Manual Chapter : Securing SMTP Traffic

Applies To:


BIG-IP ASM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Securing SMTP Traffic

Overview: Securing SMTP traffic using system defaults

This implementation describes how to secure SMTP traffic using system defaults. When you create an SMTP security profile, the BIG-IP® Advanced Firewall Manager™ (AFM) provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.

You can configure the SMTP security profile to include the following checks:

  • Verify SMTP protocol compliance, as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as greylisting. The system does not reject subsequent messages from the same sender to the same recipient.

Task Summary

Creating an SMTP service profile with security enabled

The easiest method for initiating SMTP protocol security for your SMTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied SMTP service profile, and then associating that service profile with a virtual server.
  1. On the Main tab, click Local Traffic > Profiles > Services > SMTP.
    The SMTP profile list screen opens.
  2. In the Name column, click smtp.
    The Properties screen for the system-supplied SMTP profile opens.
  3. Select the Protocol Security check box to enable SMTP security checks.
  4. Click Update.
You now have a security-enabled service profile that you can associate with a virtual server so that SMTP protocol checks are performed on the traffic that the SMTP virtual server receives.

Creating an SMTP virtual server with protocol security

When you enable protocol security for an SMTP virtual server, the system scans any incoming SMTP traffic for vulnerabilities before the traffic reaches the SMTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 25 or select SMTP from the list.
  6. In the Configuration area, for the SMTP Profile setting, select the default profile, smtp.
  7. From the Source Address Translation list, select Auto Map.
  8. For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  9. Click Finished.
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, DNS, or SIP.
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.

Overview: Creating a custom SMTP security profile

This implementation describes how to secure SMTP traffic. When you create an SMTP security profile, the system provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.

You can configure the SMTP security profile to include the following checks:

  • Verify SMTP protocol compliance as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as greylisting. The system does not reject subsequent messages from the same sender to the same recipient.
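The greylisting check described in the last item above (and in the identical list in the first overview), written out as an added Python example that is not part of the F5 documentation: the first delivery attempt from a sender/recipient pair gets a 4xx temporary failure, a retry is accepted. The minimum retry delay and the expiry of idle entries are assumptions typical of greylisting implementations; the manual only states that the first message is rejected and later ones are not.

```python
import time

# SMTP replies a greylisting MTA returns (reply texts are assumed, not from the manual)
TEMPFAIL = (451, "4.7.1 Greylisted; please retry later")
ACCEPT = (250, "2.1.5 Recipient OK")


class Greylist:
    """Greylisting state keyed on (sender, recipient).

    The first delivery attempt from an unseen pair is rejected with a 4xx
    temporary failure. A retry that arrives at least `min_delay` seconds
    later is accepted; pairs not seen for `expiry` seconds are forgotten.
    (min_delay and expiry are assumptions; the manual does not give values.)
    """

    def __init__(self, min_delay=300, expiry=7 * 24 * 3600):
        self.min_delay = min_delay
        self.expiry = expiry
        self._first_seen = {}  # (sender, recipient) -> time of first attempt
        self._last_seen = {}   # (sender, recipient) -> time of latest attempt

    @staticmethod
    def _key(sender, recipient):
        # Addresses are compared case-insensitively so retries match
        return (sender.strip().lower(), recipient.strip().lower())

    def check(self, sender, recipient, now=None):
        """Return the SMTP reply (code, text) for this delivery attempt."""
        now = time.time() if now is None else now
        key = self._key(sender, recipient)
        self.purge(now)
        first = self._first_seen.get(key)
        self._last_seen[key] = now
        if first is None:
            # Never seen this pair: reject once; a legitimate MTA will retry
            self._first_seen[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL  # retried too soon, still greylisted
        return ACCEPT

    def purge(self, now):
        """Forget pairs that have not been seen for `expiry` seconds."""
        stale = [k for k, t in self._last_seen.items() if now - t > self.expiry]
        for k in stale:
            self._first_seen.pop(k, None)
            self._last_seen.pop(k, None)
```

A sender that never retries (the spam pattern the manual describes) never reaches the ACCEPT branch, while a retrying MTA is delayed only once per pair.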

Task summary

Creating a custom SMTP service profile

You create an SMTP service profile optimized for security when you want to fine-tune the way that the BIG-IP® system scans SMTP traffic for vulnerabilities.
  1. On the Main tab, click Local Traffic > Profiles > Services > SMTP.
    The SMTP profile list screen opens.
  2. Click Create.
    The New SMTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select the existing SMTP profile from which you want the new profile to inherit settings. The default is smtp.
  5. Select the Custom check box.
  6. Select the Protocol Security check box to enable SMTP security checks.
  7. Click Finished.
The custom SMTP service profile now appears in the SMTP list screen.

Creating a security profile for SMTP traffic

The SMTP security profile provides security checks that are applicable to the SMTP protocol.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > SMTP.
    The Security Profiles: SMTP screen opens.
  2. Click the Create button.
    The New SMTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. In the Defense Configuration area, select Alarm or Block for the defenses you want to activate.
    FTP Defense (description when set to Block):
    • Active Mode: Prevents port scanning and other active mode exploits.
    • Anonymous FTP Requests: Prevents unauthorized access by prohibiting anonymous users.
    • Command Length Restriction: Prevents buffer overflow attacks by limiting command line length. Specify the maximum number of characters allowed in a command.
    • FTP Commands: Protects against unwanted FTP commands. Move the commands you do not want to allow into the Disallowed list.
    • FTP Protocol Compliance Failed: Protects against non-RFC compliant commands and also disallows syntax errors.
    • Maximum Login Retries: Prevents brute force attacks by limiting login retries. Specify the maximum attempts a user can try to log on, the maximum number of login attempts allowed from a specific client IP address, and how long to block users before they can try again.
    • Passive Mode: Prevents passive mode exploits such as file stealing.
    Options:
    • Alarm: The system logs any requests that trigger the violation.
    • Block: The system blocks any requests that trigger the violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the violation.
    If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
  5. Click Create.
    The screen refreshes, and you see the new security profile in the list.
The BIG-IP® system automatically assigns this security profile to SMTP traffic that a designated virtual server receives.

Enabling anti-virus protection for email

You can configure the system to generate an alarm for, or block, email attachments containing a suspected virus. To do this, configure the Application Security Manager™ to act as an ICAP client, and make sure that the SMTP security profile has the virus detection options selected. An external ICAP server then inspects email and email attachments for viruses before the content is released to the SMTP server.
  1. On the Main tab, click Security > Options > Application Security > Integrated Services > Anti-Virus Protection.
    The Anti-Virus Protection screen opens.
  2. For the Server Host Name/IP Address setting, type the fully qualified domain name of the ICAP server, or its IP address.
    Note: If you specify the host name, you must first configure a DNS server by selecting System > Configuration > Device > DNS.
  3. For Server Port Number, type the port number of the ICAP server.
    The default value is 1344.
  4. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
  5. Click Save.
  6. On the Main tab, click Security > Options > Protocol Security > Advanced Configuration.
    The Advanced Configuration screen opens.
  7. In the System Variables area, ensure that the values of the icap_uri (URI of the ICAP service) and virus_header_name (name of the header the ICAP server uses to report an infection) internal parameters match your ICAP server's settings.
    By default, the system supports an ICAP server with McAfee anti-virus protection. If your organization uses a different ICAP server, update the parameters and save your changes.
    icap_uri value by ICAP server:
    • McAfee VirusScan: /REQMOD
    • Trend Micro InterScan Web Security: /reqmod
    • Kaspersky: /av/reqmod
    • Symantec: /symcscanreq-av-url
    virus_header_name value by ICAP server:
    • McAfee VirusScan: X-Infection-Found,X-Virus-Name
    • Trend Micro InterScan Web Security: X-Virus-ID
    • Kaspersky: X-Virus-ID
    • Symantec: X-Violations-Found
  8. On the Main tab, click Security > Protocol Security > Security Profiles > SMTP.
    The Security Profiles: SMTP screen opens.
  9. Click an existing SMTP security profile name or create a new one.
    The (New) SMTP Profile Properties screen opens.
  10. For the Virus Detection setting, select the Alarm or Block options as required.
    Options:
    • Alarm: The system logs any requests that trigger the virus detected violation, and displays them on the Protocol Security statistics screen.
    • Block: The system blocks any email requests that trigger the virus detected violation.
    • Alarm and Block: The system both logs and blocks any requests that trigger the virus detected violation.
  11. Click Create to create a new profile, or Update to update an existing one.
All incoming email attachments will be inspected for viruses.
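As an added illustration that is not part of the F5 documentation, the following Python shows what the icap_uri and virus_header_name parameters from step 7 correspond to on the wire: an ICAP REQMOD request addressed to icap_uri, and a check of the ICAP reply for the configured virus header name. The ICAP host, the wrapped HTTP request, and the two sample replies are constructed assumptions, not captures from a real server.

```python
# Header names from the table in step 7, keyed by ICAP server vendor
VIRUS_HEADER_NAME = {
    "McAfee VirusScan": ("X-Infection-Found", "X-Virus-Name"),
    "Trend Micro InterScan Web Security": ("X-Virus-ID",),
    "Kaspersky": ("X-Virus-ID",),
    "Symantec": ("X-Violations-Found",),
}

def build_reqmod(icap_host, icap_port, icap_uri, http_request):
    """Wrap an HTTP request (bytes) in an ICAP REQMOD request for icap_uri.
    The Encapsulated header carries byte offsets of the embedded HTTP parts."""
    hdr, sep, body = http_request.partition(b"\r\n\r\n")
    req_hdr = hdr + sep
    encaps = f"req-hdr=0, req-body={len(req_hdr)}" if body else f"req-hdr=0, null-body={len(req_hdr)}"
    head = (f"REQMOD icap://{icap_host}:{icap_port}{icap_uri} ICAP/1.0\r\n"
            f"Host: {icap_host}\r\nEncapsulated: {encaps}\r\n\r\n").encode()
    if not body:
        return head + req_hdr
    # ICAP bodies use HTTP chunked encoding, terminated by a zero-length chunk
    return head + req_hdr + f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"

def parse_icap_response(raw):
    """Split an ICAP response into (status code, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def virus_verdict(raw, header_names):
    """Return (infected, detail). Only the configured virus_header_name values
    are consulted, so a name that does not match the server's reply is a miss."""
    _, headers = parse_icap_response(raw)
    for name in header_names:
        if name.lower() in headers:
            return True, headers[name.lower()]
    return False, None

# Constructed sample replies (not captured from a real server): one in the
# McAfee style flagging the EICAR test file, one clean 204 reply.
SAMPLE_INFECTED = (b"ICAP/1.0 200 OK\r\n"
                   b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
                   b"X-Virus-Name: EICAR-Test-File\r\n"
                   b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
```

Running virus_verdict on SAMPLE_INFECTED with the Symantec header names returns a clean verdict, which is the failure mode step 7 guards against: a virus_header_name that does not match the server lets flagged mail through unnoticed.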

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the Protocol Security setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile for that protocol to the service profile. You can review and modify the current associations between service profiles and security profiles for each protocol.
  1. On the Main tab, click Security > Protocol Security > Profiles Assignment.
    The Profiles Assignment: HTTP screen opens.
  2. From the Profiles Assignment menu, select the service profile type, if different from HTTP.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Creating and securing an SMTP virtual server and pool

Configure a virtual server and a default pool for your network's SMTP servers, and assign the custom SMTP service profile. When the virtual server receives SMTP traffic, the SMTP security profile created in Application Security Manager™ scans for security vulnerabilities, and then the virtual server can be configured to perform other actions (such as load balancing) on traffic that passes the scan.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
  5. In the Service Port field, type 25 or select SMTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the SMTP Profile list, select the custom SMTP profile that you created.
  8. From the Source Address Translation list, select Auto Map.
  9. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button.
    The New Pool screen opens.
  10. In the Name field, type a unique name for the pool.
  11. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
  12. Click Finished to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
  13. Click Finished.
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, DNS, or SIP.
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.