Mail Server Required Configuration

DLP rules have different action settings.

Action - Description

Detect - The data transmission event is logged in the Logs & Monitor view. Administrators with permission can view the data that was sent. The traffic is passed.

Inform User - The transmission is passed, but the incident is logged and the user is notified.

Ask User - The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision is logged and can be viewed under the User Response category in a log entry. Administrators with full permissions or the View, Release, or Discard DLP messages permission can send or discard the message.

Prevent - The data transmission is blocked.

Watermark - Tracks outgoing Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) by adding visible watermarks or invisible encrypted text.

When you set Data Owners to be notified, a mail server becomes a required component of the DLP system.

The DLP gateway sends mail notifications to users and Data Owners, so the gateway must be able to reach the mail server as an SMTP client.

Important -

Configuring the Mail Relay

You can use the Data Loss Prevention Wizard to configure the settings for the mail relay. Use these procedures to configure these settings without the Wizard.

To open the DLP tab in SmartDashboard:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Mail Server.

To configure the mail relay for anonymous SMTP connections:

  1. Click Send emails using this mail server.
  2. Select the mail server.

    If the mail server object does not exist, create it.

  3. Click OK.

To configure the mail server object for authenticated SMTP connections:

  1. Click Send emails using this mail server.
  2. Select a mail server from the list.
  3. If the mail server does not exist, create it.
  4. Click Mail Servers.
  5. Select the server from the list.
  6. Click Edit.

    The Mail Server window opens.

  7. Click Server Requires Authentication.
  8. Enter the authentication credentials: User Name and Password.

To complete configuring the Mail Relay:

  1. Click Save and then close SmartDashboard.
  2. From SmartConsole, Install Policy.
  3. On the mail server itself:

    Configure the mail relay to accept anonymous connections from the DLP gateway. For details, consult the vendor documentation. For example, on Microsoft Exchange Servers, configure the permissions of the default receive connector (or other relevant connector that handles SMTP traffic) for anonymous users.

Configuring a Dedicated DLP gateway and Relay on DMZ

To configure the DLP and mail relay in the DMZ:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Networks area, click Select specific networks and hosts and click Edit.

    The Networks and Hosts window opens.

  4. Click Add.
  5. If the Internal Mail Server is already defined as a Check Point network object, select it from the list.

    Otherwise, click New > Host.

  6. Enter the settings for the Internal Mail Server Host and then click OK.
  7. Click OK.
  8. Repeat steps to add other Internal Mail Servers.
  9. If users' email clients are configured to send directly to the mail relay in the DMZ over SMTP, add their networks.
  10. Select user networks from the list (or click New to define these networks) and then click OK.
  11. Click Save and then close SmartDashboard.
  12. From SmartConsole, Install Policy.

Recommended Deployment - DLP Gateway with Mail Relay

Item - Description

1 - Internal mail server

2 - DLP gateway

3 - Mail relay in the DMZ

Make sure that the DLP gateway does NOT scan emails as they pass from the mail relay to the target mail server in the Internet.

To deploy the internal mail relay behind a DMZ interface of the DLP gateway:

  1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. Make sure that mails from the internal mail server (e.g. Microsoft Exchange) (1) arrive at the gateway using an internal Gateway interface.
    1. From the navigation tree, click Network Management.
    2. Double-click the gateway interface that leads to the internal mail server.
    3. From the General page, click Modify.
    4. In the Leads To section, click Override > This Network (Internal) > Network defined by the interface IP and Net Mask.
    5. Click OK and close the interface window.
  3. Deploy the internal mail relay (2) behind a DMZ interface of the DLP gateway:

    In the Topology page of the DLP gateway object, define the gateway interface that leads to the Mail relay as Internal and also as Interface leads to DMZ.

  4. In the Networks section of the My Organization page:
    1. Select Anything behind the internal interfaces of my DLP gateways
    2. Do NOT select Anything behind interfaces which are marked as leading to the DMZ

To configure the internal mail relay that is not behind a DMZ interface of the DLP gateway:

Note - If the DLP gateway interface leading to the internal mail relay is internal, and you cannot deploy the internal mail relay behind a DMZ interface of the DLP gateway.

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Networks section, click Select specific networks and hosts.
  4. Click Edit.
  5. Select the networks that include the internal mail server, but do NOT include the relay server.
  6. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From SmartConsole, Install Policy.

Workarounds for a Non-Recommended Mail Relay Deployment

A non-recommended deployment is to have the DLP gateway scan emails as they are sent from an internal mail relay that is in My Organization to the target mail server in the Internet. In this deployment, the DLP gateway communicates with the target mail servers on behalf of the mail relay. If the target mail server does not respond, some mail relays (such as McAfee IronMail, Postfix 2.0 or earlier, and qmail) will not try the next DNS MX record, and so will not try to resend the email to another SMTP mail server in the same domain.

Item - Description

1 - Internal mail server

2 - Internal mail relay

3 - DLP gateway

Why Some Mail Relays Will Not Resend Emails

If the mail relay does not succeed in sending an email because the target mail server does not respond, the mail relay resends the email to another SMTP server in the same domain. The relay does this by sending the mail to the host in the next DNS MX record.

Most mail relays try the next MX record if the target is unreachable, or if the target server returns a 4xx SMTP error. However, other mail relays (such as McAfee IronMail, Postfix 2.0 or earlier, and qmail) do not try the next MX if the target server returns a 4xx error. They will therefore not send the email.

In the non-recommended deployment, the DLP gateway communicates with mail servers in the Internet on behalf of the mail relay. If the target mail server does not respond, the DLP gateway sends a 4xx response to the mail relay on behalf of the mail server. Therefore, if your mail relay does not try the next MX when the target server returns a 4xx error, the email will not be sent.
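The following is an added example, not Check Point code, that models the delivery behaviour described above so the failure case can be reproduced without a mail server. It walks a domain's MX list the way a relay does, with a switch for whether the relay moves on after a 4xx, and optionally places a model of the DLP gateway in the path that answers the relay with a 4xx when the target host does not respond. The MX records, host names, the target outcomes, and the specific 4xx code (421) are all constructed assumptions for the illustration.

```python
"""Model of SMTP delivery with DNS MX fallback, with and without a DLP
gateway proxying the relay's connections (added example, not vendor code).
Nothing is sent over the network; all inputs are constructed inline."""
from dataclasses import dataclass, field

# Constructed MX records for an example domain as (preference, host).
# Lower preference is tried first, so mx1 is attempted before mx2.
MX_RECORDS = [(20, "mx2.example.test"), (10, "mx1.example.test")]

# Constructed target behaviour: the preferred host never answers, the
# secondary host accepts the message ("250" = SMTP success).
TARGET_STATUS = {"mx1.example.test": "timeout", "mx2.example.test": "250"}


@dataclass
class Outcome:
    delivered: bool
    attempts: list = field(default_factory=list)  # (host, "timeout" or SMTP code)


def gateway_response(target_status: str) -> str:
    """Model of what the DLP gateway hands back to the relay for one host.

    The gateway opens the real connection itself. If the target does not
    respond, the relay sees a 4xx temporary failure from the gateway rather
    than a dead connection; otherwise the target's own code is passed through.
    The exact code (421) is an assumption of this model.
    """
    return "421" if target_status == "timeout" else target_status


def relay_send(mx_records, target_status, retry_on_4xx: bool, via_dlp_gateway: bool) -> Outcome:
    """Attempt delivery across the MX list in preference order.

    retry_on_4xx=True  models the common relay behaviour: move to the next MX
                       when a host is unreachable or returns a 4xx code.
    retry_on_4xx=False models relays that stop at a 4xx and only fall through
                       to the next MX when a host does not answer at all.
    """
    outcome = Outcome(delivered=False)
    for _pref, host in sorted(mx_records):
        status = target_status.get(host, "timeout")
        code = gateway_response(status) if via_dlp_gateway else status
        outcome.attempts.append((host, code))
        if code == "timeout":
            continue                      # no answer: every relay tries the next MX
        if code.startswith("2"):
            outcome.delivered = True      # accepted by this host
            return outcome
        if code.startswith("5"):
            return outcome                # permanent rejection: no further MX
        if code.startswith("4") and not retry_on_4xx:
            return outcome                # this relay gives up on a 4xx
        # 4xx with retry enabled: fall through to the next MX
    return outcome


def scenarios() -> dict:
    """Run the three cases the page contrasts and return their outcomes."""
    return {
        "direct": relay_send(MX_RECORDS, TARGET_STATUS, retry_on_4xx=False, via_dlp_gateway=False),
        "gateway_retrying_relay": relay_send(MX_RECORDS, TARGET_STATUS, retry_on_4xx=True, via_dlp_gateway=True),
        "gateway_non_retrying_relay": relay_send(MX_RECORDS, TARGET_STATUS, retry_on_4xx=False, via_dlp_gateway=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} delivered={result.delivered} attempts={result.attempts}")
```

With the relay connecting directly, the timeout on the preferred host is visible to it and it moves to the secondary host. With the DLP gateway in the path, the same timeout reaches the relay as a 4xx; a relay that retries on 4xx still delivers, while one that stops at a 4xx never tries the second MX, which is the case the text warns about.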

Workarounds for the Non-Recommended Deployments

Untrusted Mail Relays and Microsoft Outlook

If Outlook does not trust the mail relay server, it fails to correctly render the Send and Discard buttons in the violation notification email. The buttons render correctly only after the mail relay is trusted and a new email is sent.

To avoid this issue, instruct users to add the mail relay address to Outlook's safe senders list.

TLS-Encrypted SMTP Connections

TLS-encrypted SMTP connections are not scanned by the DLP Software Blade. If an Exchange Server uses TLS to encrypt emails, you can use the Exchange Security Agent to inspect them.