Configuring the Security Gateway as a Mail Transfer Agent
You can configure the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. as a Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA. (MTA) to manage SMTP traffic.
When a Security Gateway scans SMTP traffic, sometimes the email client is not able to keep the connection open for the time that is necessary to handle the email. In such cases, there is a timeout for the email.
MTA prevents this problem. The MTA first accepts the email from the previous hop, does the necessary actions on the email, and then relays the email to the next hop.
The MTA scans SMTP/TLS encrypted traffic for the supported Software Blades.
|
Notes:
|
Enabling Mail Transfer Agent
Step |
Instructions |
||
---|---|---|---|
1 |
Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server.. From the left navigation panel, click Gateways & Servers. |
||
2 |
Create one of these required objects, if such object does not exist yet (later, you select this object in the applicable MTA rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. as the Next Hop):
You can select only one object in each MTA rule. |
||
3 |
Open the Security Gateway object. |
||
4 |
From the navigation tree, click the General Properties page. |
||
5 |
Enable the required Software Blades. Mail Transfer Agent supports these Software Blades:
|
||
6 |
From the navigation tree, click the Mail Transfer Agent page. |
||
7 |
Select Enable as a Mail Transfer Agent (MTA). |
||
8 |
In the Mail Forwarding section, add one or more rules. These rules configure the email traffic that the Security Gateway sends to the mail servers after it completed the scanning. The Management Server automatically adds these MTA rules at the top of the Threat Prevention - Custom Policy. In these rules:
Steps:
|
||
9 |
Optional: Select Add signature to scanned emails and enter the message to add to the end of the email body after the Security Gateway scans it successfully. |
||
10 |
The SMTP/TLS section applies if the email server uses TLS inspection:
|
||
11 |
In the Implied Rule section, configure the implied rule. By default, when you configure a Security Gateway as MTA, the Management Server automatically adds an implied rule at the top of the Access Control Policy. This implied rule accepts traffic on the TCP port 25 that the network sends to the Security Gateway. The default source in this implied rule is any IP address. You can configure the source in this implied rule to allow traffic only from specific IP addresses. To disable this implied rule, clear Create an implied rule at the top of the Access Control Policy. |
||
12 |
Optional: In the Advanced Settings section, click Configure Settings.
|
||
13 |
Click OK to close the Security Gateway properties window. |
||
14 |
Install the Access Control policy on the Security Gateway. |
||
15 |
Install the Threat Prevention policy on the Security Gateway. |
||
16 |
Change the network settings to send SMTP traffic from external networks to the Security Gateway. Each organization has an MX record that points to the internal mail server, or a different MTA. The MX record defines the next hop for SMTP traffic that is sent to the organization. These procedures explain how to change the network settings to send SMTP to the Check Point MTA.
To configure an MTA for emails that are sent to the internal mail server:
To configure an MTA for emails that are sent to a different MTA:
|
Disabling Mail Transfer Agent
|
Note - If the MTA queue is not empty, or if you disable the MTA first, it is possible to lose emails that are sent to the network. |
-
Change the network settings to stop sending SMTP traffic from external networks to the Security Gateway.
ProcedureStep
Instructions
1
Change the MX records for the network, and configure the mail server as the next hop (instead of the Security Gateway).
2
Wait for 24 hours because your servers can save the MTA address in their cache.
-
Disable the MTA in the Security Gateway object.
ProcedureStep
Instructions
1
Connect with SmartConsole to the Management Server.
From the left navigation panel, click Gateways & Servers.
2
Open the Security Gateway object.
3
From the navigation tree, click the Mail Transfer Agent page.
4
Clear Enable as a Mail Transfer Agent (MTA).
5
Click OK.
6
Install the Threat Prevention policy.
Deploying MTA in Backward Compatibility Mode
You can use the Check Point MTA to only monitor SMTP traffic - only scan the emails, but not to forward them to the mail server.
|
Note - Make sure that the mail relay on the network can send a copy of the emails to the Check Point MTA. |
Step |
Instructions |
---|---|
1 |
Connect with SmartConsole to the Management Server. From the left navigation panel, click Gateways & Servers. |
2 |
Create a new Host object with these settings:
|
3 |
Open the Security Gateway object. |
4 |
From the navigation tree, click the Mail Transfer Agent page. |
5 |
Select Enable as a Mail Transfer Agent (MTA). |
6 |
In the Mail Forwarding section, delete all current rules. |
7 |
From the toolbar, click the applicable button to add a rule (above or below). |
8 |
Right-click the Domain cell and select Edit. Enter the wildcard * to accept all recipient domains. Click OK. |
9 |
Click the Next Hop cell and select the Host object you created earlier. |
10 |
Optional: Right-click the Comment cell and select Edit > enter the description for this rule and click OK. |
11 |
Click OK. |
12 |
Install the Threat Prevention policy. |
MTA Engine Updates
The Mail Transfer Agent Engine Update is an accumulation of new features and bug fixes to the MTA engine.
MTA updates are available for Security Gateways R80.20 and higher, and R80.10 with the R80.10 Jumbo Hotfix Accumulator Take 142 (and higher).
It is delivered in the form of a CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. package and can be installed and upgraded manually through the CPUSE .The cpstop/cpstart
or reboot are not required.
The updates do not conflict with the regular Jumbo Hotfix Software package installed on top of the current software version to fix a wrong or undesired behavior, and to add a new behavior. Accumulators and can be installed independently.
For more information about the MTA engine updates, see sk123174.
To check the current version of Mail Transfer Agent Update, run this command in the Expert mode on the Security Gateway:
|
Monitoring MTA
There are three views for MTA monitoring in SmartView available for Security Gateways R80.20 and higher, and R80.10 with R80.10 Jumbo Hotfix Accumulator Take 142 (and higher).
Step |
Instructions |
---|---|
1 |
Connect with SmartConsole to the Management Server. |
2 |
Make sure the required Software Blades are enabled on the Management Server / Log Server Dedicated Check Point server that runs Check Point software to store and process logs. object, to which the Security Gateways send their logs:
|
3 |
Make sure the MTA Live Monitoring is enabled in the applicable Threat Prevention profiles:
|
4 |
If the option Enable MTA Live Monitoring was cleared and you selected it in a profile, then install the Threat Prevention Policy. |
5 |
From this point, you can monitor MTA in SmartConsole or SmartView:
The views are based on logs that are updated with each email status change. You can customize the views, create new widgets, and export the views to Excel/PDF. For more information, see the R81.20 Logging and Monitoring Administration Guide. |
This view shows the current status of the email traffic which passed through the MTA in these timelines:
-
Emails in Queue Timeline
-
Current Emails in Queue
These timelines shows the distribution of the emails in queue in a graph and a table.
If you right-click the Action column in the table, you can do these actions on the email:
-
Retry - Try to handle the email again.
-
Drop - Delete the email.
-
Bypass - Do not perform the security inspection and send the email to the next hop.
Additional widgets:
-
Current Emails in Queue
-
Emails In Queue
-
For More Than 1 Minute
-
For More Than 3 Minutes
-
Earliest Email in Queue Arrived
-
-
Emails Delivered
-
Emails Delivered
-
-
Email Status
-
Bounced - The MTA sent the Emails back to the sender.
-
Deferred - A temporary failure occurred. The MTA will retry to perform the applicable action again.
-
Dropped - The MTA did not transfer the emails to the next hop.
-
Skipped - The MTA bypassed the emails. No performance was performed.
-
When you click a column in the diagram, a window opens with a list of the logs that the column is based on.
This view shows statistical data on the email traffic which passed through the MTA in these timelines:
-
Emails by Status Timeline
-
Email Content Timeline
-
Emails in Queue Timeline
You can use compare these timelines to identify trends in email traffic and analyze the root cause for all kinds of situations.
For example, if the emails in queue timeline shows many emails in the queue at a certain point in time, you can look at the other timelines to check the possible reasons for this.
If the content timeline shows many emails with links and attachments at the same point in time, this could explain it, because they take longer to scan.
Additional widgets:
-
Emails Additional Information
-
Emails Delivered
-
Unique Email Senders
-
Unique Email Recipients
-
-
Emails Content
-
Emails With Links
-
Emails With Attachments
-
This view shows the causes of failure and the number of failures for each cause:
-
Failures Timeline
-
Most Common Failures
This timeline shows the X top failures. The default is 5.
-
Email Failures
This timeline shows all failures.