Only permit outbound SMTP traffic from Icewarp MailServer

Author
CodeMonkey
Silver Member
  • Total Posts : 115
  • Scores: 14
  • Reward points: 0
  • Joined: 2015/01/12 03:18:57
  • Status: offline
2017/09/29 06:26:23 (permalink) 5.2
0

Only permit outbound SMTP traffic from Icewarp MailServer

FGT60D running v5.2.11.
 
I'm looking to use application control to restrict outbound SMTP (internal -> wan) to the IceWarp (a.k.a. Merak) mail server only; however, I'm struggling to understand how to accurately identify IceWarp within a custom signature.
 
Can anyone advise me whether:
1. This is actually possible
2. The best way to accurately and consistently identify IceWarp (as opposed to a PowerShell script sending SMTP traffic, for example).
 
 
#1
hmtay_FTNT
Gold Member
  • Total Posts : 215
  • Scores: 28
  • Reward points: 0
  • Joined: 2017/02/22 11:02:10
  • Status: offline
Re: Only permit outbound SMTP traffic from Icewarp MailServer 2017/09/29 15:08:32 (permalink)
0
Hello CodeMonkey,
 
Can you do a packet capture of a session? If it is SMTP, we should be able to see the domain name. If it is SMTPS, you would have to enable deep-inspection to decrypt the session. If you can get me a packet capture, I can write you a custom signature. Please close the session first before you start the packet capture. I would need the full session to analyze it. Thanks!
#2
CodeMonkey
Silver Member
  • Total Posts : 115
  • Scores: 14
  • Reward points: 0
  • Joined: 2015/01/12 03:18:57
  • Status: offline
Re: Only permit outbound SMTP traffic from Icewarp MailServer 2017/10/02 01:03:57 (permalink)
0
hmtay wrote:
Hello CodeMonkey,
 
Can you do a packet capture of a session? If it is SMTP, we should be able to see the domain name. If it is SMTPS, you would have to enable deep-inspection to decrypt the session. If you can get me a packet capture, I can write you a custom signature. Please close the session first before you start the packet capture. I would need the full session to analyze it. Thanks!


Thanks for responding, and for the offer. For the moment I'd prefer to understand how to do it myself, if you're able to outline that for me? I've been able to do various packet captures but don't quite understand how to use that raw data to create a signature.
Also, although we have SMTPS in the works, we're unable to use deep-inspection at present due to a bug that we're progressing with Fortinet.
#3
hmtay_FTNT
Gold Member
  • Total Posts : 215
  • Scores: 28
  • Reward points: 0
  • Joined: 2017/02/22 11:02:10
  • Status: offline
Re: Only permit outbound SMTP traffic from Icewarp MailServer 2017/10/02 08:29:39 (permalink) Best Answer by CodeMonkey 2017/10/02 08:36:43
0
Here's an example of an SMTP session without encryption (or if encryption is enabled, after it is decrypted).
 
The server will send a packet banner in the beginning. If information about the mail server is not removed, that can be used as a pattern to identify in a signature.
 
If the mail server decides to remove the packet banner (a common move to avoid providing unnecessary detail about the server to anyone), the Fortigate will go further down and identify the session after the "HELO" or "EHLO" request. In this case, you can use the email address @xxxx.com to identify the mail server that you are using, e.g. icewarp.com.
 
E.g. custom app control signature:
 
F-SBID( --name "SMTP_Dot.Net"; --protocol tcp; --app_cat 21; --weight 20; --service SMTP; --flow from_server; --pattern "dotnetzone.com"; --context header; --no_case; )
 
Hope this helps.

Attached Image(s)

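The fallback order hmtay describes (server banner first, then the HELO/EHLO hostname or the sender's domain) can be checked against a captured session before committing to a pattern. The script below is an added example, not Fortinet code and not part of this thread: it parses a constructed plaintext SMTP session (the hostnames, product string and addresses are made up), pulls out those three fields, and approximates what the signature options --pattern, --flow and --no_case would match against. The FortiGate engine's real matching is not reproduced; the point is to see which bytes a candidate pattern actually hits in each direction.

```python
import re

# Constructed sample session (not from a real packet capture).
# "S:" lines are server-to-client, "C:" lines are client-to-server.
SAMPLE_SESSION = """\
S: 220 mail.example-icewarp.test ESMTP IceWarp 12.0.3; Mon, 02 Oct 2017 08:00:00 +0100
C: EHLO mail.example-icewarp.test
S: 250-mail.example-icewarp.test Hello [10.0.0.25]
S: 250-SIZE 52428800
S: 250 STARTTLS
C: MAIL FROM:<alerts@example-icewarp.test>
S: 250 2.1.0 Sender OK
"""

# The same session with the product details removed from the banner,
# the case the reply says forces identification further into the exchange.
STRIPPED_BANNER_SESSION = """\
S: 220 ESMTP
C: EHLO mail.example-icewarp.test
S: 250 mail.example-icewarp.test Hello [10.0.0.25]
C: MAIL FROM:<alerts@example-icewarp.test>
S: 250 2.1.0 Sender OK
"""


def parse_session(text):
    """Extract the server banner, the HELO/EHLO argument and the MAIL FROM domain."""
    fields = {"banner": None, "helo": None, "mail_from_domain": None}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        direction, _, line = raw.partition(": ")
        direction = direction.strip()
        if direction == "S" and fields["banner"] is None and line.startswith("220"):
            # First 220 reply is the greeting banner; keep everything after the code.
            fields["banner"] = line[3:].strip().lstrip("-").strip()
        elif direction == "C":
            m = re.match(r"(?i)^(HELO|EHLO)\s+(\S+)", line)
            if m:
                fields["helo"] = m.group(2)
                continue
            m = re.match(r"(?i)^MAIL FROM:\s*<?[^@<>\s]+@([^>\s]+)>?", line)
            if m:
                fields["mail_from_domain"] = m.group(1)
    return fields


def matches(session_text, pattern, flow, no_case=True):
    """Approximate --pattern/--flow/--no_case: is the pattern present in the
    bytes sent in the given direction ('from_server' or 'from_client')?"""
    want = "S" if flow == "from_server" else "C"
    haystack = "\n".join(
        line.partition(": ")[2]
        for line in session_text.splitlines()
        if line.startswith(want + ":")
    )
    if no_case:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def identify_mail_server(session_text, expected_domain):
    """Apply the reply's fallback order and report which field identified the server."""
    f = parse_session(session_text)
    d = expected_domain.lower()
    if f["banner"] and d in f["banner"].lower():
        return "banner"
    if f["helo"] and f["helo"].lower().endswith(d):
        return "helo"
    if f["mail_from_domain"] and f["mail_from_domain"].lower() == d:
        return "mail_from"
    return None


if __name__ == "__main__":
    for name, sess in (("full banner", SAMPLE_SESSION), ("stripped banner", STRIPPED_BANNER_SESSION)):
        print(name, "->", parse_session(sess), "identified by:",
              identify_mail_server(sess, "example-icewarp.test"))
        print("  'IceWarp 12' from_server:", matches(sess, "IceWarp 12", "from_server"))
        print("  domain from_client:", matches(sess, "example-icewarp.test", "from_client"))
```

Run it against your own capture by replacing the constructed session text with the decoded TCP stream, one line per SMTP command or reply with the direction prefix. Note that the banner and the EHLO argument are strings supplied by whichever endpoint sends them, so a pattern on them identifies the expected server rather than proving it; keeping the firewall policy's source address restricted to the mail server's IP alongside the application control profile is what prevents another host on the LAN from presenting the same strings.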
#4
CodeMonkey
Silver Member
  • Total Posts : 115
  • Scores: 14
  • Reward points: 0
  • Joined: 2015/01/12 03:18:57
  • Status: offline
Re: Only permit outbound SMTP traffic from Icewarp MailServer 2017/10/02 08:33:54 (permalink)
0
That's great, thanks hmtay - very helpful!
 