Mail transfer agent configuration for outgoing mails
Hello guys!
I need your help kinda urgently...
I'm going tomorrow to a customer's site and I need to block outgoing mails from the exchange server to the internet with content awareness.
I tried creating a rule saying that the exchange server is the source and the internet is the destination (drop rule for a certain data type) and the firewall just didn't catch the traffic that it was supposed to catch (we tried sending test mails from the internal exchange to a gmail email).
To my understanding, I need to enable mail transfer agent so that the firewall could open up the mail completely and analyze it.
Can anyone help with how to configure the above scenario?
Nadav,
first of all, I would prefer to ask such a question a little bit earlier.
MTA on gateway is only for incoming mail traffic, no configuration for outgoing to the internet possible.
Why don't you block service SMTP from the mailserver to the whole Internet or only some destination hosts?
Wolfgang
Nadav,
you can do this with "content awareness" and a rule catching SMTP traffic and, as inline layer, block some file types with content awareness.
But the problem is, if your connection is SMTPS (encrypted SMTP) you can't check anything inside the SMTP connection.
For these you need an MTA to intercept the connection. This can't be done with the normal MTA for outgoing mails.
Wolfgang
They have a PineApp server acting as a mail relay.
We have tried setting up a rule with the source internal exchange server, destination PineApp server (that's the traffic we're seeing in the logs) and service smtp, action drop and with the file types I want.
It still doesn't catch and drop the traffic. What do I need to enable to let the GW inspect the mail's content?
Nadav,
you have to enable "content awareness" on the gateway and on your policy layer.
Create a rule matching the traffic and in content awareness field add your file types to block.
That's all you need.
Please be sure that the SMTP traffic is really unencrypted. If you see in the logs something like "bypass" as action or "Encrypted session" in information field, your SMTP session is encrypted.
Wolfgang
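Added example, not part of the thread: a way to check from a reassembled packet capture whether the Exchange-to-relay SMTP session stays in cleartext up to `DATA` (the case a content rule on the gateway can inspect) or switches to TLS first. The function name, verdict strings and sample streams are constructed for illustration; the host names are placeholders.

```python
"""Classify a reassembled SMTP TCP stream: is the message body sent in
cleartext, or does the session become TLS before any content is sent?"""

def is_tls_record(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def classify_smtp_stream(segments):
    """segments: ordered (direction, payload) tuples, direction 'C' or 'S'.
    Returns (verdict, starttls_offered)."""
    offered = False    # server advertised STARTTLS in its EHLO reply
    requested = False  # client sent STARTTLS and awaits the server's answer
    for direction, payload in segments:
        if is_tls_record(payload):
            # TLS record with no completed STARTTLS upgrade: implicit TLS (SMTPS)
            return ("implicit-tls", offered)
        for raw in payload.split(b"\r\n"):
            line = raw.strip().upper()
            if not line:
                continue
            if direction == "S":
                # EHLO reply lines look like "250-STARTTLS" or "250 STARTTLS"
                if line[:3] == b"250" and line[4:] == b"STARTTLS":
                    offered = True
                elif requested and line.startswith(b"220"):
                    return ("starttls", offered)  # everything after this is TLS
                elif requested:
                    requested = False             # server refused the upgrade
            elif line == b"STARTTLS":
                requested = True
            elif line == b"DATA":
                return ("cleartext", offered)     # body follows unencrypted
    return ("unknown", offered)

# Constructed sample streams (not captured from any real host)
CLEAR = [("S", b"220 relay.example ESMTP\r\n"),
         ("C", b"EHLO exchange.example\r\n"),
         ("S", b"250-relay.example\r\n250-STARTTLS\r\n250 SIZE 10240000\r\n"),
         ("C", b"MAIL FROM:<a@example.com>\r\n"), ("S", b"250 OK\r\n"),
         ("C", b"RCPT TO:<b@example.net>\r\n"), ("S", b"250 OK\r\n"),
         ("C", b"DATA\r\n")]
UPGRADED = CLEAR[:3] + [("C", b"STARTTLS\r\n"),
                        ("S", b"220 Ready to start TLS\r\n"),
                        ("C", b"\x16\x03\x01\x02\x00\x01")]
REFUSED = CLEAR[:3] + [("C", b"STARTTLS\r\n"),
                       ("S", b"454 TLS not available\r\n")] + CLEAR[3:]
SMTPS = [("C", b"\x16\x03\x01\x02\x00\x01")]
```

A `("cleartext", True)` result means the body is readable today, but the relay advertises STARTTLS, so the session would stop being inspectable if the sending server started using it.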
How can I inspect the outgoing mails anyway? Even if the session is encrypted, is there a way I can inspect the body of the mail and files attached to the mail?
If you see bypass, the connection is encrypted.
I don't know a way to inspect an encrypted outgoing SMTP session on a CheckPoint gateway. If the session is encrypted it can't be inspected by any vendor. You need to send your messages without encryption going over your gateway or you have to choose another solution. Why don't need the PineApp solutions? I'm not familiar with that but it sounds like a system to block content of messages.
Wolfgang
