Some SMTP servers, such as Microsoft Exchange Server, force a connection from an SMTP client to be sent over TLS. The client can be another SMTP server or a mail client. Both are considered an SMTP client when sending an SMTP message.
Example of the SMTP negotiation over TLS:
Server: 220 smtp.example.com ESMTP SmtpService
Client: HELO mail.company.com
Server: 250 Hello mail.company.com
Server: 250 STARTTLS
Client & Server: <Start a TLS session>
Client over TLS: EHLO mail.company.com
Server over TLS: 250 Hello mail.company.com
Client over TLS: MAIL FROM:<firstname.lastname@example.org>
Server over TLS: 250 Ok
Client over TLS: RCPT TO:<email@example.com>
Server over TLS: 250 Ok
When the connection is sent over TLS, it is encrypted and the Security Gateway cannot inspect the encrypted traffic, unless MTA is implemented.
The Mail Transfer Agent allows the Security Gateway to intercept the encrypted connection between the SMTP client and the SMTP server and inspect the connection.
Scenario 2: Timeout for SMTP Traffic inspected by Threat Emulation
It is possible that during file emulation, the email server cannot keep the connection open for the time needed for full emulation.
When this happens, there is a timeout for the email. A Threat Emulation deployment with an MTA avoids this problem. The MTA completes and closes the connection with the source SMTP client and then sends the file for emulation. After the emulation is completed, the MTA sends the email to the mail server in the internal network.
When an SMTP client searches for the mail recipient's server address, the SMTP client sends a DNS query for an MX (Mail eXchanger) record. The query is sent to a DNS server when trying to resolve the domain name that appears after the "@" sign in an email address (for example, the example.com in firstname.lastname@example.org).
The MX record on DNS server contains the SMTP server address in a domain name format (for example., smtp.example.com). The record appears as follows: example.com MX preference = 10, mail exchanger = smtp.example.com
When the Mail Transfer Agent (MTA) is enabled on Security Gateway, the MX record is changed to the external IP address of te Security Gateway. This way, when an SMTP message is sent, the MX query is resolved to the IP address of the Security Gateway, and the message is received by the Security Gateway.
When MTA is enabled, a Postfix service is enabled on the Security Gateway. The Postfix server on the Security Gateway enforces the TLS negotiation instead of the SMTP server and receives the message before the SMTP server. This allows the Security Gateway to inspect the message by the relevant Software Blades.
After inspecting the message, the MTA either forwards the message to the next-hop SMTP server, drops the message if it is malicious, or extracts the malicious file. This depends on to the configuration of the Software Blades.
Configure on the DNS server an MX record that points to the external IP Address of the Security Gateway.
In SmartDashboard, open the Security Gateway or Cluster object.
Enable either the Threat Emulation blade, or Anti-Spam & Email Security.
Go to Mail Transfer Agent and select Enable as a Mail Transfer Agent (MTA).
In the Mail Forwarding section, add one or more rules:
Click the relevant button on the toolbar
Right-click the Domain cell and select Edit.
Enter the domain for the SMTP traffic for this rule. The default setting is to use the wildcard (*) to send all traffic. To prevent spam, we recommend adding the managed domain name instead of keeping the default * .
Click the Next Hop cell and select the node object that represents the mail server for this rule.
Optional: Check the boxSign scanned emailsand enter the message to add at the bottom of inspected emails.
If the mail server uses TLS inspection, follow these steps to configure the MTA to support it:
Refer to the SMTP/TLS section.
In Step 1, click Import certificate for SMTP/TLS link.
The Import Outbound Certificate window opens.
Click Browse and select the certificate file.
Enter the Private Key password for the certificate.
In Step 2, check the box Enable SMTP/TLS.
Optional: In the Advanced Settings section, click Configure Settings and configure the MTA interface and email settings.
Install the policy on Security Gateway or Cluster.