Manual Chapter : Securing SMTP Traffic Using the Default Configuration

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Securing SMTP Traffic Using the Default Configuration

Overview: Securing SMTP traffic using system defaults

This implementation describes how to secure SMTP traffic using system defaults. When you create an SMTP security profile, the BIG-IP® Advanced Firewall Manager™ (AFM) provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.

You can configure the SMTP security profile to include the following checks:

  • Verify SMTP protocol compliance, as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as greylisting. The system does not reject subsequent messages from the same sender to the same recipient.

Task Summary

Creating an SMTP service profile with security enabled

The easiest method for initiating SMTP protocol security for your SMTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied SMTP service profile, and then associating that service profile with a virtual server.
  1. On the Main tab, click Local Traffic > Profiles > Services > SMTP .
    The SMTP profile list screen opens.
  2. In the Name column, click smtp.
    The Properties screen for the system-supplied SMTP profile opens.
  3. Select the Protocol Security check box to enable SMTP security checks.
  4. Click Update.
You now have a security-enabled service profile that you can associate with a virtual server so that SMTP protocol checks are performed on the traffic that the SMTP virtual server receives.

Creating an SMTP virtual server with protocol security

When you enable protocol security for an SMTP virtual server, the system scans any incoming SMTP traffic for vulnerabilities before the traffic reaches the SMTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 25 or select SMTP from the list.
  6. In the Configuration area, for the SMTP Profile setting, select the default profile, smtp.
  7. From the Source Address Translation list, select Auto Map.
  8. For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  9. Click Finished.
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, FTP, SMTP, or DNS.
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.