
I have checked all MTA articles and found there are three (3) deployment methods for it.
1. Check Point MTA as the organization MX record
2. Check Point MTA as an internal MTA
3. Check Point MTA in BCC Mode
My question is: if we configure option 3, "Check Point MTA in BCC Mode", how are the mail extraction and emulation going to be done?
In BCC mode, a copy of the email is sent to emulation, but it is not prevented from reaching the end user's inbox.
For full prevention, you need to deploy it with one of the other methods.
Hi @PhoneBoy
Thanks for the reply.
Today, I have tried to configure "Configuring a Content Anti-Spam Policy", "Configuring an IP Reputation Policy", "Configuring a Block List". Of these three, IP reputation is working. We tried to block using domains, but emails are arriving at our mailbox.
What could be the issue? I have not enabled MTA.
If SMTP is sent via TLS, then you will not be able to block by domain as there is no way to see what domains are involved in the email.
In this case, you will need to use MTA mode.
@PhoneBoy okay.
So,
1. Which ones can I configure without enabling MTA?
2. If enabling MTA is a must, which mode do you recommend, considering resource utilization?
Dear @gemechis, it all depends on what you want to achieve...
You can configure to block a mail domain, but as @PhoneBoy mentioned this will only work if the mail arrives without TLS. You can configure to block a mail by IP address; this will be blocked with TLS or without.
The content of a mail message can't be checked if sent via TLS; you have to decrypt these messages to do any content scan.
You can enable MTA and all features of "Configuring a Content Anti-Spam Policy", "Configuring an IP Reputation Policy", "Configuring a Block List" will work with TLS and without.
If you want to get the most value, you have to enable MTA, the Content Anti-Spam Policy, the IP Reputation Policy, the Block List and the ThreatExtraction features.
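
An added illustration (not part of the thread and not Check Point's code) of the point made in the replies above: a gateway that does not terminate TLS can still match the source IP, but loses the sender domain once STARTTLS is accepted. The sessions, addresses, domains and function names are constructed for the example.

```python
import re

# Constructed sessions as seen on the wire: (direction, line); None = opaque TLS record.
PLAINTEXT_SESSION = [
    ("S", "220 mx.example.org ESMTP"),
    ("C", "EHLO mail.sender.example"),
    ("S", "250 STARTTLS"),
    ("C", "MAIL FROM:<promo@blocked.example>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<user@example.org>"),
]
TLS_SESSION = [
    ("S", "220 mx.example.org ESMTP"),
    ("C", "EHLO mail.sender.example"),
    ("S", "250 STARTTLS"),
    ("C", "STARTTLS"),
    ("S", "220 Ready to start TLS"),
    ("C", None),  # MAIL FROM, RCPT TO and DATA now travel inside TLS
    ("S", None),
]

MAIL_FROM = re.compile(r"MAIL FROM:\s*<[^>@]*@([^>]+)>", re.IGNORECASE)

def passive_view(src_ip, session):
    """What a device that does not terminate TLS can learn from one session."""
    view = {"src_ip": src_ip, "sender_domain": None, "encrypted": False}
    tls_requested = False
    for direction, line in session:
        if line is None or view["encrypted"]:
            continue  # ciphertext: nothing to parse
        if direction == "C" and line.strip().upper() == "STARTTLS":
            tls_requested = True
        elif direction == "S" and tls_requested:
            view["encrypted"] = line.startswith("220")  # 220 = TLS accepted
            tls_requested = False
        elif direction == "C":
            match = MAIL_FROM.match(line)
            if match:
                view["sender_domain"] = match.group(1).lower()
    return view

def verdict(view, blocked_ips, blocked_domains):
    """Apply an IP block list and a sender-domain block list to the view."""
    if view["src_ip"] in blocked_ips:
        return "block: source IP"
    if view["sender_domain"] in blocked_domains:
        return "block: sender domain"
    if view["encrypted"]:
        return "pass: sender domain hidden by TLS"
    return "pass"
```

An MTA that terminates the TLS session sees the equivalent of the plaintext session, which is why the domain block list starts matching once MTA is enabled.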
@Wolfgang thanks.
Is there any method by which I can enable MTA without changing my current architecture, to see the impact?
I believe not. If you enable an additional MTA in the mail flow between sender and recipients there is always an impact. If everything is configured correctly the mail messages will be delivered. But it's the behavior of an MTA to accept the messages, do some checks and then send them to the next hop.
Okay. So, to see all the impact on the gateway, I will configure MTA in BCC mode and check the impact.
I am planning to configure MTA with the third deployment option, "MTA in Backward Compatibility Mode". In that case, what's the need for importing our mailbox's certificate to the Check Point Security Gateway?
Also, who is responsible for decrypting the incoming mail? Is that the mailbox or the security gateway?
You have to have a certificate for the MTA on the Security Gateway to terminate SMTP over TLS.
This handles the transport layer encryption.
The message will be queued/scanned on the gateway and forwarded to the configured next-hop MTA.
Note content security can't be done on the message if it's encrypted (e.g. with S/MIME), but the headers should be fully visible.
@gemechisd There are not many configuration options. You have to enable the blade and most of the things are configured via the old SmartDashboard. There you can enable the AntiSpam and IP reputation levels and configure exceptions. If you enable the MTA on the gateway you can use your TP profile to check messages for viruses and emulate files in the TP environment.
AntiSpam and IP-reputation both have really good results but configuration options are very limited. No quarantine, limited exceptions, no address checking in the internal mail environment……
@Wolfgang Thanks for the explanation. But if I don't want to enable MTA, are AntiSpam and IP reputation the only options working without MTA?
Who is responsible for analysing attachments?
We have a Check Point deployment in our environment and we need to enable the "Anti Spam and Email Security" blade. We need to configure:
- Content Anti-Spam Policy
- IP Reputation Policy
- Block List
- Anti-Spam SMTP
- Anti-Spam POP3
After enabling the blade, I have configured the IP Reputation and Block List. The IP Reputation worked but the block list did not. What could be enabled to see the block list working in our environment?
What have you configured in the block list: IP/domain/email?
Is anti-spam seeing SMTP TLS traffic (sk98973)?
Yes. It's encrypted.
Would you mind sending us some screenshots of how this is configured? Just blur out the sensitive data.
Andy
@the_rock
Below you can find the screenshots.
Looks right. I would confirm with TAC, but what PhoneBoy said seems most logical.
Andy
@the_rock
OK, one thing I need to clarify: what are the possible configurations I can do without enabling MTA?
Sorry for the delay mate, just saw this message, apologies. I really can't give you a good suggestion on that, as I'm not sure. I would verify with TAC.
Andy
@the_rock
Will wait for the response.
