This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tony_Graham
Advisor
‎2021-06-23 08:28 AM
Jump to solution

Checkpoint MTA R80.40

Not sure if this is posting to the correct place but here is my issue.

I am working on deploying the Checkpoint MTA for anti-spam functionality.

I got it set up without any problems and mail is flowing. However, I have a specific

system that sends PDF reports. That system interacts with our main mail server which

sends the reports out on its behalf. Once those emails reach the firewall, they are getting

inspected and dropped as SPAM. I have set the MTA to inspect only on External interfaces

and I have tried all manner of exceptions but they are still getting flagged. Cannot seem

to find the magic clicky box to sort it out. Ideally I don't need it looking at emails going out

at all. Thanks.

 

**I should also mention this is R80.40

 

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2021-06-23 12:08 PM
In response to Tony_Graham
Jump to solution

First of all, I think you enabled the MTA and the blade „Anti-SPAM and Email Security“.

If you don‘t understand my writing about the old SmartDashboard you did no configuration of the AntiSpam blade. These blade is one of the odd behaviour with some features they are still not available in SmartConsole. 
Maybe in version R100 or anything else all features will be configurable in only one GUI !

Follow these……

To configure a content Anti-Spam policy:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. On the Overview page, under Content based Anti-Spam, click Settings.
  3. Use the slider to select an Anti-Spam policy protection level.
  4. Select flagging options.

There are too options to define exceptions for IPs or mail addresses. Detailed configuration options are find in the documentation:

Using Anti-Spam and Mail 

Your first log entry shows „Email Control: IP Reputation“. This means that the AntiSpam-blade does not drop this connection regarding the „IP reputation“ feature (blacklist check…) I think the same field in the second log (the drop log) shows something like „Email Control: Content AntiSpam“. Which means something of the content in the message is detected as spam.

Wolfgang

View solution in original post

11 Replies
Wolfgang
Authority
Authority
‎2021-06-23 10:13 AM
Jump to solution

@Tony_Graham 

a screenshot from the log entry would be helpful. There should be seen which feature (content, IP reputation etc.) block or flag the message.

Are you sure MTA is dropping these, AntiSpam feature will be configured outside of the ThreatPrevention profile via old SmartDashboard . There you can define exception for AntiSpam.

Wolfgang

0 Kudos
Tony_Graham
Advisor
‎2021-06-23 10:40 AM
In response to Wolfgang
Jump to solution

It says in the log,

Action:Reject

Blade: Anti-SPAM and Email Security

Drilling down into event---

Reason:Suspected SPAM Rejected

File direction: Internal to Internal

There is an Accept log entry before the Reject for the each connection. The Accept log for the connection

reads:

Description: Non Spam Accepted

Email Control: IP Reputation

There is also reference to Policy Rule 6, which is in reference to my allow SMTP connections from the originating server to the destination.

 

I do not  understand what this means:

" AntiSpam feature will be configured outside of the ThreatPrevention profile via old SmartDashboard ."

 

0 Kudos
Tony_Graham
Advisor
‎2021-06-23 11:01 AM
In response to Tony_Graham
Jump to solution

Is there not a simple way to say:

SRC: server A DST: server B Action: Accept

as an exception that will bypass the Anti-SPAM policy?

I can send PDF attachments out of the email server all day I just can't relay an

email that contains a PDF to the mail server. Bizarre.

0 Kudos
Wolfgang
Authority
Authority
‎2021-06-23 12:08 PM
In response to Tony_Graham
Jump to solution

First of all, I think you enabled the MTA and the blade „Anti-SPAM and Email Security“.

If you don‘t understand my writing about the old SmartDashboard you did no configuration of the AntiSpam blade. These blade is one of the odd behaviour with some features they are still not available in SmartConsole. 
Maybe in version R100 or anything else all features will be configurable in only one GUI !

Follow these……

To configure a content Anti-Spam policy:

  1. In SmartConsole, select Manage & Settings > Blades > Anti-Spam & Mail > and click Configure in SmartDashboard.

    SmartDashboard opens and shows the Anti-Spam & Mail tab.

  2. On the Overview page, under Content based Anti-Spam, click Settings.
  3. Use the slider to select an Anti-Spam policy protection level.
  4. Select flagging options.

There are too options to define exceptions for IPs or mail addresses. Detailed configuration options are find in the documentation:

Using Anti-Spam and Mail 

Your first log entry shows „Email Control: IP Reputation“. This means that the AntiSpam-blade does not drop this connection regarding the „IP reputation“ feature (blacklist check…) I think the same field in the second log (the drop log) shows something like „Email Control: Content AntiSpam“. Which means something of the content in the message is detected as spam.

Wolfgang

Tony_Graham
Advisor
‎2021-06-23 12:39 PM
In response to Wolfgang
Jump to solution

Thanks Wolfgang. I will take some time and digest what you have said.

Part of the problem also is I have been managing CP since version 2 and

I have a lot of 'cruft' information stored in my brain that is often irrelevant because

it has been superseded by newer processes. Still trying to wrap my head around this.

0 Kudos
Tony_Graham
Advisor
‎2021-06-23 04:04 PM
In response to Tony_Graham
Jump to solution

Okay so do I not need the MTA and the blade? I am a bit confused on that.

I do have the blade enabled and working and I can watch the traffic in the logs.

I have the MTA operating on another IP for testing purposes but as I said, not sure

if this is needed or desired to be used.

0 Kudos
Wolfgang
Authority
Authority
‎2021-06-23 11:17 PM
In response to Tony_Graham
Jump to solution

The clear answer of your question (Do I need the MTA?) "it depends...." 😉

If you want to have one of these features from the ThreatPreventionProfile you need to enable MTA.

Screenshot 2021-06-24 081541.png

Another point will be that a lot of the SMTP traffic is encrypted. Without MTA you can't analyze these messages.

Without MTA you can still use the "AntiSpam-EmailSecurity"-blade. IP reputation will work, and content scan for SPAM
will work for unencrypted message flow.

I prefer to use both but you have to be aware that now another MTA is involved in the message flow which has to be monitored.

0 Kudos
Tony_Graham
Advisor
‎2021-06-24 12:40 PM
In response to Wolfgang
Jump to solution

What about the items above where you have circled? It seems like they may be covered elsewhere at this point.

0 Kudos
Wolfgang
Authority
Authority
‎2021-06-24 11:50 PM
In response to Tony_Graham
Jump to solution

These are options in the ThreatPreventionProfile named "optimized". If you enable MTA, an automatic rulle is created as first rule in the ThreatPrvention policy with MTA-gateway as "protected scope".

Screenshot 2021.png

0 Kudos
Tony_Graham
Advisor
‎2021-06-25 11:20 AM
In response to Wolfgang
Jump to solution

So I am wondering how much overlap there is between the two products? MTA which enables TP, and Enabling the server Blade Anti-SPAM and email security, not to mention ThreatCloud monitoring. It's just not clear where one ends and one begins. Is there a chart?

0 Kudos
Wolfgang
Authority
Authority
‎2021-06-25 12:57 PM
In response to Tony_Graham
Jump to solution

@Tony_Graham  I agree with you. The mail security on a Check Point gateway is a little bit confusing. There is no overlapping feature between AntiSpam blade and ThreatPrevention Mail Security. But it‘s really confusing you have to configure mail security in different GUI tools with separate locations. All the features are described in the Threat Prevention documentation I mentioned earlier.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events