
No Email subscription, external email: any benefit to inspection of the IMAP/POP/SMTP traffic?

If you use external, third-party email which is outside of your firewall and you have no control over the email domain, is it still beneficial to TLS decrypt IMAPS, POP3S, SMTPS traffic and thus have it inspected? Actually, as I write this I'm not sure what service actually would inspect it. (IDP, Malware, ?)

Just to be clear, behind the XGS (18.5) are users who reach outside of the firewall to third-party email services to send and receive email. It's apparently not that useful to subscribe to the Email subscription in that case. So then there's the choice of figuring the large third parties do spam and spoofing checking and potentially malware scanning -- haven't seen any evidence of that, but they might -- and leaving the up/down mail traffic encrypted and relying on the third parties and the email client to keep things clean.

Or you could add endpoint software so you have multiple things checking for evil email. And/or you could TLS decrypt the IMAPS/SMTPS traffic and maybe some other kinds of things are done in the XGS (again, without Email subscription so you can't turn on IMAPS scanning, etc) that might be helpful.

Thoughts? If I turn on TLS decryption on IMAPS/SMTPS traffic and don't have an Email subscription, is anything useful happening? Or should I just not decrypt that traffic and save myself potential breakages and errors?



  • Hi,

    I don't think you can select scan Imaps and Smtps if you don't have an email subscription.

    Ian

  • That is correct, you can't. So the question is: if I decrypt email streams, does something (IPS, etc) other than Scan IMAPS or Scan SMTPS (which I don't have) look at the resulting stream for any bad things? Or does nothing really look at it, so it's not worth it. I'm not expecting something as specialized and perhaps attachment-aware as Scan IMAPS and Scan SMTPS, but if the answer is that nothing looks into the decrypted stream, then we may as well not decrypt.

  • Hi Wayne,

    As I am a home user I have access to the mail scanning in TLS, but my current installation of v18.0.5 mr5 586 does not work with IMAPS scanning; it breaks the server connection.

    I must admit I haven't tried just using TLS to decrypt mail. Something to try without enabling the scan function in the firewall rule.

    Ian

  • I expect I am making a configuration error when setting up DPI and SSL/TLS mail scanning, because one sends okay but neither receives until I disable the functions and just use a bare firewall rule with mail scanning enabled.

    Ian

  • Yes, the kind of complications that can arise if we try TLS, which might be worth it if there is some actual scanning going on but not if not.

    I looked at The Life of a Packet diagrams and it looks like if you choose TLS decryption, the DPI-related services may be applicable: IPS, Web Policies, Application ID & Control. And these services can consult with Antivirus and Sandstorm. It seems to me that of the three, IPS has a chance of spotting a virus pattern in the (unencrypted) data flying through, though I would think that Anti-virus and Sandstorm would need to be presented with delineated targets and it's not clear that DPI/IPS knows enough about email to break out attachments. I assume that's what the Email subscription does.

    On the other hand, I also assume that once Intercept X is installed, it sees unencrypted emails and is aware of execution of an attachment, etc., and provides a layer of protection there that's comparable to or better than Email. (Email would stop it sooner and doesn't require a client machine to do anything, so I'm not saying it's useless, just that I think/hope that Intercept X will fill much the same role.)

  • Whatever the bad stuff is should be stopped at the firewall; that is what it is employed for. The bad stuff should not make it into your network and rely on a localised product to detect it; that is why you have zero-day stuff on the firewall, I thought?

    Ian