Configuring the Security Gateway as a Mail Transfer Agent

You can configure the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. as a Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA. (MTA) to manage SMTP traffic.

When a Security Gateway scans SMTP traffic, sometimes the email client is not able to keep the connection open for the time that is necessary to handle the email. In such cases, there is a timeout for the email.

MTA prevents this problem. The MTA first accepts the email from the previous hop, does the necessary actions on the email, and then relays the email to the next hop.

The MTA scans SMTP/TLS encrypted traffic for the supported Software Blades.

Notes:

MTA is not supported in Autonomous Threat Prevention. To use MTA, enable Custom Threat Prevention in the Security Gateway / Cluster object.
MTA is supported on VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateways / VSX Clusters. The MTA configuration is the same for non-VSX Gateways / non-VSX Clusters.
You can configure MTA to only scan the emails and not forward them to the mail server (see Deploying MTA in Backward Compatibility Mode).

Enabling Mail Transfer Agent

Procedure

Step

Instructions

Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

From the left navigation panel, click Gateways & Servers.

Create one of these required objects, if such object does not exist yet (later, you select this object in the applicable MTA rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. as the Next Hop):

A Host object that represents the mail server.
A Domain object that represents the recipient domain.

This lets you use multiple mail servers based on a DNS name.

This DNS configuration allows load balancing and high-availability capabilities based on DNS configuration.

This configuration requires Security Gateways R80.20 and higher.

You can select only one object in each MTA rule.

Open the Security Gateway object.

From the navigation tree, click the General Properties page.

Enable the required Software Blades.

Mail Transfer Agent supports these Software Blades:

Threat Extraction (appears on the Threat Prevention (Custom) tab).
Threat Emulation (appears on the Threat Prevention (Custom) tab).
Anti-Spam and Mail Security (appears on the Network Security tab).

From the navigation tree, click the Mail Transfer Agent page.

Select Enable as a Mail Transfer Agent (MTA).

In the Mail Forwarding section, add one or more rules.

These rules configure the email traffic that the Security Gateway sends to the mail servers after it completed the scanning.

The Management Server automatically adds these MTA rules at the top of the Threat Prevention - Custom Policy.

In these rules:

The Name column contains "MTA traffic to Gateway <Name of Object>".
The Comment column contains "Automatic rule for MTA traffic".

Steps:

From the toolbar, click the applicable button to add a rule (above or below).
Right-click the Domain cell and select Edit.
Enter the domain FQDN for the SMTP traffic for this rule.

You can enter the wildcard * to accept all recipient domains.
Click OK.
Click the Next Hop cell and select the required Host / Domain object.
Optional: Right-click the Comment cell and select Edit > enter the description for this rule and click OK.

Optional: Select Add signature to scanned emails and enter the message to add to the end of the email body after the Security Gateway scans it successfully.

The SMTP/TLS section applies if the email server uses TLS inspection:

In Step 1, click Import.

The Import Outbound Certificate window opens.
Click Browse and select the required certificate file.
In the Private key password field, enter the password you configured for this certificate.
Click OK.
In Step 2, select Enable SMTP/TLS.

In the Implied Rule section, configure the implied rule.

By default, when you configure a Security Gateway as MTA, the Management Server automatically adds an implied rule at the top of the Access Control Policy.

This implied rule accepts traffic on the TCP port 25 that the network sends to the Security Gateway.

The default source in this implied rule is any IP address.

You can configure the source in this implied rule to allow traffic only from specific IP addresses.

To disable this implied rule, clear Create an implied rule at the top of the Access Control Policy.

Optional: In the Advanced Settings section, click Configure Settings.

In the Interfaces section, configure the interfaces on which the Security Gateway accepts the SMTP traffic:
- All interfaces - SMTP traffic from all the interfaces is sent for scanning.
- All external - SMTP traffic from the external interfaces is sent for scanning.
- Use specific - SMTP traffic from the list of specified interfaces is sent for scanning.
  
  To add an interface to the list, click the plus sign ( + ).
  
  To remove a selected interface from the list, click the minus sign ( - ).
In the Mail Settings section, configure the applicable email settings:
- Maximum delayed time - The maximum number of minutes that the MTA keeps emails.
- Maximum disk usage - Amount of free disk space that the MTA can use of storage (in percent or total number of megabytes).
- If limits are exceeded or in case of an error - Configure:
  
  What to do when the specified Mail Settings are exceeded:
  - Allow - The Security Gateway allows the SMTP traffic
  - Block - The Security Gateway blocks the SMTP traffic
  - None - The Security Gateway does not generate logs
  How to track it:
  - None - The Security Gateway does not generate logs
  - Log -The Security Gateway generates logs
  - Alert - The Security Gateway generates logs and sends the configured alert (see Menu > Global properties > )
In the Troubleshooting section, configure these settings:
- When mail is delayed for more than - Configure the maximum number of minutes that email is delayed in the MTA before the Security Gateway applies the configured track action.
- Track - configure on of these:
  - None - The Security Gateway does not generate logs
  - Log -The Security Gateway generates logs
  - Alert - The Security Gateway generates logs and sends the configured alert (see Menu > Global properties > )
Click OK to close the MTA Advanced Settings window.

Click OK to close the Security Gateway properties window.

Install the Access Control policy on the Security Gateway.

Install the Threat Prevention policy on the Security Gateway.

Change the network settings to send SMTP traffic from external networks to the Security Gateway.

Each organization has an MX record that points to the internal mail server, or a different MTA.

The MX record defines the next hop for SMTP traffic that is sent to the organization.

These procedures explain how to change the network settings to send SMTP to the Check Point MTA.

Important - If it is necessary to disable the MTA on the Security Gateway, change the SMTP settings or MX records first. Failure to do so can result in lost emails (see Disabling Mail Transfer Agent).

To configure an MTA for emails that are sent to the internal mail server:

Change the applicable DNS settings on the network servers.
Change the MX records, and configure the Security Gateway as the next hop.

To configure an MTA for emails that are sent to a different MTA:

Connect to the MTA that sends email to the internal mail server.
Change the SMTP settings and configure the Security Gateway as the next hop.

Disabling Mail Transfer Agent

Note - If the MTA queue is not empty, or if you disable the MTA first, it is possible to lose emails that are sent to the network.

Change the network settings to stop sending SMTP traffic from external networks to the Security Gateway.

Procedure

Step	Instructions
1	Change the MX records for the network, and configure the mail server as the next hop (instead of the Security Gateway).
2	Wait for 24 hours because your servers can save the MTA address in their cache.

Disable the MTA in the Security Gateway object.

Procedure

Step	Instructions
1	Connect with SmartConsole to the Management Server. From the left navigation panel, click Gateways & Servers.
2	Open the Security Gateway object.
3	From the navigation tree, click the Mail Transfer Agent page.
4	Clear Enable as a Mail Transfer Agent (MTA).
5	Click OK.
6	Install the Threat Prevention policy.

Deploying MTA in Backward Compatibility Mode

You can use the Check Point MTA to only monitor SMTP traffic - only scan the emails, but not to forward them to the mail server.

Note - Make sure that the mail relay on the network can send a copy of the emails to the Check Point MTA.

Procedure

Step	Instructions
1	Connect with SmartConsole to the Management Server. From the left navigation panel, click Gateways & Servers.
2	Create a new Host object with these settings: Name - Enter some name. For example: `No_Forward_MTA` IPv4 Address - Enter `0.0.0.0`
3	Open the Security Gateway object.
4	From the navigation tree, click the Mail Transfer Agent page.
5	Select Enable as a Mail Transfer Agent (MTA).
6	In the Mail Forwarding section, delete all current rules.
7	From the toolbar, click the applicable button to add a rule (above or below).
8	Right-click the Domain cell and select Edit. Enter the wildcard * to accept all recipient domains. Click OK.
9	Click the Next Hop cell and select the Host object you created earlier.
10	Optional: Right-click the Comment cell and select Edit > enter the description for this rule and click OK.
11	Click OK.
12	Install the Threat Prevention policy.

MTA Engine Updates

The Mail Transfer Agent Engine Update is an accumulation of new features and bug fixes to the MTA engine.

MTA updates are available for Security Gateways R80.20 and higher, and R80.10 with the R80.10 Jumbo Hotfix Accumulator Take 142 (and higher).

It is delivered in the form of a CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. package and can be installed and upgraded manually through the CPUSE .The cpstop/cpstart or reboot are not required.

The updates do not conflict with the regular Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators and can be installed independently.

For more information about the MTA engine updates, see sk123174.

To check the current version of Mail Transfer Agent Update, run this command in the Expert mode on the Security Gateway:

cat $FWDIR/conf/mta_ver

Monitoring MTA

There are three views for MTA monitoring in SmartView available for Security Gateways R80.20 and higher, and R80.10 with R80.10 Jumbo Hotfix Accumulator Take 142 (and higher).

Procedure

Step	Instructions
1	Connect with SmartConsole to the Management Server.
2	Make sure the required Software Blades are enabled on the Management Server / Log Server Dedicated Check Point server that runs Check Point software to store and process logs. object, to which the Security Gateways send their logs: From the left navigation panel, click Gateways & Servers. Open the Management Server / Log Server object. From the navigation tree, click the General Properties page. On the Management tab, select: Logging & Status Check Point Software Blade on a Management Server to view Security Logs from the managed Security Gateways. SmartEvent Server SmartEvent Correlation Unit Click OK. Click Menu > click Install database > select the servers > click Install.
3	Make sure the MTA Live Monitoring is enabled in the applicable Threat Prevention profiles: From the left navigation panel, click Security Policies. In the top middle panel, click Threat Prevention. In the bottom middle section Custom Policy Tools, click Profiles. Double-click the applicable profile. From the navigation tree, click the Mail section > General page. In the General section, select Enable MTA Live Monitoring. Click OK.
4	If the option Enable MTA Live Monitoring was cleared and you selected it in a profile, then install the Threat Prevention Policy.
5	From this point, you can monitor MTA in SmartConsole or SmartView: From the left navigation panel, click Logs & Monitor > Logs. At the top, click [+ ] to open a new tab. In the top section, click Views. In the top search field, enter: MTA Double-click the applicable MTA Monitoring view (see the details below): MTA Live Monitoring MTA Overview MTA Troubleshooting The views are based on logs that are updated with each email status change. You can customize the views, create new widgets, and export the views to Excel/PDF. For more information, see the R81.10 Logging and Monitoring Administration Guide.

View "MTA Live Monitoring"

This view shows the current status of the email traffic which passed through the MTA in these timelines:

Emails in Queue Timeline
Current Emails in Queue

These timelines shows the distribution of the emails in queue in a graph and a table.

If you right-click the Action column in the table, you can do these actions on the email:

Retry - Try to handle the email again.
Drop - Delete the email.
Bypass - Do not perform the security inspection and send the email to the next hop.

Additional widgets:

Current Emails in Queue
- Emails In Queue
- For More Than 1 Minute
- For More Than 3 Minutes
- Earliest Email in Queue Arrived
Emails Delivered
- Emails Delivered
Email Status
- Bounced - The MTA sent the Emails back to the sender.
- Deferred - A temporary failure occurred. The MTA will retry to perform the applicable action again.
- Dropped - The MTA did not transfer the emails to the next hop.
- Skipped - The MTA bypassed the emails. No performance was performed.

When you click a column in the diagram, a window opens with a list of the logs that the column is based on.

View "MTA Overview"

This view shows statistical data on the email traffic which passed through the MTA in these timelines:

Emails by Status Timeline
Email Content Timeline
Emails in Queue Timeline

You can use compare these timelines to identify trends in email traffic and analyze the root cause for all kinds of situations.

For example, if the emails in queue timeline shows many emails in the queue at a certain point in time, you can look at the other timelines to check the possible reasons for this.

If the content timeline shows many emails with links and attachments at the same point in time, this could explain it, because they take longer to scan.

Additional widgets:

Emails Additional Information
- Emails Delivered
- Unique Email Senders
- Unique Email Recipients
Emails Content
- Emails With Links
- Emails With Attachments