Some SMTP servers, such as Microsoft Exchange Server, can require that a connection from an SMTP client be sent over TLS. The client can be another SMTP server or a mail client - both are considered SMTP clients when sending an SMTP message.
Example of the SMTP negotiation over TLS:
Server: 220 smtp.example.com ESMTP SmtpService
Client: HELO mail.company.com
Server: 250 Hello mail.company.com
Server: 250 STARTTLS
Client & Server: <Start a TLS session>
Client over TLS: EHLO mail.company.com
Server over TLS: 250 Hello mail.company.com
Client over TLS: MAIL FROM:<firstname.lastname@example.org>
Server over TLS: 250 Ok
Client over TLS: RCPT TO:<email@example.com>
Server over TLS: 250 Ok
When the connection is sent over TLS, it is encrypted and the Security Gateway cannot inspect the encrypted traffic, unless MTA is implemented.
The Mail Transfer Agent feature enables the Security Gateway to intercept the encrypted connection between the SMTP client and the SMTP server and to inspect that connection.
Scenario 2: Timeout for SMTP Traffic inspected by Threat Emulation
It is possible that during file emulation, the e-mail server cannot keep the connection open for the time that is necessary for full emulation.
When this happens, there is a timeout for the e-mail. A Threat Emulation (available since R77) deployment with an MTA avoids this problem - the MTA completes and closes the connection with the source SMTP client and then sends the file for emulation. After the emulation is completed, the MTA sends the email to the mail server in the internal network.
When an SMTP client searches for the mail recipient's server address, it sends a DNS query for an MX (Mail eXchanger) record. The query is sent to a DNS server to resolve the domain name that appears after the "@" sign in an email address (e.g., the example.com in firstname.lastname@example.org).
The MX record on the DNS server contains the SMTP server address in domain name format (e.g., smtp.example.com). The record should appear as follows:
example.com MX preference = 10, mail exchanger = smtp.example.com
When the Mail Transfer Agent (MTA) feature is enabled on Security Gateway, the MX record should be changed to the Security Gateway's External IP address. This way, when an SMTP message is sent, the MX query will be resolved to the Security Gateway's IP address, and the message will be received by the Security Gateway.
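The following check is an added example, not part of the original article or of any Check Point tooling: it parses MX lines in the format shown above and reports any mail exchanger that does not point at the gateway, since such a record lets senders deliver straight to the mail server without MTA inspection. The hostname mta-gw.example.com and the sample output are constructed, and the list of names that resolve to the Security Gateway's external IP is an assumption supplied by the operator.

```python
import re

# Matches MX lines in the format shown on this page, e.g.
#   example.com MX preference = 10, mail exchanger = smtp.example.com
MX_LINE = re.compile(
    r"^\s*(?P<domain>\S+)\s+MX preference\s*=\s*(?P<pref>\d+),\s*"
    r"mail exchanger\s*=\s*(?P<host>\S+)\s*$",
    re.IGNORECASE,
)

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_mx(text, domain):
    """Return [(preference, host)] for `domain`, lowest preference first."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line)
        if m and _norm(m["domain"]) == _norm(domain):
            records.append((int(m["pref"]), _norm(m["host"])))
    return sorted(records)

def audit_mx(text, domain, gateway_names):
    """Check that every MX record for `domain` lands on the MTA gateway.

    gateway_names: hostnames that resolve to the Security Gateway's
    external IP (assumption: provided by the operator).
    """
    allowed = {_norm(n) for n in gateway_names}
    records = parse_mx(text, domain)
    # Any exchanger outside the allowed set is a delivery path that
    # skips the gateway, whatever its preference value.
    bypass = [(p, h) for p, h in records if h not in allowed]
    return {
        "primary": records[0][1] if records else None,
        "bypass": bypass,
        "ok": bool(records) and not bypass,
    }

# Constructed sample: the old mail server was left as a backup MX.
SAMPLE = """\
example.com MX preference = 10, mail exchanger = mta-gw.example.com
example.com MX preference = 20, mail exchanger = smtp.example.com
"""

if __name__ == "__main__":
    print(audit_mx(SAMPLE, "example.com", ["mta-gw.example.com"]))
```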
When MTA is enabled, a Postfix service is enabled on the Security Gateway. The Postfix server on the Security Gateway enforces the TLS negotiation instead of the SMTP server and receives the message before the SMTP server. This allows the relevant Software Blades on the Security Gateway to inspect the message.
After inspecting the message, the MTA either forwards the message to the next-hop SMTP server, drops the message if it is malicious, or extracts the malicious file - according to the Software Blades configuration.
Configure on the DNS server an MX record that points to the Security Gateway's External IP Address.
In SmartDashboard, open the Security Gateway / Cluster object.
Enable either Threat Emulation blade (available since R77), or Anti-Spam & Email Security blade.
Go to the Mail Transfer Agent pane - check the box Enable as a Mail Transfer Agent (MTA).
In the Mail Forwarding section, add one or more rules:
Click on the relevant button on the toolbar
Right-click in the Domain cell - select Edit...
Enter the domain for the SMTP traffic for this rule. The default setting is to use the wildcard (*) to send all traffic, but it is recommended to add the managed domain name instead of keeping the default *, to prevent spam traffic.
Click in the Next Hop cell - select the node object that represents the mail server for this rule.
Optional: Check the box Sign scanned emails - enter the message to add at the bottom of inspected e-mails.
If the mail server uses TLS inspection, follow these steps to configure the MTA to support it:
Refer to the SMTP/TLS section.
In Step 1, click on Import certificate for SMTP/TLS link.
The Import Outbound Certificate window opens.
Click Browse - select the certificate file.
Enter the Private Key password for the certificate.
In Step 2, check the box Enable SMTP/TLS.
Optional: In the Advanced Settings section, click on the Configure Settings... button - configure the MTA interface and e-mail settings.