Description
Solution
This article describes how to proceed when AV scanning seems to not be performed on SMTP traffic.
Solution
This condition may be seen when deep-inspection is not enabled on the SMTP policy.
Even though only port 25 is being used for the traffic (no SMTPS on tcp/465) the traffic still can be encrypted (and hence needs the deep inspection profile) when protected server supports STARTTLS.
The solution is to enable Deep Inspection on SMTP traffic.
Whether mail server supports STARTTLS can be verified by telnet:
Diagram
Configuration GUI
1) Create SSL Inspection profile in Policy & Objects > Policy > SSL/SSH Inspection.
2) Create AV profile in Security Profiles > AntiVirus.
3) Create firewall policy in Policy & Objects > Policy > IPv4.
Configuration CLI
The same can be configured via CLI.
SSL Inspection profile
AV profile
Firewall Policy
Verification of Configuration and troubleshooting
To verify that the policy is configured correctly and that the check is done on SMTP over TLS traffic, the OpenSSL tool can be used (https://www.openssl.org/).
Run the command as follows, and check in the output for "issuer".
If the policy is configured correctly the CN will show CN name of the CA certificate used in SSL Inspection profile (it is "FortiGate CA" in case of the default "Fortinet_CA_SSLProxy".)
'swaks' (http://www.jetmore.org/john/code/swaks/) can be used to confirm that the AV scan will be performed to send the mail and Eicar test file (http://www.eicar.org/85-0-Download.html) to trigger the AV alert.
Even though only port 25 is being used for the traffic (no SMTPS on tcp/465) the traffic still can be encrypted (and hence needs the deep inspection profile) when protected server supports STARTTLS.
The solution is to enable Deep Inspection on SMTP traffic.
Whether mail server supports STARTTLS can be verified by telnet:
% telnet 10.98.2.90 25
Trying 10.98.2.90...
Connected to 10.98.2.90.
Escape character is '^]'.
220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:27:49 +0200
ehlo test
250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 104857600
250-DSN
250-AUTH LOGIN PLAIN
**250-STARTTLS**
250-DELIVERBY
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection
Diagram
Client ==(port2) FortiGate (port3)== MailServer
Configuration GUI
1) Create SSL Inspection profile in Policy & Objects > Policy > SSL/SSH Inspection.
2) Create AV profile in Security Profiles > AntiVirus.
3) Create firewall policy in Policy & Objects > Policy > IPv4.
Configuration CLI
The same can be configured via CLI.
SSL Inspection profile
config firewall ssl-ssh-profile
edit "smtp-inspection"
config https
set ports 443
set status disable
end
config ftps
set ports 990
set status disable
end
config imaps
set ports 993
set status disable
end
config pop3s
set ports 995
set status disable
end
config smtps
set ports 465
end
config ssh
set ports 22
set status disable
end
next
end
AV profile
config antivirus profile
edit "AV-SMTP"
set inspection-mode proxy
config smtp
set options scan
end
next
end
Firewall Policy
config firewall policy
edit 1
set srcintf "port2"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "SMTP"
set utm-status enable
set av-profile "AV-SMTP"
set profile-protocol-options "default"
set ssl-ssh-profile "smtp-inspection"
set nat enable
next
end
Verification of Configuration and troubleshooting
To verify that the policy is configured correctly and that the check is done on SMTP over TLS traffic, the OpenSSL tool can be used (https://www.openssl.org/).
Run the command as follows, and check in the output for "issuer".
If the policy is configured correctly the CN will show CN name of the CA certificate used in SSL Inspection profile (it is "FortiGate CA" in case of the default "Fortinet_CA_SSLProxy".)
% openssl s_client -connect 10.98.2.90:25 -starttls smtp
<--output omitted-->
-----END CERTIFICATE-----
subject=/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab
**issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FortiGate CA/emailAddress=support@fortinet.com **
---
No client certificate CA names sent
---
SSL handshake has read 2860 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: 76B58A6EB015C95570FC002BC4D14776A8FD276AAEF4438F3CA4F8246C75B390
Session-ID-ctx:
Master-Key: E24C9FB50263CA341852D413DF5B0D78BA67ABFE8A3DE100CCE5778317BC571332E6AACF0165
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429864243
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
quit
221 2.0.0 gateway.internal.lab closing connection
'swaks' (http://www.jetmore.org/john/code/swaks/) can be used to confirm that the AV scan will be performed to send the mail and Eicar test file (http://www.eicar.org/85-0-Download.html) to trigger the AV alert.
% swaks --server 10.98.2.90 --from kb@internal.lab --to user@internal.lab -tls --attach ./eicar.com -nIf everything is configured correctly, after the Eicar file is sent, similar messages should be seen in the FortiGate's logs.
=== Trying 10.98.2.90:25...
=== Connected to 10.98.2.90.
<- 220 gateway.internal.lab ESMTP Smtpd; Fri, 24 Apr 2015 10:41:37 +0200
-> EHLO client.internal.lab
<- 250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE 104857600
<- 250-DSN
<- 250-AUTH LOGIN PLAIN
<- 250-STARTTLS
<- 250-DELIVERBY
<- 250 HELP
-> STARTTLS
<- 220 2.0.0 Ready to start TLS
=== TLS started w/ cipher ECDHE-RSA-AES128-SHA
=== TLS peer subject DN="/C=CZ/ST=Czech Republic/L=Prague/O=Internal Lab CA/CN=gateway.internal.lab/emailAddress=ca@internal.lab"
~> EHLO client.internal.lab
<~ 250-gateway.internal.lab Hello [10.98.0.97], pleased to meet you
<~ 250-ENHANCEDSTATUSCODES
<~ 250-PIPELINING
<~ 250-8BITMIME
<~ 250-SIZE 104857600
<~ 250-DSN
<~ 250-AUTH LOGIN PLAIN
<~ 250-DELIVERBY
<~ 250 HELP
~> MAIL FROM:<kb@internal.lab>
<~ 250 2.1.0 <kb@internal.lab>... Sender ok
~> RCPT TO:<user@internal.lab>
<~ 250 2.1.5 <user@internal.lab>... Recipient ok
~> DATA
<~ 354 Enter mail, end with "." on a line by itself
~> 25 lines sent
**<~* 554 5.7.1 Dangerous Attachment has been Removed. The file "eicar.com" has been removed because of a virus. It was infected with the "EICAR_TEST_FILE" virus. File quarantined as: "".""**
~> QUIT
