SMTP

The aim of the SMTP protocol analysis is to detect connections between a client and an e-mail server, or between two e-mail servers, that use SMTP. SMTP is used to send e-mails, and SEISMO relies on it to detect the version of the client and/or e-mail server in order to report possible vulnerabilities.

“IPS” tab

Automatically detect and inspect the protocol

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

SMTP protocol extensions

Filter the CHUNKING extension

Allows filtering data transferred from one e-mail address to another.

Example: attachments in e-mails.

Filter Microsoft Exchange Server extensions

Allows filtering additional commands from the Microsoft Exchange Server.

Filter request to change connection direction (ATRN, ETRN)

Allows filtering data contained in the request to change connection direction, from the client to the server or from the server to the client.

During an SMTP communication, the ATRN and ETRN commands allow the client/server roles to be exchanged.

Maximum size of elements (bytes)

Imposing a maximum size for elements (in bytes) allows countering buffer overflow attacks.

Message header [64 – 4096]

Maximum number of characters that an e-mail header can contain (e-mail address of the sender, date, type of encoding used, etc.)

Server response line [64 – 4096]

Maximum number of characters that the response line from the SMTP server can contain.

Exchange data (XEXCH50) [102400 – 1073741824]

Maximum volume of data when transferring files in MBDEF format (Message Database Encoding Format).

BDAT extension header [102400 – 10485760]

Maximum volume of data sent using the BDAT command.

Command line [64 – 4096]

Maximum volume of data that a command line can contain (excluding the DATA command).

Support

Disable intrusion prevention

When this option is selected, the scan of the SMTP protocol will be disabled and traffic will be authorized if the filter policy allows it.

Log each SMTP request

Enables or disables the logging of SMTP requests.

“Proxy” tab

Filter the welcome banner

When this option is selected, the server's banner will be anonymized during an SMTP connection.

HELO Command

Replace the client's domain name with its IP address

During a basic identification, the client enters its domain name by executing the HELO command. When this option is selected, that domain name is replaced by the client's IP address.

Filter domain name

Enable server’s domain name filtering

This option removes the SMTP server's domain name from its response to a HELO command sent by a client. This filter is enabled by default.
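As an added illustration of the three rewrites described in this "Proxy" tab (banner anonymization, HELO domain replacement and server domain filtering), the Python functions below are example code written for this page, not Stormshield's implementation. The sample banner, HELO line and reply are constructed. The neutral banner text and the bracketed address-literal form used for the client's IP (the syntax RFC 5321 defines for address literals) are assumptions, since the page does not state what text the firewall substitutes; the example also covers EHLO, which the page does not mention.

```python
import ipaddress
import re

# Constructed sample exchange; none of these values come from a real server.
SERVER_BANNER = "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"
CLIENT_HELO = "HELO client.example.test\r\n"
SERVER_HELO_REPLY = "250 mail.example.test Hello client.example.test [203.0.113.10]\r\n"
CLIENT_IP = "203.0.113.10"


def anonymize_banner(line: str) -> str:
    """Replace the server's 220 greeting with a neutral one so the mail
    software and its version are not disclosed to the client.
    The replacement text is an assumption for this example."""
    if not line.startswith("220"):
        return line
    return "220 SMTP service ready\r\n"


def rewrite_helo(line: str, client_ip: str) -> str:
    """Replace the domain given in HELO/EHLO with the client's IP address,
    written as an RFC 5321 address literal ([a.b.c.d] or [IPv6:...])."""
    m = re.match(r"^(HELO|EHLO)\s+(\S+)\s*$", line, re.IGNORECASE)
    if not m:
        return line  # not a HELO/EHLO line, pass through unchanged
    ip = ipaddress.ip_address(client_ip)
    literal = f"[{ip}]" if ip.version == 4 else f"[IPv6:{ip}]"
    return f"{m.group(1).upper()} {literal}\r\n"


def filter_helo_reply(reply: str) -> str:
    """Drop the server's own domain name from the first line of its 250 reply
    to HELO/EHLO. Only the first line carries the domain; the remaining lines
    of a multi-line EHLO reply list extensions and are left untouched."""
    lines = reply.split("\r\n")
    m = re.match(r"^250([ -])(\S+)\s*(.*)$", lines[0])
    if m:
        sep, rest = m.group(1), m.group(3)
        # "250 text" keeps a space before the text; a bare "250" or "250-" is
        # still a valid reply line per RFC 5321.
        lines[0] = f"250{sep}{rest}" if rest else f"250{sep}".rstrip()
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(anonymize_banner(SERVER_BANNER), end="")
    print(rewrite_helo(CLIENT_HELO, CLIENT_IP), end="")
    print(filter_helo_reply(SERVER_HELO_REPLY), end="")
```

Each function leaves lines it does not recognize untouched, so a proxy applying them in sequence never corrupts traffic that does not match; the only information removed is what the firewall options above are meant to hide.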

Connection

Keep original source IP address

When a request is made by a web client (browser) to the server, the firewall intercepts it, checks that the request complies with URL filter rules, and then relays the request.

If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall's address will be used.

Limits when sending an e-mail

By default, the data size limit for the outgoing mail message (text line) is enabled. Its maximum has been set to 1000 in accordance with RFC 2821.

Restrict the size of message lines

Sets a limit on the length of the lines in an outgoing message.

Message line [1000 – 2048 (KB)]

This field indicates the maximum length of a line when sending a message.

REMARK

Imposing a maximum size for elements (in bytes) allows countering buffer overflow attacks.

Max. no. of recipients

Indicates the maximum number of recipients that a message can contain. The firewall will refuse messages with too many recipients (the refusal will be indicated by an SMTP error). This allows restricting spam.

Maximum size of the message [0 – 2147483647 (KB)]

Indicates the maximum size of messages passing through the Stormshield Network firewall. Messages exceeding the defined size will be refused by the firewall.

“SMTP Commands” tab

This menu allows you to authorize or reject the SMTP commands defined in the RFCs. You can let commands pass, block them, or analyze their syntax and check that they comply with the RFCs currently in force.

Proxy

Main commands

The button Modify all commands allows authorizing, rejecting or checking all commands.

Command

Indicates the name of the command.

Action

Indicates the action performed.

Other commands allowed

Command

By default, all commands not defined in the RFCs are prohibited. However, some mail systems use additional non-standard commands. You can therefore add these commands in order to let them pass through the firewall.

The buttons Add and Delete allow you to modify the list of commands.

IPS

Allowed SMTP commands

List of additional authorized SMTP commands. It is possible to Add or Delete commands.

Prohibited SMTP commands

List of prohibited SMTP commands. It is possible to Add or Delete commands.
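The following Python snippet is example code added for this page (not Stormshield's implementation) that shows how the checks described under "Maximum size of elements", "Limits when sending an e-mail" and this "SMTP Commands" tab combine when applied to the client side of an SMTP session: command-line and message-line length limits, the recipient limit, the total message size, RFC-defined versus explicitly allowed and prohibited commands, and a syntax check on the MAIL FROM/RCPT TO envelope commands. The limit values, the allowed/prohibited lists and the sample session are all constructed for the example and are not the firewall's defaults; the finding codes are this example's own names.

```python
import re

# Limits mirroring the fields described on the page. The values are assumed
# for this example; they are not the firewall's defaults.
LIMITS = {
    "command_line": 4096,            # "Command line [64 - 4096]", bytes, DATA content excluded
    "message_line": 1000,            # "Message line": 1000 octets including CRLF (RFC 2821)
    "max_recipients": 5,             # "Max. no. of recipients"
    "max_message_bytes": 10 * 1024,  # "Maximum size of the message", here in bytes
}

# Commands defined in the SMTP RFCs (RFC 5321 plus common extensions).
RFC_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
                "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH", "BDAT", "ATRN", "ETRN"}
EXTRA_ALLOWED = {"XEXCH50"}  # non-RFC command explicitly allowed ("Other commands allowed")
PROHIBITED = {"TURN"}        # explicitly prohibited ("Prohibited SMTP commands")

# Envelope syntax check: the address must be enclosed in angle brackets.
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<[^<>\s]*>", re.IGNORECASE)


def check_session(client_lines, limits=LIMITS, allowed=EXTRA_ALLOWED, prohibited=PROHIBITED):
    """Walk the client side of an SMTP session (lines including CRLF) and
    return [(line_no, code)] for every line the policy would reject."""
    findings = []
    in_data = False
    recipients = 0
    message_bytes = 0
    size_flagged = False
    for n, line in enumerate(client_lines, 1):
        raw = line.encode("utf-8")
        if in_data:
            # Message body: per-line limit and total message size limit.
            message_bytes += len(raw)
            if len(raw) > limits["message_line"]:
                findings.append((n, "message-line-length"))
            if message_bytes > limits["max_message_bytes"] and not size_flagged:
                findings.append((n, "message-size"))
                size_flagged = True
            if line.rstrip("\r\n") == ".":
                in_data = False  # end of DATA
            continue
        if len(raw) > limits["command_line"]:
            findings.append((n, "command-line-length"))
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in prohibited:
            findings.append((n, "prohibited-command"))
        elif verb not in RFC_COMMANDS and verb not in allowed:
            findings.append((n, "unknown-command"))
        elif verb in ("MAIL", "RCPT"):
            if not ENVELOPE_RE.match(line):
                findings.append((n, "syntax"))
            elif verb == "RCPT":
                recipients += 1
                if recipients > limits["max_recipients"]:
                    findings.append((n, "too-many-recipients"))
        elif verb == "DATA":
            in_data = True
            message_bytes = 0
            size_flagged = False
        elif verb == "RSET":
            recipients = 0  # RSET discards the current envelope
    return findings


# Constructed client transcript exercising each check (line numbers in comments).
SAMPLE_SESSION = (
    ["HELO client.example.test\r\n",                           # 1
     "MAIL FROM:<alice@example.test>\r\n"]                     # 2
    + [f"RCPT TO:<r{i}@example.test>\r\n" for i in range(1, 7)]  # 3-8: six recipients, limit five
    + ["RCPT TO: bob@example.test\r\n",                        # 9: missing angle brackets
       "TURN\r\n",                                             # 10: prohibited command
       "XEXCH50 4 2\r\n",                                      # 11: non-RFC but explicitly allowed
       "FOOBAR\r\n",                                           # 12: neither RFC nor allowed
       "DATA\r\n",                                             # 13
       "Subject: test\r\n",                                    # 14
       "x" * 1200 + "\r\n",                                    # 15: message line too long
       ".\r\n",                                                # 16
       "QUIT\r\n"]                                             # 17
)

if __name__ == "__main__":
    for line_no, code in check_session(SAMPLE_SESSION):
        print(f"line {line_no}: {code}")
```

Running the block on the sample session reports the sixth RCPT TO, the malformed RCPT TO, the prohibited TURN, the unknown FOOBAR and the over-long body line, while XEXCH50 passes because it is on the allowed list. Note that the page's "Command line" limit excludes DATA, which is why body lines are measured against the separate message-line limit.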

“Analyzing files” tab

Maximum size for antivirus and sandboxing scan (KB)

The default size depends on the firewall model:

  • S model (U30S, U70S, SN150, SN160(W), SN200, SN210(W), SN300 and SN310): 4000 KB.
  • M model (U150S, U250S, V50, V100, SN500, SN510, SN700, SN710 and SNi40): 4000 KB.
  • L model (U500S, U800S, SN900 and SN910): 8000 KB.
  • XL model (VS5, VS10, VS-VU, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100): 16000 KB.

WARNING

When manually defining a size limit for analyzed data, ensure that all values are coherent. The total memory space corresponds to a common space for all the resources reserved for the Antivirus service. If you define the size limit for analyzed data on SMTP as 100% of the total size, no other files can be analyzed at the same time.

Action on messages

This zone defines the behavior of the antivirus module when certain events occur.

When a virus is detected

This field contains 2 options: "Pass" and "Block". By selecting “Block”, the analyzed file will not be sent. By selecting Pass, the antivirus will send the file even if it has been found to be infected.

When the antivirus scan fails

The option Pass without scanning defines the behavior of the antivirus module if the analysis of the file it is scanning fails.

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.

When data collection fails

This option defines the behavior of the antivirus module when data collection fails.

Examples:

  • The hard disk has reached its capacity, so the information cannot be downloaded.
  • The file exceeds the maximum size allowed for the antivirus scan (1000 KB).

“Sandboxing” tab

Sandboxing

Status

This column displays the status (Enabled/Disabled) of sandboxing for the corresponding file type. Double-click on it to change its status.

File types

The sandboxing option allows scanning four types of attachments:

  • Archive: the main types of archives (zip, arj, lha, rar, cab, etc.).
  • Office document (Office software): all types of documents that can be opened with the MS Office suite.
  • Executable: files that can be run in Windows (files with the extension ".exe", ".bat", ".cmd", ".scr", etc.).
  • PDF: files in Portable Document Format (Adobe).
  • Flash: files with the extension ".swf".
  • Java: compiled Java files (for example, files with a ".jar" extension).

Max. size of sandboxed e-mails (KB)

This field allows defining the maximum size of e-mails that need to be sandboxed. By default, this value is equal to the one in the Maximum size for antivirus and sandboxing scan (KB) field in the File analysis tab. This value cannot be exceeded.

Actions on files

When known malware has been identified

This field contains 2 options. By selecting Block, the analyzed file will not be sent. By selecting Pass, the file will be sent in its original form.

When sandboxing fails

This option defines the behavior of the sandboxing option if the file scan fails.

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.