Manual Chapter: Securing SMTP Traffic Using a Custom System Configuration

Overview: Creating a custom SMTP security profile

This implementation describes how to secure SMTP traffic manually. When you create an SMTP security profile, the Protocol Security Module™ provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.

You can configure the Protocol Security Module to perform the following checks:

  • Verify SMTP protocol compliance as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as greylisting. The system does not reject subsequent messages from the same sender to the same recipient.
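The greylisting check in the last item, as an added example that is not the Protocol Security Module's own implementation: a table keyed on the (sender, recipient) pair answers the first attempt with a temporary failure and accepts a later retry and all subsequent messages for that pair. The 451 reply code, the minimum retry delay, the entry lifetime, the case-insensitive address matching, and the names Greylist and replay are assumptions of this example and go beyond what the chapter states.

```python
import time

class Greylist:
    """Greylisting table keyed on (sender, recipient), as in the overview."""

    def __init__(self, min_delay=60, ttl=86400, clock=time.time):
        self.min_delay = min_delay  # assumed: seconds a retry must wait
        self.ttl = ttl              # assumed: seconds before an entry expires
        self.clock = clock
        self.pending = {}           # pair -> time of first, rejected attempt
        self.passed = {}            # pair -> time the pair last delivered mail

    def check(self, sender, recipient):
        """Return the reply code for RCPT TO: 250 accept, 451 retry later."""
        now = self.clock()
        key = (sender.strip().lower(), recipient.strip().lower())
        if now - self.passed.get(key, float("-inf")) <= self.ttl:
            self.passed[key] = now          # known pair: accept, refresh
            return 250
        first = self.pending.get(key)
        if first is None or now - first > self.ttl:
            self.pending[key] = now         # first message: temporary failure
            return 451
        if now - first < self.min_delay:
            return 451                      # instant re-send, no real queue
        del self.pending[key]               # queued retry: sender is a real MTA
        self.passed[key] = now
        return 250

def replay(events, **kwargs):
    """Run constructed (time, sender, recipient) events through a Greylist."""
    now = [0]
    table = Greylist(clock=lambda: now[0], **kwargs)
    codes = []
    for when, sender, recipient in events:
        now[0] = when
        codes.append(table.check(sender, recipient))
    return codes

# Constructed sample traffic: (seconds, envelope sender, envelope recipient).
SAMPLE = [
    (0, "alice@example.org", "bob@example.com"),      # first attempt
    (5, "alice@example.org", "bob@example.com"),      # too-fast re-send
    (300, "alice@example.org", "bob@example.com"),    # proper retry
    (400, "Alice@Example.org", "bob@example.com"),    # later message, same pair
    (400, "alice@example.org", "carol@example.com"),  # new recipient
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```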

Task summary

Creating a custom SMTP service profile

You create an SMTP service profile optimized for security when you want to fine-tune the way that the BIG-IP system scans SMTP traffic for vulnerabilities.
  1. On the Main tab, click Local Traffic > Profiles > Services > SMTP. The SMTP profile list screen opens.
  2. Click Create. The New SMTP Profile screen opens.
  3. In the Name field, type a name for the profile.
  4. In the Parent Profile setting, select the existing SMTP protocol from which you want the new profile to inherit settings. The default is smtp.
  5. On the right side of the screen, select the Custom check box. The settings in the Settings area become available for modification.
  6. Select the Protocol Security check box to enable SMTP security checks.
  7. Click Finished.
The custom SMTP service profile now appears in the SMTP list screen.

Creating a security profile for SMTP traffic

The SMTP security profile provides the security checks that are applicable to the SMTP protocol. In the security profile, you can also specify whether the Protocol Security Module logs violations locally (the default) or to a remote logging server.
  1. On the Main tab, click Protocol Security > Security Profiles > SMTP. The Security Profiles: SMTP screen opens.
  2. Click the Create button. The new SMTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. If you have specified the remote logging server, and you want to enable remote logging for this profile, select the Remote Logging check box.
  5. In the Defense Configuration area, modify the blocking policy settings for each violation. If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
    Option           Description
    Alarm            The system logs any requests that trigger the violation.
    Block            The system blocks any requests that trigger the violation.
    Alarm and Block  The system both logs and blocks any requests that trigger the violation.
  6. For the Virus Detection setting, select the Alarm or Block options as required.
    Option           Description
    Alarm            The system logs any requests that trigger the virus detected violation, and displays them on the Protocol Security statistics screen.
    Block            The system blocks any email requests that trigger the virus detected violation.
    Alarm and Block  The system both logs and blocks any requests that trigger the virus detected violation.
  7. Click Create. The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this service profile to SMTP traffic that a designated virtual server receives.

Enabling anti-virus protection for email

You can have the system warn about or block email attachments that contain a suspected virus. To do this, you configure the Protocol Security Module to act as an ICAP client, and make sure that the SMTP profile has anti-virus options selected. This prompts an external ICAP server to inspect email and email attachments for viruses before releasing the content to the SMTP server.
  1. On the Main tab, click Protocol Security > Options > Anti-Virus Protection. The Anti-Virus Protection screen opens.
  2. For the Server Host Name setting, type the ICAP server host name in the format of a fully qualified domain name.
    Note: Enter either the server's host name or IP address. It is not necessary to provide both. If you specify only the host name, however, you must first configure a DNS server by selecting System > Configuration > Device > DNS.
  3. For the Server IP Address setting, type the IP address of the report server.
  4. For the Server Port Number setting, type the port number of the ICAP server or use the default value, 514.
  5. If you want to perform virus checking, even if it may slow down the web application, select the Guarantee Enforcement check box.
  6. Click Save to save the ICAP server configuration.
  7. On the menu bar, click Advanced Configuration. The Advanced Configuration screen opens showing internal parameters.
  8. Ensure that the values of the icap_uri and virus_header_name internal parameters correspond to your ICAP server's settings. By default, the system supports an ICAP server with McAfee anti-virus protection. If your company uses a different ICAP server, update the parameters and save your changes.
  9. On the Main tab, click Protocol Security > Security Profiles > SMTP. The Security Profiles: SMTP screen opens.
  10. Click an existing SMTP security profile name or create a new one. The (New) SMTP Profile Properties screen opens.
  11. For the Virus Detection setting, select the Alarm or Block options as required.
    Option           Description
    Alarm            The system logs any requests that trigger the virus detected violation, and displays them on the Protocol Security statistics screen.
    Block            The system blocks any email requests that trigger the virus detected violation.
    Alarm and Block  The system both logs and blocks any requests that trigger the virus detected violation.
  12. Click Create to create a new profile, or Update to update an existing one.
All incoming email attachments will be inspected for viruses.

Modifying associations between service profiles and security profiles

Before you can modify associations, you must have created at least one security profile.
When you enable the Protocol Security setting on a service profile, the system automatically assigns the first-listed security profile to the service profile you configured for that profile. On the Profiles Assignment screen, you can review and modify the current associations, including a protocol's service profile, the virtual server that uses that service profile, and the security profile itself.
  1. On the Main tab, click Protocol Security > Profiles Assignment. The Profiles Assignment screen opens.
  2. On the menu bar, click the protocol whose settings you want to view (for example, HTTP, FTP, or SMTP).
  3. In the Security Profiles Assignment area, for each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Configuring an SMTP virtual server with a server pool

You can configure a local traffic virtual server and a default pool for your network's SMTP servers. When the virtual server receives SMTP traffic, the SMTP security profile created in Protocol Security Module scans the traffic for security vulnerabilities, and the system load balances the traffic that passes the scan.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
  5. In the Service Port field, type 25 or select SMTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the SMTP Profile list, select either smtp or a custom profile.
  8. From the SNAT Pool list, select Auto Map.
  9. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
  10. In the Name field, type a unique name for the pool.
  11. For the New Members setting, select the type of new member you are adding, then type the appropriate information in the Node Name, Address, and Service Port fields, and click Add to add as many pool members as you need.
  12. Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
  13. Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violations statistics for security profiles

Protocol Security Module provides statistics and transaction information for each profile that triggers any of the security violations defined by each service profile. If you enable the Alarm flag for a violation and incoming traffic triggers the violation, the Protocol Security Module logs the request, which you can review on the Statistics screen of the Protocol Security Module. If you enable the Block flag for any of the violations, the Protocol Security Module blocks the request.
  1. On the Main tab, click Protocol Security > Statistics. The Protocol Statistics screen opens listing all violations, organized by protocol, with the number of occurrences.
  2. Enter a Support ID if you have one to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.