Technical Tip: AV scanning on SMTP traffic
Description
This article describes how to proceed when AV scanning does not appear to be performed on SMTP traffic.
Scope
FortiGate.
Solution
This condition is typically seen when deep inspection is not enabled on the firewall policy that carries the SMTP traffic.
Even though only port 25 is used (no SMTPS on tcp/465), the session can still be encrypted when the protected mail server supports STARTTLS: the client opens a plaintext SMTP session, the server advertises STARTTLS in its EHLO reply, and the connection is then upgraded to TLS in-band. From that point the FortiGate sees only ciphertext, so without a deep-inspection profile the message body and attachments are never handed to the AV engine and no AV log entry is produced.
The solution is to enable deep inspection (an SSL/SSH inspection profile) on the SMTP policy.
Whether the mail server supports STARTTLS can be verified with telnet; the 250-STARTTLS line in the EHLO reply is the indicator:
% telnet 10.98.2.90 25
Trying 10.98.2.90...
Connected to 10.98.2.90.
Escape character is '^]'.
220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:27:49 +0200
ehlo test
250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 104857600
250-DSN
250-AUTH LOGIN PLAIN
**250-STARTTLS**
250-DELIVERBY
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection
Diagram:
Client ==(port2) FortiGate (port3)== MailServer
GUI configuration:
SSL Inspection profile:
- Create SSL Inspection profile in Policy & Objects -> Policy -> SSL/SSH Inspection.

- Create an antivirus profile under Security Profiles -> Antivirus.

- Create firewall policy in Policy & Objects -> Policy -> IPv4.

CLI configuration:
The same can be configured via the CLI.
SSL Inspection profile (only SMTPS is left enabled; the SMTP proxy applies this profile to STARTTLS sessions on port 25 as well):
config firewall ssl-ssh-profile
edit "AV_SMNP"
config https
set ports 443
set status disable
end
config ftps
set ports 990
set status disable
end
config imaps
set ports 993
set status disable
end
config pop3s
set ports 995
set status disable
end
config smtps
set ports 465
set status deep-inspection
end
config ssh
set ports 22
set status disable
end
next
end
Antivirus profile:
config antivirus profile
edit "AV_SMNP"
set comment "Scan files and block viruses."
config http
set av-scan block
end
config ftp
set av-scan block
end
config imap
set av-scan block
set executables virus
end
config pop3
set av-scan block
set executables virus
end
config smtp
set av-scan block
set executables virus
end
next
end
Firewall policy (edit 0 creates the policy with the next free policy ID; adjust srcintf/dstintf to the topology, port2 to port3 in the diagram above; the AV profile name must match the antivirus profile created above):
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "SMTP"
set utm-status enable
set av-profile "AV_SMNP"
set profile-protocol-options "default"
set ssl-ssh-profile "AV_SMNP"
set nat enable
next
end
Verification of configuration and troubleshooting:
To verify that the policy is applied and that the check is done on SMTP over STARTTLS, use openssl s_client with the -starttls smtp option and look for the 'issuer' line in the output.
If deep inspection is active, the certificate presented to the client has been re-signed by the FortiGate, so the issuer shows the CA certificate configured in the SSL inspection profile (CN 'FortiGate CA' when the default 'Fortinet_CA_SSLProxy' is used). If the issuer is the mail server's own CA instead, the session is passing through uninspected.
Note the 'Verify return code: 19 (self signed certificate in certificate chain)' at the end of the output: the proxy CA is self-signed and not in the client's trust store. Any mail client or relaying MTA that validates server certificates will fail in the same way until the proxy CA is installed in its trust store, so plan for that before enabling deep inspection on production mail flows.
% openssl s_client -connect 10.98.2.90:25 -starttls smtp
<--output omitted-->
-----END CERTIFICATE-----
subject=/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab
**issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com **
---
No client certificate CA names sent
---
SSL handshake has read 2860 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: 76B58A6EB015C95570FC002BC4D14776A8FD276AAEF4438F3CA4F8246C75B390
Session-ID-ctx:
Master-Key: E24C9FB50263CA341852D413DF5B0D78BA67ABFE8A3DE100CCE5778317BC571332E6AACF0165
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429864243
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection
swaks can be used to confirm that the AV scan is actually performed: send a mail with the EICAR test file attached over STARTTLS (-tls) and check for the AV rejection at the end of DATA (-n suppresses printing of the message body):
% swaks --server 10.98.2.90 --from kb@internal.lab --to user@internal.lab -tls --attach ./eicar.com -n
=== Trying 10.98.2.90:25...
=== Connected to 10.98.2.90.
<- 220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:41:37 +0200
-> EHLO client.internal.lab
<- 250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 104857600
<- 250-DSN
<- 250-AUTH LOGIN PLAIN
<- 250-STARTTLS
<- 250-DELIVERBY
<- 250 HELP
-> STARTTLS
<- 220 2.0.0 Ready to start TLS
=== TLS started w/ cipher ECDHE-RSA-AES128-SHA
=== TLS peer subject DN="/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab"
~> EHLO client.internal.lab
<~ 250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<~ 250-ENHANCEDSTATUSCODES
<~ 250-PIPELINING
<~ 250-8BITMIME
<~ 250-SIZE 104857600
<~ 250-DSN
<~ 250-AUTH LOGIN PLAIN
<~ 250-DELIVERBY
<~ 250 HELP
~> MAIL FROM:<kb@internal.lab>
<~ 250 2.1.0 <kb@internal.lab>... Sender ok
~> RCPT TO:<user@internal.lab>
<~ 250 2.1.5 <user@internal.lab>... Recipient ok
~> DATA
<~ 354 Enter mail, end with "." on a line by itself
~> 25 lines sent
**<~* 554 5.7.1 Dangerous Attachment has been Removed. The file "eicar.com" has been removed because of a virus. It was infected with the "EICAR_TEST_FILE" virus. File quarantined as: "".""**
~> QUIT
If everything is configured correctly, a matching virus-detected entry for the EICAR file should also appear in the FortiGate's antivirus logs after the message is sent.
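The three manual checks above (telnet for the STARTTLS capability, openssl s_client for the issuer, swaks with the EICAR file) combined into one Python 3 script, as an added example that is not part of the original article or of FortiOS. It uses only the standard library. It assumes the FortiGate proxy CA (Fortinet_CA_SSLProxy) has been exported to a PEM file, here called fortigate_ca.pem; host names and addresses are the lab values used above.

```python
# Added example (not from the article or FortiOS): telnet/openssl/swaks checks
# in one script. Assumed: proxy CA exported to fortigate_ca.pem.
import re
import smtplib
import ssl
from email.message import EmailMessage

# Standard EICAR test string (harmless; detected as EICAR_TEST_FILE).
# Raw string because of the backslash; 68 characters.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

_EHLO_LINE = re.compile(r"(?:\d{3}[- ])?(\S+)(?:\s+(.*))?")


def parse_ehlo(reply: str) -> dict:
    """EHLO reply -> {KEYWORD: params}. Accepts the wire form seen in the
    telnet transcript ('250-STARTTLS', '250 HELP') and the code-stripped
    form smtplib returns. The first line is the greeting, not a capability."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = _EHLO_LINE.fullmatch(line.strip())
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def inspection_in_path(host, port, proxy_ca_pem, helo="client.internal.lab"):
    """EHLO, require STARTTLS, then upgrade to TLS trusting ONLY the exported
    FortiGate proxy CA. Handshake OK => the certificate handed to the client
    was re-signed by the FortiGate, i.e. deep inspection is active on this
    flow. Verification error => the real server certificate came through
    untouched: no inspection, so TLS mail is not AV-scanned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # proxy cert keeps the server subject
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=proxy_ca_pem)
    res = {"starttls": False, "inspected": False, "issuer": None, "error": None}
    smtp = smtplib.SMTP(host, port, local_hostname=helo, timeout=15)
    try:
        _code, msg = smtp.ehlo()
        if "STARTTLS" not in parse_ehlo(msg.decode("ascii", "replace")):
            return res                    # plaintext only: nothing to inspect
        res["starttls"] = True
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            res["error"] = exc.verify_message
            return res
        res["issuer"] = dict(rdn[0] for rdn in smtp.sock.getpeercert()["issuer"])
        res["inspected"] = True
        smtp.quit()
    finally:
        smtp.close()
    return res


def build_eicar_message(sender, rcpt) -> EmailMessage:
    """Equivalent of 'swaks --attach ./eicar.com': a text body plus the EICAR
    file as an application/octet-stream attachment named eicar.com."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "FortiGate SMTP AV test"
    msg.set_content("EICAR attachment; the gateway should block this message.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def classify_data_response(code, text) -> str:
    """Verdict from the end-of-DATA reply: the FortiGate AV proxy answers
    554 5.7.1 '... infected with the "EICAR_TEST_FILE" virus ...'; a plain
    250 means the attachment was accepted unscanned."""
    if code == 554 and "virus" in text.lower():
        return "blocked"
    return "accepted" if code == 250 else f"other ({code})"


def send_eicar(host, port, sender, rcpt, helo="client.internal.lab"):
    """Submit the EICAR mail over STARTTLS and return (code, text) of the
    DATA reply. Certificate checks are off here on purpose: the CA check is
    done by inspection_in_path(); this step only wants the AV verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                   # capabilities must be re-read after TLS
        try:
            smtp.send_message(build_eicar_message(sender, rcpt))
        except smtplib.SMTPDataError as exc:
            return exc.smtp_code, exc.smtp_error.decode("ascii", "replace")
    return 250, "accepted"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.98.2.90"
    print(inspection_in_path(host, 25, "fortigate_ca.pem"))
    print(classify_data_response(
        *send_eicar(host, 25, "kb@internal.lab", "user@internal.lab")))
```

Trusting only the proxy CA turns the openssl check into a yes/no answer: the handshake succeeds only when the FortiGate is re-signing the server certificate, and fails with a verification error when the real certificate reaches the client. Run it as `python3 smtp_av_check.py 10.98.2.90` from a host on the client side of the FortiGate; an "inspected": True result followed by "blocked" is the expected outcome of the article's setup.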

