Manual Chapter : Securing SMTP Traffic

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.0.0
Manual Chapter

Securing SMTP Traffic

Overview: Securing SMTP traffic using system defaults

This implementation describes how to secure SMTP traffic using system defaults. When you create an SMTP security profile, the BIG-IP®Advanced Firewall Manager (AFM) provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.
You can configure the SMTP security profile to include the following checks:
  • Verify SMTP protocol compliance, as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as
    greylisting
    . The system does not reject subsequent messages from the same sender to the same recipient.

Task Summary

Creating an SMTP service profile with security enabled

The easiest method for initiating SMTP protocol security for your SMTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied SMTP service profile, and then associating that service profile with a virtual server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SMTP
    .
    The SMTP profile list screen opens.
  2. In the
    Name
    column, click
    smtp
    .
    The Properties screen for the system-supplied SMTP profile opens.
  3. Select the
    Protocol Security
    check box to enable SMTP security checks.
  4. Click
    Update
    .
You now have a security-enabled service profile that you can associate with a virtual server so that SMTP protocol checks are performed on the traffic that the SMTP virtual server receives.

Creating an SMTP virtual server with protocol security

When you enable protocol security for an SMTP virtual server, the system scans any incoming SMTP traffic for vulnerabilities before the traffic reaches the SMTP servers.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the
    Service Port
    field, type
    25
    or select
    SMTP
    from the list.
  6. In the Configuration area, for the
    SMTP Profile
    setting, select the default profile,
    smtp
    .
  7. From the
    Source Address Translation
    list, select
    Auto Map
    .
  8. For the
    Default Pool
    setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  9. Click
    Finished
    .
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click
    Security
    Event Logs
    Protocol
    and click
    HTTP
    ,
    DNS
    , or
    SIP
    .
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.

Overview: Creating a custom SMTP security profile

This implementation describes how to secure SMTP traffic. When you create an SMTP security profile, the system provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check.
You can configure the SMTP security profile to include the following checks:
  • Verify SMTP protocol compliance as defined in RFC 2821.
  • Validate incoming mail using several criteria.
  • Inspect email and attachments for viruses.
  • Apply rate limits to the number of messages.
  • Validate DNS SPF records.
  • Prevent directory harvesting attacks.
  • Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
  • Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as
    greylisting
    . The system does not reject subsequent messages from the same sender to the same recipient.

Task summary

Creating a custom SMTP service profile

You create an SMTP service profile optimized for security when you want to fine-tune the way that the BIG-IPsystem scans SMTP traffic for vulnerabilities.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    SMTP
    .
    The SMTP profile list screen opens.
  2. Click
    Create
    .
    The New SMTP Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, select the existing SMTP profile from which you want the new profile to inherit settings. The default is
    smtp
    .
  5. Select the
    Custom
    check box.
  6. Select the
    Protocol Security
    check box to enable SMTP security checks.
  7. Click
    Finished
    .
The custom SMTP service profile now appears in the SMTP list screen.

Creating a security profile for SMTP traffic

The SMTP security profile provides security checks that are applicable to the SMTP protocol.
  1. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    SMTP
    .
    The Security Profiles: SMTP screen opens.
  2. Click the
    Create
    button.
    The New SMTP Security Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the profile.
  4. In the Defense Configuration area, select
    Alarm
    or
    Block
    for the SMTP defenses you want to activate.
    Option
    Description
    Alarm
    The system logs any requests that trigger the violation.
    Block
    The system blocks any requests that trigger the violation.
    Alarm
    and
    Block
    The system both logs and blocks any requests that trigger the violation.
  5. Click
    Create
    .
    The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this service profile to SMTP traffic that a designated virtual server receives.

Enabling anti-virus protection for email

You can warn or block against email attachments containing a suspected virus. To do this, you configure the Application Security Manager to act as an ICAP client, and make sure that the SMTP profile has anti-virus options selected. This prompts an external ICAP server to inspect email and email attachments for viruses before releasing the content to the SMTP server.
  1. On the Main tab, click
    Security
    Options
    Application Security
    Integrated Services
    Anti-Virus Protection
    .
    The Anti-Virus Protection screen opens.
  2. For the
    Server Host Name/IP Address
    setting, type the fully qualified domain name of the ICAP server, or its IP address.
    If you specify the host name, you must first configure a DNS server by selecting
    System
    Configuration
    Device
    DNS
    .
  3. For
    Server Port Number
    , type the port number of the ICAP server.
    The default value is
    1344
    .
  4. If you want to perform virus checking even if it may slow down the web application, select the
    Guarantee Enforcement
    check box.
  5. Click
    Save
    .
  6. On the Main tab, click
    Security
    Options
    Protocol Security
    Advanced Configuration
    .
    The Advanced Configuration screen opens.
  7. In the System Variables area, ensure that the values for the
    icap_uri
    (URI for the ICAP service), and
    virus_header_name
    (header name used) internal parameters correspond to your ICAP server's settings.
    By default, the system supports an ICAP server with McAfee anti-virus protection. If your organization uses a different ICAP server, update the parameters and save your changes.
    ICAP Server
    icap_uri Value
    McAfee VirusScan
    /REQMOD
    Trend Micro InterScan Web Security
    /reqmod
    Kaspersky
    /av/reqmod
    Symantec
    /symcscanreq-av-url
    ICAP Server
    virus_header_name Value
    McAfee VirusScan
    X-Infection-Found,X-Virus-Name
    Trend Micro InterScan Web Security
    X-Virus-ID
    Kaspersky
    X-Virus-ID
    Symantec
    X-Violations-Found
  8. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    SMTP
    .
    The Security Profiles: SMTP screen opens.
  9. Click an existing SMTP security profile name or create a new one.
    The (New) SMTP Profile Properties screen opens.
  10. For the
    Virus Detection
    setting, select the
    Alarm
    or
    Block
    options as required.
    Option
    Description
    Alarm
    The system logs any requests that trigger the virus detected violation, and displays them on the Protocol Security statistics screen.
    Block
    The system blocks any email requests that trigger the virus detected violation.
    Alarm
    and
    Block
    The system both logs and blocks any requests that trigger the virus detected violation.
  11. Click
    Create
    to create a new profile, or
    Update
    to update an existing one.
All incoming email attachments will be inspected for viruses.

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the
Protocol Security
setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile to the service profile you configured for that profile. You can review and modify the current associations between the service profiles and the security profiles for each protocol.
  1. On the Main tab, click
    Security
    Protocol Security
    Profiles Assignment
    .
    The Profiles Assignment screen opens.
  2. From the Profiles Assignment menu, select the service profile type.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click
    Save
    .

Creating and securing an SMTP virtual server and pool

Configure a virtual server and a default pool for your network's SMTP servers, and assign the custom SMTP service profile. When the virtual server receives SMTP traffic, the SMTP security profile created in Application Security Manager scans for security vulnerabilities, and then the virtual server can be configured to perform other actions (such as load balancing) on traffic that passes the scan.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address/Mask
    field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
  5. In the
    Service Port
    field, type
    25
    or select
    SMTP
    from the list.
  6. From the
    Configuration
    list, select
    Advanced
    .
  7. From the
    SMTP Profile
    list, select the custom SMTP profile that you created.
  8. From the
    Source Address Translation
    list, select
    Auto Map
    .
  9. In the Resources area of the screen, for the
    Default Pool
    setting, click the
    Create (+)
    button.
    The New Pool screen opens.
  10. In the
    Name
    field, type a unique name for the pool.
  11. In the Resources area, for the
    New Members
    setting, select the type of new member you are adding, then type the information in the appropriate fields, and click
    Add
    to add as many pool members as you need.
  12. Click
    Finished
    to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the
    Default Pool
    list.
  13. Click
    Finished
    .
The custom SMTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click
    Security
    Event Logs
    Protocol
    and click
    HTTP
    ,
    DNS
    , or
    SIP
    .
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.