SMTP
Copyright © www.ine.com
SMTP Overview
Text-based standard (RFC 5321) for electronic mail communication
Client-Server architecture
Server
TCP port 25
Client
Mail User Agent (MUA) or Mail Transfer Agent (MTA)
Command-Response model
SMTP Conversation/Transaction is initiated by a client
Sends commands & data
Server replies with a Code & text
Never used to "pull" emails (mailbox retrieval is done with POP3/IMAP)
Email Structure
An email consists of two main portions
Envelope
Used for email delivery
Data
Header
Body/Message
Common Header Fields
From, Date
Mandatory
To, Subject, CC
Email Delivery
Emails are delivered based on the destination domain
E.g. [email protected] -> cisco.com
The process heavily relies on DNS
A domain should be configured with at least one "MX" record
Priority + FQDN
Multiple entries can exist for redundancy and/or load balancing
Lower number -> higher priority
The domain's "A" record acts as a fallback (implicit MX) only when no MX record exists
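The delivery-target selection described on this slide, as an added example (not part of the INE deck): MX records sorted by priority with equal priorities shuffled, the A record used as implicit MX only when no MX exists, and the null-MX case of RFC 7505 where the domain refuses mail outright. The zone data and addresses are constructed, not real lookups.

```python
# Added example (not from the INE deck): selecting delivery targets for a
# destination domain as RFC 5321 section 5.1 describes, plus the null-MX
# convention of RFC 7505. All DNS data below is constructed.
import random
from typing import Dict, List, Optional, Tuple

MxRecord = Tuple[int, str]   # (priority, FQDN); lower number = higher priority

# Constructed zone data: domain -> (MX records, A record or None). Not real lookups.
ZONE: Dict[str, Tuple[List[MxRecord], Optional[str]]] = {
    "example.com": ([(10, "mx1.example.com"), (10, "mx2.example.com"),
                     (20, "backup.example.com")], "192.0.2.1"),
    "nomx.example": ([], "192.0.2.2"),            # no MX at all
    "nullmx.example": ([(0, ".")], "192.0.2.3"),   # null MX: domain accepts no mail
    "dead.example": ([], None),                    # neither MX nor A
}


def delivery_targets(domain: str, rng: Optional[random.Random] = None) -> List[str]:
    """Return the mail hosts an MTA should try for `domain`, in order."""
    rng = rng or random.Random(0)
    mx, a_record = ZONE.get(domain, ([], None))
    if not mx:
        # No MX record: the domain's own A record acts as an implicit MX (priority 0).
        return [domain] if a_record else []
    if len(mx) == 1 and mx[0] == (0, "."):
        # Null MX (RFC 7505): the domain explicitly refuses mail; do NOT fall back to A.
        return []
    ordered: List[str] = []
    for prio in sorted({p for p, _ in mx}):
        hosts = [h for p, h in mx if p == prio]
        rng.shuffle(hosts)      # equal priority: spread load by random order
        ordered.extend(hosts)   # higher-numbered (backup) hosts come last
    return ordered
```

The null-MX branch is the check worth remembering: a sending MTA that falls back to the A record for a domain publishing `0 .` will keep trying a host that was never meant to receive mail.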
SMTP Commands
SMTP Commands are documented in RFC 5321
HELO/EHLO
Client greeting
MAIL FROM
Envelope Sender address
RCPT TO
Envelope Recipient address
DATA
Beginning of Headers & Body
STARTTLS
Upgrade the existing session to TLS (the client must send EHLO again afterwards)
QUIT
End the session
SMTP Response Codes
Represented in a 3-digit format (xyz)
2yz -> positive completion (success)
3yz -> positive intermediate (success so far, more input expected)
4yz -> transient negative (temporary error, retry later)
5yz -> permanent negative (fatal error, do not retry)
Common Response Codes
250 (command accepted)
354 (OK but waiting for more data)
421 (temporary rejection at the connection level)
452 (temporary rejection at the recipient level)
550 (fatal error, e.g. recipient does not exist)
SMTP Conversation Example
220 esa.example.com ESMTP
HELO sdomain.com
250 esa.example.com
MAIL FROM: <[email protected]>
250 sender <[email protected]> ok
RCPT TO: <[email protected]>
250 recipient <[email protected]> ok
DATA
354 go ahead
Subject: Example Message

Text of an example message.
.
250 ok: Message xxxx accepted
QUIT
221 esa.example.com
Introduction to Cisco ESA
Cisco ESA Overview
Advanced email filtering solution
Protection, security & control
Key Features
Email traffic & content control
Malware protection
Data Loss Prevention
Authentication & Encryption
ESA Platforms
Physical
C1xx (SMB), C3xx (Medium Office) & C6xx (Large Enterprise)
Disk Space, CPU & RAM
Virtual
ESXi & UCS
C000v, C100v, C300v & C600v
ESA Interfaces & Deployment
ESA includes two or more ports labeled as "Data"
Support data & management traffic
Additional "Management" port is available on most platforms (M1)
Functionally the same as the Data ports; commonly reserved for management traffic
ESA is commonly deployed behind a firewall
Internet Edge
DMZ
Requires appropriate firewall rules
ESA CLI
ESA Initialization
Basic ESA setup is performed using Setup Wizard
First-time login (GUI) or systemsetup (CLI)
Physical appliances are preconfigured with a default IP 192.168.42.42 (/24)
ESA listens on TCP port 80 (HTTP) and 443 (HTTPS)
Management-related settings can be easily changed with the CLI
SSH
Console
ESA CLI
ESA runs on AsyncOS
AsyncOS CLI is partially similar to the IOS equivalent
Command completion (Tab), process termination (CTRL+C), etc.
Many commands use the “Interactive Mode”
Configuration changes must be approved (commit) to take effect
Useful CLI Commands
Basic Setup
etherconfig
L1/L2 interface settings – duplex, speed, VLANs & more
interfaceconfig
L3 interface settings – IP address, mask, etc.
routeconfig
Static IP routes
To add a default route use setgateway instead
ntpconfig
NTP Server(s)
Useful CLI Commands
DNS
dnsconfig
DNS Server(s)
dnsflush
Clear cache
nslookup, dig
Testing
nslookup cisco.com
dig @1.2.3.4 cisco.com
Useful CLI Commands
Verification & Troubleshooting
ping, traceroute, telnet
Basic connectivity
tail
ESA logs
packetcapture
Packet capture (tcpdump-style)
mailconfig
Test email
Useful CLI Commands
Verification & Troubleshooting
status [detail]
RAM/CPU/Disk utilization, uptime, licensing
Counters (soft/hard bounces, rejected recipients, etc.)
hoststatus
Monitoring information for a specific recipient host
topin
Large volume senders
trace
Test message emulation
diagnostic -> network -> smtpping
Remote SMTP server testing
The Listener
ESA Listener
SMTP daemon required to process email traffic
Controls connection setup & major ESA features
Host Access Table (HAT), Recipient Access Table (RAT)
The number of Listeners depends on the organization
One may not be enough (management, bandwidth)
Public & Private Listeners can be used at the same time
Typically each bound to a separate ESA interface
Blackhole Listener can be created for troubleshooting
ESA Workflow
Email Workflow
ESA processes emails in three phases
Receipt
Work Queue
Delivery
Email Pipeline
ESA Operations
ESA Basic Session Processing
ESA starts flow processing at the TCP level
Double DNS lookup
Reverse (connecting IP address) & Forward (returned FQDN)
If any lookup fails or results don’t match, Sender is deemed unverified
SenderBase Reputation Score (SBRS) lookup
Sender's IP is checked against SenderBase
The SBRS, IP & FQDN (optional) information is then used by HAT
Host Access Table (HAT) Overview
A set of rules controlling email Senders
Who can connect & how
Rules consist of Sender Groups (conditions) & Mail Flow Policies (results)
Top-down first-match processing
Sender Group conditions are processed as logical OR
The Default Rule allows everyone (ALL) to connect (ACCEPTED)
HAT Components
Sender Group
SBRS
IP address, IP range
FQDN, domain
Only if the Sender is verified (double DNS lookup match)
Unverified Senders
Mail Flow Policy
Controls SMTP conversation
Message & recipient limits, SPAM & virus protection, encryption & more
Classifies messages as incoming or outgoing
HAT Components
Mail Flow Policy Actions
Continue
Sender Group match is ignored & HAT evaluation continues with the next group
Accept
Connection is accepted & treated as incoming
Email acceptance is limited according to RAT
Relay
Connection is accepted & treated as outgoing
RAT is not used
TCP Refuse
Connection is refused at the TCP level (no SMTP banner is sent)
Reject
Connection is accepted, but the Sender gets a rejecting greeting & no email is accepted
Recipient Access Table (RAT)
Overview
Destination-based email filtering mechanism
Emails can be accepted or rejected based on the recipient address (RCPT TO)
Messages sent to invalid recipients are neither processed nor forwarded
Saves resources, no bounce messages
Stops ESA from acting as an Open Relay
RAT checks don’t apply to Private Listeners
RAT Components
RAT supports a few types of entries
Domain or partial domain
E.g. domain.com or .domain.com
User
E.g. [email protected] or user@
IP address
LDAP lookups may be enabled for additional verification
The Default RAT Rule rejects all emails
Most/all custom rules will be configured with “Accept”
Top-down first-match processing
Further Processing
ESA’s authentication and/or encryption services are optional
Successful HAT & RAT check normally allows Senders to continue with DATA
Message Filters
Message Filters Overview
Powerful filtering engine used for advanced email handling
Dropping, bouncing, archiving, altering & more
Executed before Security Policies
Apply to the entire mail flow
Message Filters can only be configured from the CLI
filters
Strict, programming-language-like syntax
Draft the filter in a text editor, then paste it into the CLI
Fall back to the GUI (Content Filters) if in trouble
Message Filter Structure
A Message Filter consists of three components
Name
Ends with “:”
Rule(s)
If ( condition1 AND/OR condition2 … ) { action }
“else” is optional
Action(s)
Final
drop(); bounce(); encrypt(); & skip-filters();
Non-final
notify(); bcc(); log(); drop-attachments-by-name(); & more
Copyright © www.ine.com
Message Filter Examples
Example #1
SPM:
if ((subject == "^SPAM.*") AND (rcpt-to == "[email protected]")) {
    notify("[email protected]");
    drop();
}
Message Filter Examples
Example #2
DSPOOF:
if (mail-from == "ndtrainings\.com$") {
    drop();
}
else {
    no-op();
}
ESA Policies Overview
ESA Policies Overview
Used to satisfy different security needs of users and/or groups
Configuration Steps
Policy Engine activation
Mail Policy definition
Incoming
Messages handled by HAT “ACCEPT” policy
Outgoing
Messages handled by HAT “RELAY” policy
Policy settings configuration
Policy Engines
Mail Policies
Evaluated based on message address(es)
Sender
Envelope Sender (MAIL FROM)
Message Header (“From:”, “Reply-To:”)
Recipient
Envelope Recipient (RCPT TO)
Final address only (i.e. after all previous processing)
Messages sent to more than one recipient may be Splintered
Occurs if all recipients don’t match the same Policy
The Policy Table is evaluated from the top to the bottom
Implementing ESA Policies
Anti-SPAM & Anti-Virus
Anti-SPAM
ESA uses a special scoring system to detect unwanted messages
Relies on SenderBase & 100,000+ message attributes
Who, what, how, where, etc.
Score & thresholds classify a message as legitimate, suspected SPAM or positive SPAM
Configuration
Engine activation
Security Services -> IronPort Anti-Spam
Settings & actions
Mail Policies
Graymail
Graymail refers to email traffic users signed up for
Newsletters, mailing list subscriptions, social media notifications, etc.
Graymail can not only be filtered, but also securely "turned off" (unsubscribed on the user's behalf)
Unsubscribe Service
Requires Anti-SPAM to be enabled
Configuration
Engine activation
Security Services -> Detection and Safe Unsubscribe
Policy actions
Mail Policies
Anti-Virus
ESA includes two local AV scanning engines: Sophos & McAfee
Multi-layer scans are possible
First McAfee, then Sophos
Configuration
Engine activation
Security Services -> McAfee
Security Services -> Sophos
Scanning actions
Mail Policies
Content Filters
Content Filters Overview
Advanced scanning of incoming and/or outgoing messages
Filtering, alteration, encryption, notifications & more
Similar to Message Filters with a few exceptions
GUI support
Mail Policies -> Incoming Content Filters
Mail Policies -> Outgoing Content Filters
Processed after Anti-SPAM/Virus, AMP & Graymail but before OF & DLP
Content Filters
Configuration Steps
Supporting Features (optional)
Filter Condition(s) (optional)
Otherwise affects all messages matching the associated Mail Policy
Filter Action(s)
Non-final
BCC, Quarantine, Strip Attachment & more
Final
Drop, Bounce, Skip, Encrypt & S/MIME Sign/Encrypt
Action Variables (optional)
Outbreak Filters
Outbreak Filters (OF)
Responsible for real-time detection of new emerging threats
Viral
Never-before-seen virus attachments
Non-viral
Messages with links to external malware/phishing/scam websites
Don’t impose any final action on the message
Delay
Outbreak Quarantine
Redirect
Cloud-based Proxy
Modify
Outbreak Filters Operations
Outbreak Filters are composed of two types of rules
Outbreak
Global data
Frequent updates (“real time”)
Adaptive
Signature-based local scanning
Messages are scanned against OF rules by the Context Adaptive Scanning Engine (CASE)
Message score is mapped to a Threat Level
0 (no risk) through 5 (extreme risk)
Used to determine an action based on configured Policy thresholds
Outbreak Filters Configuration
Pre-requisites
Anti-SPAM
Non-viral threats
Anti-Virus (optional)
Configuration
Engine activation
Security Services -> Outbreak Filters
Settings & tuning
Mail Policies
Other ESA Features
ESA Policies Overview
Identification Profiles are used for transaction classification
Group client requests based on common criteria to simplify the Access Policy
Subnet, Protocol, Port, User Agent & URL Category
Control authentication requirements
Visibility