Module 4 - Email Protection Handout

Module 4 of the Email Protection course covers the functionality and troubleshooting of MTA and Legacy modes, as well as SASI integration and the operation of POP3 and IMAP proxies. The module outlines the email flow through the XG firewall, detailing how emails are processed, scanned, and forwarded to recipient servers. It also includes a detailed MTA mail-flow diagram and emphasizes the importance of SMTP commands and policies in email handling.


Module 4 – Email Protection


Supportability guide

Version 20.0 • July 2024



Course Agenda
• Module 1: Architecture and Troubleshooting basics
• Module 2: Network Protection
• Module 3: Web Protection
• Module 4: Email Protection
• Module 5: Webserver Protection
• Module 6: Authentication
• Module 7: Synchronized Security and Central Management
• Module 8: Site-to-Site and Remote connections
• Module 9: Wireless Protection
• Module 10: High Availability
• Module 11: XGS Hardware and Troubleshooting


Module objectives
Once you complete this module you will be able to:
• Explain how MTA mode works
• Describe how the MTA mode features work and how to troubleshoot them
• Explain SASI integration
• Explain how Legacy mode works
• Describe how the Legacy mode features work and how to troubleshoot them
• Explain how the POP3 and IMAP proxies work and how to troubleshoot them


MTA Email flow and logs


Email Protection
Scenario

[Diagram: an internal network (mail server, switch and two mail clients) behind the XG's LAN interface, the XG's WAN interface facing the Internet. The XG performs recipient validation and mail and content checks; numbered flows 1 to 3 mark the mail path described below.]

Before we look at how to troubleshoot issues, let’s look at how the XG is commonly configured as an SMTP
proxy. As this diagram shows, we have an internal and an external network with the XG in between; we also
have a mail server and a couple of computers with mail clients on the internal network.

When a mail client sends an email, the mail client connects to the mail server, which accepts the email and
sends it to the XG. The SMTP proxy on the XG will perform any outbound checks that are configured, for
example data protection checks, then forward the email to the email server for the recipient's domain. This
would typically mean sending out to a server on the Internet through the WAN port.

The XG will accept inbound emails for its list of configured internal domains. The SMTP proxy will validate
the recipient and perform content checks before delivering the email to the mail server on the internal
network that is configured for the recipient domain. The mail client on the internal computer will collect
the email from the mail server.

Note: When the email subscription is expired/unsubscribed, only SMTP routing, Smart host and SMTP DoS
are applied, in both Legacy and MTA mode.

How Email Works

[Diagram: Sender -> Sender’s Company Mail Server -> DNS (MX record lookup).]
1. The sender writes an email to TECHSUPTraining@[Link]
2. The email is sent to the sender’s company mail server
3. The sending mail server checks where the mail server for the recipient’s domain is
4. The DNS responds with the Mail Exchanger (MX) record for the recipient domain, which is configured for Sophos Central

Let’s take a look at how Sophos Email works.

First, our sender writes an email to TECHSUPTraining@[Link] and clicks send. The sender’s mail client
will send the email to their company’s mail server. The first thing the mail server has to do is figure out
where the mail server for [Link] is. To do this it uses DNS.

The DNS server responds with the mail exchanger (MX) record for the recipient’s domain ([Link]),
which is configured to be the Sophos Central email servers.


How Email Works (part 2)

[Diagram: Sender’s Company Mail Server -> Sophos Firewall -> Company Mail Server -> Recipient.]
5. The sender’s mail server sends the email to the Sophos Firewall
6. Sophos Firewall scans the email for viruses and spam
7. Clean emails are delivered to the recipient’s company mail server

Now the mail server knows that to deliver the email to TECHSUPTraining@[Link] it needs to send it
to the Sophos Firewall.

When the Firewall receives the email, it scans the email for viruses and spam and checks the sender against
the allow and block lists.

If the email is clean, the firewall delivers the email to the recipient’s mail server, and from there the
recipient’s mail client will download the email.


How Does An SMTP Session Work?

[Diagram: Mail Server -(SMTP)-> Internet -(SMTP)-> Company Mail Server -> Recipient.]

The interaction between the SMTP client and the SMTP server mentioned in the first step of the SMTP
procedure represents the actual SMTP session. The rest of the SMTP procedure, i.e. forwarding the e-mail
via SMTP from the server to the recipient, is covered in a separate article. Each session consists of a
sequence of SMTP commands from the client and responses in the form of status codes from the server.

We’ll do a live demo shortly, but MAIL FROM and RCPT TO can be thought of as the “envelope from” and
“recipient to”.

Overview of SMTP commands

According to the applicable SMTP specifications, each implementation of the network protocol must
support at least the following eight commands, consisting of 7-bit ASCII characters:

SMTP command   Meaning
HELO           “Hello.” – the client logs on with its computer name and starts the session
MAIL FROM      The client names the sender of the e-mail
RCPT TO        “Recipient” – the client names the recipient of the e-mail
DATA           The client initiates the transmission of the e-mail
RSET           The client terminates the initiated transmission, but maintains the connection between client and server
VRFY/EXPN      “Verify”/“Expand” – the client checks whether a mailbox is available for message transmission


Email Protection
Forwarding SMTP requests to a SMTP-Relay-Server (Smart host Server)

[Diagram: Internal User -> Internal Mail Server -> XG -> Smarthost server -> Recipient mail Server, with outbound and inbound mail paths. Step 1: HELO process between the internal mail server and the XG; Step 2: SMTP policy check on the XG; Step 3; Step 4: forward to the SmartHost server; Step 5: SMTP forward to the recipient server.]

A Smarthost is an MTA host which allows a mail server to route emails to an intermediate mail server rather
than directly to the recipient's mail server.
In a normal scenario, the internal mail server sends emails to the Sophos Firewall, which initiates the connection to
the recipient’s mail server. When using a Smarthost, the internal mail server initiates the connection to the
Sophos Firewall, which, as an MTA, opens an SMTP connection to the configured Smarthost and routes the
emails to the recipient’s mail server via the Smarthost. In this case, the Smarthost server works as an
intermediate email routing server. It can be configured from Email > General Settings > Smarthost
settings.

It is a five-step process.

From the email logs and headers below, we can see that:
• The [Link] email server ([Link]) received the email from the [Link] server ([Link]).
• [Link] ([Link]) received the email from the Sophos Firewall ([Link] [[Link]]).
• The email was generated from an internal PC (PC001-PC [[Link]]).


Step 1: When an internal user sends an email, the internal mail server establishes a connection with
the recipient’s mail server and performs the SMTP EHLO/HELO process; the internal server then sends the
emails to the Sophos Firewall.

MSG Sep 27 [Link] [T_ACCEPTOR]: Firewall Info: [client fd: 27 fwid: 5 connid: -1951135712 uid: 0 gid: 0
sport: 23759 ]
MSG Sep 27 [Link] [0x2000033d]: New SMTP Session Initialized [Link]:53084 ==>
[Link]:25
INF Sep 27 [Link] [0x2000033d]: init_cache_node: mail transaction started with UID=0xc000000d
INF Sep 27 [Link] [0xc000000d]: Response: 220 [Link] ESMTP ready
INF Sep 27 [Link] [0xc000000d]: Request: 'EHLO SRV001'
INF Sep 27 [Link] [0xc000000d]: Response: [Link] Hello SRV001 [[Link]]
250 STARTTLS
INF Sep 27 [Link] [0xc000000d]: Request: 'STARTTLS'
INF Sep 27 [Link] [0xc000000d]: Response: 220 Ready to start TLS
INF Sep 27 [Link] [0xc000000d]: h-ver '0' , chel-ver '0'
INF Sep 27 [Link] [0xc000000d]: valid client hello
INF Sep 27 [Link] [0xc000000d]: h-ver '3' , chel-ver '5'
INF Sep 27 [Link] [0xc000000d]: initializing ssl session with ss client ctx
INF Sep 27 [Link] [T___WORKER]: Number of ssl renegotiation in this session:'1'
INF Sep 27 [Link] [0xc000000d]: SSL session established with client: '[Link]’

Step 2: When the XG receives these emails, it performs an SMTP policy check before sending them out.

Step 3: The XG then closes the connection with the internal mail server after the policy check.

INF Sep 27 [Link] [T___WORKER]: header length = '33' header type = '3'
INF Sep 27 [Link] [T___WORKER]: header[12] = '’
INF Sep 27 [Link] [T___WORKER]: header length = '2' header type = '0'
INF Sep 27 [Link] [0xc000000d]: message id 'c000000d-1506501410' for current mail
INF Sep 27 [Link] [T___WORKER]: matchpolicy: sender profile is avail
INF Sep 27 [Link] [0x2000033e]: Request: 'QUIT'
INF Sep 27 [Link] [0x2000033e]: Response: 221 [Link] closing connection

Step 4: The XG checks whether a Smarthost is configured in the global policy. In this scenario, a
Smarthost is configured, so the XG sends the emails to the recipient’s mail server via the Smarthost.
INF Sep 27 [Link] [T___WORKER]: matchpolicy: sender profile is avail
MSG Sep 27 [Link] [0xc000000d]: [0xc000000d0] FROM: inuser1@[Link] , TO:
exuser2@[Link]
INF Sep 27 [Link] [T___WORKER]: Relate with Firewall rule id: 5 mtuple flags: 2
MSG Sep 27 [Link] [0xc000000d]: Mail Transaction Started from [Link]:53084 to
[Link]:25 (fdid:27)


MSG Sep 27 [Link] [0xc000000d]: Connecting to server ...
MSG Sep 27 [Link] [0xc000000d]: [0xc000000d] Mail sent successfully with 250 OK

Step 5: Lastly, when the XG receives confirmation from the Smarthost server that the email has been
successfully sent to the recipient’s mail server, it terminates the connection. Recipient users will
think that the email was received from the internal server (which is behind the XG), but when the email
headers are opened, the complete details are shown.

Should the recipient reply to the email, it will arrive directly at the Sophos Firewall, and the headers are as
follows:
Return-Path: <inuser1@[Link]>
Received: from [Link] (UnknownHost [[Link]]) by [Link] with SMTP;
Wed, 27 Sep 2017 [Link] +0530
Received: from [Link] (UnknownHost [[Link]]) by [Link] with SMTP;
Wed, 27 Sep 2017 [Link] +0530
Received: from [[Link]] (PC001-PC [[Link]])
by SRV001 with ESMTPA
; Wed, 27 Sep 2017 [Link] +0530
Subject: Re: Hello Bob!!!!
To: exuser2@[Link]
References: <031471c590b54cd7a17fdcca998195f2@[Link]>

Smarthost configuration is saved under the tables “tblsmarthostsetting” and “tblsmarthostsettingrel”.

Note: The difference between a Smart host server and an Open relay server is that a Smart host only allows
authenticated SMTP traffic, whereas an Open relay allows anyone to send emails through it.
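The Received: headers of such a reply can be read bottom-up to reconstruct the path hop by hop, which is what the handout means by "the complete details are shown". The following is an added example (not Sophos code) that parses a constructed header set modelled on the excerpt above; the hostnames and addresses are placeholders.

```python
"""Reconstruct the relay path of a message from its Received: headers.

Added example for the smarthost scenario above; not Sophos code.  The header
sample is constructed and modelled on the handout's excerpt: hostnames and
addresses are placeholders (RFC 5737 documentation ranges).
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: PC001-PC -> SRV001 -> firewall -> smarthost -> recipient MX.
# The newest Received: header is on top, so the list must be read bottom-up.
SAMPLE_HEADERS = """\
Return-Path: <inuser1@corp.example>
Received: from smarthost.isp.example (UnknownHost [198.51.100.20])
 by mx.partner.example with SMTP; Wed, 27 Sep 2017 15:03:22 +0530
Received: from fw.corp.example (UnknownHost [203.0.113.5])
 by smarthost.isp.example with SMTP; Wed, 27 Sep 2017 15:03:21 +0530
Received: from SRV001 (UnknownHost [192.168.1.10])
 by fw.corp.example with SMTP; Wed, 27 Sep 2017 15:03:20 +0530
Received: from [192.168.1.50] (PC001-PC [192.168.1.50])
 by SRV001 with ESMTPA
 ; Wed, 27 Sep 2017 15:03:19 +0530
Subject: Re: Hello Bob!!!!
To: exuser2@partner.example

(body)
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"            # name the sending host announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # optional (reverse-DNS [IP]) comment
    r"\s+by\s+(?P<by>\S+)"              # host that accepted the message
    r"(?:\s+with\s+(?P<proto>\S+))?"    # protocol, e.g. SMTP, ESMTPA
    r".*?;\s*(?P<date>.+)$"             # timestamp after the semicolon
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def parse_received(value):
    """Parse one Received: header value (folding whitespace is collapsed)."""
    match = RECEIVED_RE.match(" ".join(value.split()))
    if not match:
        return None
    ip = IP_RE.search(match["comment"] or "")
    return {
        "from": match["helo"],
        "ip": ip.group(1) if ip else None,
        "by": match["by"],
        "proto": match["proto"],
        "date": parsedate_to_datetime(match["date"]),
    }


def hop_chain(raw_message):
    """Return the hops oldest-first, i.e. in the order the message travelled."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops = [h for h in hops if h is not None]
    hops.reverse()
    return hops


def transit_seconds(hops):
    """Seconds spent between consecutive hops, from their Received: dates."""
    return [(b["date"] - a["date"]).total_seconds() for a, b in zip(hops, hops[1:])]


def describe(raw_message):
    """Human-readable path, one line per hop, plus the envelope sender."""
    msg = message_from_string(raw_message)
    hops = hop_chain(raw_message)
    lines = [f"Return-Path (envelope from): {msg['Return-Path']}"]
    for i, hop in enumerate(hops, 1):
        ip = f" [{hop['ip']}]" if hop["ip"] else ""
        lines.append(f"hop {i}: {hop['from']}{ip} -> {hop['by']} ({hop['proto']})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_HEADERS)))
```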


Email Protection
MTA Mail-flow diagram

[Diagram: SMTP request on TCP 25 / TCP 587 -> exim-in queue (Acceptor) -> Work Queue (Mail SCANNER, Quarantine queue) -> exim-out queue (Forwarder) -> relay to mail server; SMTPd/QMAN acts as service manager.]
• Acceptor (exim-in queue): EHLO check, DOS check, SSL check, Relay permission, Allow & block list, SPF & BATV, Recipient verification, Grey listing, RBL check, IP reputation
• Work Queue (Mail SCANNER): Cyren spam scan, Avira/Sophos Malware scan, DLP scanning, Sophos Sandstorm scanning, File extension and TFT filter, SPX Encryption; failed mail goes to the Quarantine queue
• Forwarder (exim-out queue): Routing (MX, Static, DNS), Smart host, Require/skip TLS settings, Relay to mail server

Let's take a more detailed look at how the XG processes emails.

The XG uses Exim (4.91) for handling email, which is an open-source Message Transfer Agent (MTA). The
SMTP daemon (SMTPd) starts Exim processes to listen on the following ports:
• 25: the default SMTP port
• 587: authenticated message submission

Note: The MTA listens on port 25 (for Plain and STARTTLS) and port 587. Port 25 is available for scanning by
default, but you need to perform a CLI operation to allow 587, i.e. set service-param SMTP add port 587.
MTA is not supported on port 465.

Exim-in (Acceptor): All emails are accepted into the exim-in queue, where Exim works as the front-end
MTA and accepts all emails on port 25. The Exim acceptor takes /static/proxy/smtp/[Link] as its configuration
[Link] It then verifies email policies like the EHLO check, DOS check, SSL check, relay permission check, allow
& block list, SPF, BATV, recipient verification, grey listing, RBL check and IP reputation, and then forwards
the email to the SMTPD Queue Manager (QMAN).


SMTPD QMAN: SMTPD is the service manager. It invokes all processes, assigns work to the respective processes,
maintains their configuration state and handles failures (restarting them if required) of child [Link]
QMAN sends the email to the Work Queue, which has a SCANNER queue and a Quarantine queue.

Work Queue: Once in the Work Queue, emails are processed by the SCANNER queue, where the content
checks take place, including all of the antivirus and antispam checks. If the email fails the checks it is sent to
the Quarantine queue, which quarantines the email. The mail scanner is the scanner process: SMTPD sends mails
to a scanner for batch policy processing and maintains the pool of scanners, picking one scanner for each
email. The scanner process loads the policies and applies the email scanning policies:
1) Avira/Sophos Malware scan
2) Cyren spam scan
3) DLP scanning
4) Sophos Sandstorm scanning
5) File extension and TFT filter
6) SPX Encryption

Exim-out (Forwarder): Exim also works as the back-end MTA. SMTPD invokes the Exim forwarder with the
configuration file /static/proxy/smtp/[Link]. The Exim forwarder takes emails from /var/spool/output/input
and forwards them as per the forwarding [Link] the email passes all of the content checks it is
forwarded to the exim-out queue, from where it is relayed to the mail server configured for the recipient
domain. This module sends mail to the mail server according to the routing configuration (MX, Static, DNS)
and smart host; if it fails to send the mail, the mail is submitted to the queue.

When the XG is sending outgoing emails, SMTPd forks an Exim process that acts as an SMTP client,
connecting to the destination SMTP server for the recipient domain to deliver the message.


Email Protection
MTA mode log files

Log file                                              Description
/log/smtpd_main.log                                   Most important logs for smtpd events.
/log/smtpd_panic.log, /log/smtpd_error.log            Prefilter (exim), infilter (smtpd, scanner), postfilter logs (exim)
/log/[Link]                                           Antivirus/sandbox/mimefilter
/log/[Link] /log/[Link] /log/[Link] (since v19)       Antispam scanning, CTIP Antispam daemon
/log/[Link]                                           Various timer activities
/log/[Link]                                           Quarantine digest report

The whole process of accepting the email, moving it between queues, and performing the checks can be
tracked in smtpd_main.log. Emails are tracked using the message ID <6>-<6>-<2>-H/-D, which changes
as the message moves between queues. There are other log files as well, i.e. smtpd_panic.log and
smtpd_error.log, which are used for mails that the mail scanner is not able to process.

The exim-in queue performs all of the connection and routing checks for the emails, including relay,
recipient verification and real-time blackhole list (RBL) checks.

All of the checks on the content of the email itself are performed in the SCANNER queue.

Note: Running ‘service smtpd:debug -ds nosync‘ enables debug logging; running the same command
a second time disables it.


Email Protection
Mail Logs on the WebAdmin

[Screenshot: Mail logs page on the WebAdmin]

The mail logs above show different mail actions, such as Dropped, Delivered, Filtered and Quarantined, as
per policy.

Messages rejected during the SMTP transaction do not appear in the log viewer in XG v17.5. In MTA mode, we
can see them from the GUI (Email > Mail logs page), but in Legacy mode it is not possible to see these logs
from the GUI.

It is a known behavior that the log viewer for email shows all email communication as firewall rule ID ‘0’
only, whereas the SMTPd logs and conntrack show the correct marking of the firewall rule.


Email Protection
Enabling, disabling and verifying the debug mode for the smtpd service

# service smtpd:debug -ds nosync
200 OK

# service -S | grep smtpd
smtpd RUNNING,DEBUG

# cat /log/smtpd_main.log | grep -i toggling
MSG Nov 13 [Link] [ MPOLLER]: Toggling log level to: INF
MSG Nov 13 [Link] [ T_SMTPD-W]: Toggling log level to: DBG

# service smtpd:exim_debug -ds nosync
200 OK

# cat /log/smtpd_main.log | grep mode
MSG Nov 25 [Link] [ T_SMTPD-W]: [MT] running exim in debug mode
MSG Nov 25 [Link] [ T_SMTPD-W]: [MT] running exim in default mode

When debugging smtpd, the standard XG debug command is used: service smtpd:debug -d -s nosync. The
same command is used to disable it.

As you can see above, running service -S | grep smtpd displays the current status of the smtpd service.

The smtpd_main.log allows us to verify whether the debug mode was successfully [Link] The message
“MSG Apr 16 [Link] [ T_SMTPD-W]: Toggling log level to: DBG” shows that debugging is running.

service smtpd:exim_debug -ds nosync is used specifically when you want more details for debugging, e.g. if
you want to know which RBL blocked a message. The message “MSG Nov 25 [Link] [ T_SMTPD-W]: [MT]
running exim in debug mode” shows that debugging is running.

Note: Ensure that you disable the DEBUG status on ANY XG service. The longer you retain the DEBUG status,
the more log entries are generated in the corresponding log file and the more DISK SPACE is occupied.


MTA Mode Configuration files

The two main directories for SMTP configuration/policy are /static/proxy/smtp/ and /cfs/proxy/smtp, which
include all information for MTA, SMTP, SPX and Exim.

# cd /cfs/proxy/smtp/conf/
# ls
[Link] exim_macro.conf [Link] [Link] [Link] [Link] [Link]
exim_fqdn.conf exim_profile [Link] [Link] [Link] [Link]

# cd /static/proxy/smtp/
# ls
[Link] [Link] exim_default.conf [Link] [Link]
[Link] exim_db.sql [Link] [Link]

MTA Mode
Database tables

The database commands above give us details about the mail logs and mail spool. The other important
database tables below can also be useful for troubleshooting.

List of relations
Schema | Name | Type | Owner
--------+------------------------+-------+--------
config | tblmtalist | table | pgroot
config | tblmtalistdetail | table | pgroot
config | tblmtaspxconfigrel | table | pgroot
config | tblmtaspxconfiguration | table | pgroot
config | tblmtaspxtemplates | table | pgroot
(5 rows)

# psql -U nobody -d corporate -c "\dt "
List of relations
Schema | Name | Type | Owner
--------+----------------------+-------+--------
config | tblbackupmaildetail | table | pgroot
config | tblemailarchiver | table | pgroot
config | tblemailuserlist | table | pgroot
config | tblemailusersallowed | table | pgroot
config | tblemailusersblocked | table | pgroot
config | tblmailproxyconf | table | pgroot
config | tblmailschedule | table | pgroot
config | tblmailsignature | table | pgroot

# psql -U nobody -d corporate -c "\dt "
List of relations
Schema | Name | Type | Owner
--------+------------------------------+-------+--------
config | tblsmtpprofile | table | pgroot
config | tblsmtpprofile_blockfiletype | table | pgroot
config | tblsmtpprofile_domain_rel | table | pgroot
config | tblsmtpprofile_rbl_rel | table | pgroot
config | tblsmtpprofile_routing_rel | table | pgroot
config | tblsmtpprofile_whitelisttype | table | pgroot
(6 rows)


Email Protection
Log example for an SMTP connection in “smtpd_main.log”
# cat /log/smtpd_main.log | grep -e "1iZCtl-0002Lk-TQ" -e "YPM7sO-E0t1fq-ZK"
2019-11-25 [Link].017 [9036] 1iZCtl-0002Lk-TQ <= jbrown@[Link] H=[Link] Exim
([Link]) [[Link]]:44532 I=[[Link]]:25 P=esmtp S=930 M8S=8 RT=0.086s message id
id=[Link]@[Link] T="SMTP Plain" from
<jbrown@[Link]> for frogers@[Link]
MSG Nov 25 [Link] [ T_SMTPD-M]: new mail queued, add to inqueue '1iZCtl-0002Lk-TQ-D'
MSG Nov 25 [Link] [ T_SMTPD-W]: Mail assigned to 'MS-2861' for scanning '1iZCtl-0002Lk-TQ-D'
MSG Nov 25 [Link] [ MS-2861]: scan request 1iZCtl-0002Lk-TQ-D
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: spam scanning result: 'not spam'
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: [0x8543e700] FROM: jbrown@[Link] , TO:
frogers@[Link]
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: [0x8543e700](frogers@[Link])SF Policy Action: ACCEPT
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: move 'YPM7sO-E0t1fq-ZK' to forwarder queue
MSG Nov 25 [Link] [1iZCtl-0002Lk-TQ]: YPM7sO-E0t1fq-ZK <= jbrown@[Link] R=1iZCtl-0002Lk-
TQ
MSG Nov 25 [Link] [ MS-2861]: processing for 1iZCtl-0002Lk-TQ completed
MSG Nov 25 [Link] [ T_SMTPD-W]: [SMTPD] mail '1iZCtl-0002Lk-TQ-D' processed sucessfully
2019-11-25 [Link].418 [9102] YPM7sO-E0t1fq-ZK => frogers@[Link] F=<jbrown@[Link]>
P=<jbrown@[Link]> R=static_route_hostlist T=static_smtp S=1267 H=[Link]
[[Link]]:25 I=[[Link]]:33581 C="250 Requested mail action okay, completed" QT=18s
DT=0.036s
2019-11-25 [Link].419 [9102] YPM7sO-E0t1fq-ZK Completed QT=18s
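The excerpt above follows one message through two IDs: the acceptor ID (1iZCtl-0002Lk-TQ) and the forwarder ID it is moved to (YPM7sO-E0t1fq-ZK), joined by the "move ... to forwarder queue" line. The following is an added example (not Sophos code) that performs that join and collects the scan results and delivery status from constructed smtpd_main.log lines modelled on the excerpt; hostnames, addresses and timestamps are placeholders.

```python
"""Correlate acceptor (exim-in) and forwarder (exim-out) IDs in smtpd_main.log.

Added example, not Sophos code.  SAMPLE_LOG is constructed and modelled on the
excerpt above; hostnames, addresses and timestamps are placeholders.
"""
import re

ID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"   # Exim <6>-<6>-<2> message ID

# Exim acceptor line: "<id> <= <envelope from> ... for <envelope recipient>"
EXIM_IN = re.compile(rf"^\S+ \S+ \[\d+\] (?P<id>{ID}) <= (?P<from>\S+) .* for (?P<rcpt>\S+)$")
# Exim forwarder line: "<out id> => <recipient> ... C=\"<SMTP reply of the next hop>\""
EXIM_OUT = re.compile(rf'^\S+ \S+ \[\d+\] (?P<id>{ID}) => (?P<rcpt>\S+) .* C="(?P<code>\d{{3}})')
EXIM_DONE = re.compile(rf"^\S+ \S+ \[\d+\] (?P<id>{ID}) Completed QT=(?P<qt>\S+)$")
# smtpd / scanner lines: "MSG Nov 25 10:15:01 [<message id or thread name>]: <text>"
SMTPD = re.compile(r"^(?:MSG|INF|DBG) \w{3} +\d+ \S+ \[\s*(?P<ctx>[^\]]+)\]: (?P<msg>.*)$")

SCANNER = re.compile(rf"Mail assigned to '(?P<ms>MS-\d+)' for scanning '(?P<id>{ID})-D'")
SPAM = re.compile(r"spam scanning result: '(?P<r>[^']*)'")
AV = re.compile(r"Antivirus Scanned result: (?P<r>\w+)")
ACTION = re.compile(r"SF Policy Action: (?P<r>\w+)")
MOVE = re.compile(rf"move '(?P<out>{ID})' to forwarder queue")

# Constructed sample: one delivered message and one still being scanned.
SAMPLE_LOG = """\
2019-11-25 10:15:01.017 [9036] 1iZCtl-0002Lk-TQ <= jbrown@sender.example H=mail.sender.example [198.51.100.10]:44532 I=[203.0.113.25]:25 P=esmtp S=930 M8S=8 RT=0.086s id=msg1@sender.example T="SMTP Plain" from <jbrown@sender.example> for frogers@partner.example
MSG Nov 25 10:15:01 [ T_SMTPD-M]: new mail queued, add to inqueue '1iZCtl-0002Lk-TQ-D'
MSG Nov 25 10:15:01 [ T_SMTPD-W]: Mail assigned to 'MS-2861' for scanning '1iZCtl-0002Lk-TQ-D'
MSG Nov 25 10:15:01 [ MS-2861]: scan request 1iZCtl-0002Lk-TQ-D
MSG Nov 25 10:15:02 [1iZCtl-0002Lk-TQ]: spam scanning result: 'not spam'
MSG Nov 25 10:15:02 [1iZCtl-0002Lk-TQ]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG Nov 25 10:15:02 [1iZCtl-0002Lk-TQ]: [0x8543e700](frogers@partner.example)SF Policy Action: ACCEPT
MSG Nov 25 10:15:02 [1iZCtl-0002Lk-TQ]: move 'YPM7sO-E0t1fq-ZK' to forwarder queue
MSG Nov 25 10:15:02 [1iZCtl-0002Lk-TQ]: YPM7sO-E0t1fq-ZK <= jbrown@sender.example R=1iZCtl-0002Lk-TQ
MSG Nov 25 10:15:02 [ MS-2861]: processing for 1iZCtl-0002Lk-TQ completed
2019-11-25 10:15:19.418 [9102] YPM7sO-E0t1fq-ZK => frogers@partner.example F=<jbrown@sender.example> R=static_route_hostlist T=static_smtp S=1267 H=mail.partner.example [192.0.2.30]:25 I=[192.0.2.1]:33581 C="250 Requested mail action okay, completed" QT=18s DT=0.036s
2019-11-25 10:15:19.419 [9102] YPM7sO-E0t1fq-ZK Completed QT=18s
2019-11-25 10:16:40.100 [9036] 1iZCvA-0002Mm-Qb <= asmith@sender.example H=mail.sender.example [198.51.100.10]:44540 I=[203.0.113.25]:25 P=esmtp S=4412 T="Second test" from <asmith@sender.example> for frogers@partner.example
MSG Nov 25 10:16:40 [ T_SMTPD-W]: Mail assigned to 'MS-2861' for scanning '1iZCvA-0002Mm-Qb-D'
MSG Nov 25 10:16:41 [1iZCvA-0002Mm-Qb]: spam scanning result: 'not spam'
"""


def new_record(in_id):
    return {"in_id": in_id, "from": None, "rcpt": None, "scanner": None, "spam": None,
            "av": None, "action": None, "out_id": None, "smtp_code": None, "qt": None,
            "status": "accepted"}


def correlate(lines):
    """Return {acceptor id: record} joining inbound, scan and outbound details."""
    records = {}
    out_to_in = {}                      # forwarder-queue id -> acceptor id
    for line in lines:
        if m := EXIM_IN.match(line):
            rec = records.setdefault(m["id"], new_record(m["id"]))
            rec["from"], rec["rcpt"] = m["from"], m["rcpt"]
        elif (m := EXIM_OUT.match(line)) and m["id"] in out_to_in:
            rec = records[out_to_in[m["id"]]]
            rec["smtp_code"] = m["code"]
            rec["status"] = "delivered" if m["code"].startswith("2") else "delivery failed"
        elif (m := EXIM_DONE.match(line)) and m["id"] in out_to_in:
            records[out_to_in[m["id"]]]["qt"] = m["qt"]
        elif m := SMTPD.match(line):
            ctx, msg = m["ctx"], m["msg"]
            if s := SCANNER.search(msg):
                records.setdefault(s["id"], new_record(s["id"]))["scanner"] = s["ms"]
            elif re.fullmatch(ID, ctx):     # skip thread contexts (T_SMTPD-W, MS-2861, ...)
                rec = records.setdefault(ctx, new_record(ctx))
                for key, pat in (("spam", SPAM), ("av", AV), ("action", ACTION)):
                    if hit := pat.search(msg):
                        rec[key] = hit["r"]
                if mv := MOVE.search(msg):
                    rec["out_id"] = mv["out"]
                    out_to_in[mv["out"]] = ctx
                    rec["status"] = "queued for delivery"
    return records


def summarize(records):
    """One line per message for a quick queue/delivery overview."""
    out = []
    for r in records.values():
        tail = f" ({r['smtp_code']}, QT={r['qt']})" if r["smtp_code"] else ""
        out.append(f"{r['in_id']} -> {r['out_id'] or '(no forwarder id yet)'}: "
                   f"{r['from']} -> {r['rcpt']} | scanner={r['scanner']} spam={r['spam']} "
                   f"av={r['av']} action={r['action']} | {r['status']}{tail}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(correlate(SAMPLE_LOG.splitlines()))))
```

A message that stays at "accepted" with no forwarder ID is one the scanner has not finished (or has not logged a policy action for), which is the first thing to look for when mail appears stuck.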

Troubleshooting MTA
Log example for an SMTP connection

The logs below are debug SMTP connection logs.

Every email connection has two unique Exim message IDs in the format <6>-<6>-<2>-H/-D, for header and
data, so we need to grep for the connection based on that unique ID.

# tail -f /log/smtpd_main.log
DBG Nov 14 [Link] [ T_SMTPD-M]: ignore temp file '1iVBtB-0004pF-La-H'
2019-11-14 [Link].692 [18553] 1iVBtB-0004pF-La <= jbrown@[Link] H=[Link]
([Link]) [[Link]]:44040 I=[[Link]]:25 P=esmtp S=930 M8S=8 RT=0.014s
id=[Link]@[Link] T="SMTP Debug" from
<jbrown@[Link]> for frogers@[Link]
MSG Nov 14 [Link] [ T_SMTPD-M]: new mail queued, add to inqueue '1iVBtB-0004pF-La-D'
MSG Nov 14 [Link] [ T_SMTPD-W]: Mail assigned to 'MS-17086' for scanning '1iVBtB-0004pF-La-D'
MSG Nov 14 [Link] [ MS-17086]: scan request 1iVBtB-0004pF-La-D
INF Nov 14 [Link] [ MS-17086]: start processing new mail /sdisk/spool/input/work/1iVBtB-0004pF-La-
[Link]
DBG Nov 14 [Link] [ MS-17086]: parse_file_name: mail msg_id = 1iVBtB-0004pF-La
id 1iVBtB-0004pF-La
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: process_mail() reloading mail = 0 bytes
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: smtp_reload_mail() read 930 bytes from file
id 1iVBtB-0004pF-La
id 1iVBtB-0004pF-La
DBG Nov 14 [Link] [ MS-17086]: unfolded string 'Received: from [Link] ([[Link]]:44040
helo=[Link])by [Link] with esmtp (Exim 4.91)(envelope-from
<jbrown@[Link]>)id 1iVBtB-0004pF-Lafor frogers@[Link]; Thu, 14 Nov 2019 [Link] -0600
INF Nov 14 [Link] [1iVBtB-0004pF-La]: message id '1iVBtB-0004pF-La-1573725490' for current mail
[Sub:'SMTP Debug']
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: Total mail size(ss->mail_size) = 930 bytes
DBG Nov 14 [Link] [ MS-17086]: session query buffer: insert into tblmailspool(mail_id, mail_from,
rcpt_to, m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port)
select '1iVBtB-0004pF-La','jbrown@[Link]','frogers@[Link]', 'SMTP Debug',
to_timestamp('1573725490'), '1iVBtB-0004pF-La', 930, 0, 'Mail has been queued for delivery.', '1iVBtB-
0004pF-La', '[Link]', 44040 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVBtB-
0004pF-La' AND rcpt_to='frogers@[Link]');
DBG Nov 14 [Link] [ MS-17086]: queries = insert into tblmailspool(mail_id, mail_from, rcpt_to,
m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port) select
'1iVBtB-0004pF-La','jbrown@[Link]','frogers@[Link]', 'SMTP Debug',
to_timestamp('1573725490'), '1iVBtB-0004pF-La', 930, 0, 'Mail has been queued for delivery.', '1iVBtB-
0004pF-La', '[Link]', 44040 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVBtB-
0004pF-La' AND rcpt_to='frogers@[Link]');
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: blog->reason: Email has been accepted by Device
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: blog->reason(0)
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: Applying policy to 'frogers@[Link]'
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: matchcurrentpolicy: called 0
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: DOIBSCAN
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: DOIBSCAN
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: Blocked
X-CTCH-FileName: /sdisk/spool/input/work/[Link]
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: ct_callback: called
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: spam scanning result: 'not spam'
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: detail spam result:
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: calling process_mail
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: matchcurrentpolicy: called 0
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: DOIBSCAN
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION

DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: SCANCONTENT
INF Nov 14 [Link] [1iVBtB-0004pF-La]: Scan content Malware Scanning: 1 True File Type: 1 Data
Protection: 0 Sandstorm: 0
DBG Nov 14 [Link] [ MS-17086]: scan_file_for_virus(): Selected Filename:
'/sdisk/spool/input/work/[Link]'
DBG Nov 14 [Link] [ MS-17086]: scan_file_for_virus(): len='107' data=0x9d03668,
filename='/sdisk/spool/input/work/[Link]' index='3'
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: Blocked
DBG Nov 14 [Link] [ MS-17086]: smtp_av_callback_batch: scan result for
/sdisk/spool/input/work/[Link] attache_count = -1
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: AV response tlv number: '21'
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: AV response tlv number: '0'
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: Sophos Antivirus Scanned result: Clean (file number:-1)
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: calling process_mail with '4' state
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: matchcurrentpolicy: called 0
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: compare_mailsize() called.
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: DOFILTER
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: CONDITION
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: compare_filtered() called.
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: ADDHEADER 0
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: [0x9d047d80] FROM: jbrown@[Link] , TO:
frogers@[Link]
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: [0x9d047d80](frogers@[Link])SF Policy Action: ACCEPT
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: Loop for '1' Recipient done(Matchpolicy)
DBG Nov 14 [Link] [1iVBtB-0004pF-La]: policy matching done
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: move '1JDVpq-WPclCU-FE' to forwarder queue
MSG Nov 14 [Link] [1iVBtB-0004pF-La]: 1JDVpq-WPclCU-FE <= jbrown@[Link] R=1iVBtB-
0004pF-La
DBG Nov 14 [Link] [ MS-17086]: session query buffer: update tblmailspool set out_mail_id = '1JDVpq-
WPclCU-FE', m_subject = 'SMTP Debug', filename = '1JDVpq-WPclCU-FE', m_reason = 0 where
mail_id='1iVBtB-0004pF-La' and rcpt_to = 'frogers@[Link]';

DBG Nov 14 [Link] [ MS-17086]: queries = update tblmailspool set out_mail_id = '1JDVpq-WPclCU-FE',
m_subject = 'SMTP Debug', filename = '1JDVpq-WPclCU-FE', m_reason = 0 where mail_id='1iVBtB-0004pF-
La' and rcpt_to = 'frogers@[Link]';
MSG Nov 14 [Link] [ MS-17086]: processing for 1iVBtB-0004pF-La completed
MSG Nov 14 [Link] [ T_SMTPD-W]: [SMTPD] mail '1iVBtB-0004pF-La-D' processed sucessfully
2019-11-14 [Link].118 [18558] 1JDVpq-WPclCU-FE => frogers@[Link]
F=<jbrown@[Link]> P=<jbrown@[Link]> R=static_route_hostlist T=static_smtp S=1267
H=[Link] [[Link]]:25 I=[[Link]]:52144 C="250 Requested mail action okay, completed"
QT=9s DT=0.009s
2019-11-14 [Link].118 [18558] 1JDVpq-WPclCU-FE Completed QT=9s
DBG Nov 14 [Link] [ MPOLLER]: handle_inotify_event: file received in msglog queue '1JDVpq-WPclCU-
FE'
DBG Nov 14 [Link] [ MPOLLER]: file received in [Link] queue '1JDVpq-WPclCU-FE'
DBG Nov 14 [Link] [ MPOLLER]: process_omsg_file: file path =
/sdisk/spool//output/[Link]/1JDVpq-WPclCU-FE
DBG Nov 14 [Link] [ MPOLLER]: get_maildata_from_spool: query = select mail_id, mail_from, rcpt_to,
m_subject, time_stamp, m_size, m_reason from tblmailspool where out_mail_id='1JDVpq-WPclCU-FE'
DBG Nov 14 [Link] [ MPOLLER]: get_maildata_from_spool: 0th column value is 1iVBtB-0004pF-La
DBG Nov 14 [Link] [ MPOLLER]: insert_into_maillog: Query is 'insert into
tblmaillog(mail_id,mail_from,rcpt_to,m_subject,recv_time,m_size,m_status,m_reason,decription,fwd_tim
e,out_mail_id) values('1iVBtB-0004pF-La','jbrown@[Link]','frogers@[Link]','SMTP
Debug','2019-11-14 [Link]', '930', 2, 0, 'Mail sent successfully.', to_timestamp('1573725498'), '1JDVpq-
WPclCU-FE')'
DBG Nov 14 [Link] [ MPOLLER]: delete_from_spool: query = delete from tblmailspool where
out_mail_id='1JDVpq-WPclCU-FE'
DBG Nov 14 [Link] [ MPOLLER]: spool updated for '/sdisk/spool//output/[Link]/1JDVpq-
WPclCU-FE'
DBG Nov 14 [Link] [ MPOLLER]: process_msg_file: precessing 1JDVpq-WPclCU-FE

Log example for a virus file

The Email proxy determined that the content contained an infected malware file, which has been blocked.

Note: The current scanning time interval is 2 mins. At every re-scan it picks up the updated policy; if dual
scanning is configured, both engines scan, and if single, only the primary AV scans.

DBG Nov 15 [Link] [ T_SMTPD-M]: ignore temp file '1iVYmo-0000QK-NH-H'

2019-11-15 [Link].742 [1632] 1iVYmo-0000QK-NH <= jbrown@[Link] H=[Link]
([Link]) [[Link]]:44310 I=[[Link]]:25 P=esmtp S=1329 M8S=8 RT=0.007s
id=[Link]@[Link] T="Virus Email" from
<jbrown@[Link]> for frogers@[Link]
MSG Nov 15 [Link] [ T_SMTPD-M]: new mail queued, add to inqueue '1iVYmo-0000QK-NH-D'
MSG Nov 15 [Link] [ T_SMTPD-W]: Mail assigned to 'MS-2920' for scanning '1iVYmo-0000QK-NH-D'
MSG Nov 15 [Link] [ MS-2920]: scan request 1iVYmo-0000QK-NH-D
INF Nov 15 [Link] [ MS-2920]: start processing new mail /sdisk/spool/input/work/1iVYmo-0000QK-
[Link]
DBG Nov 15 [Link] [ MS-2920]: parse_file_name: mail msg_id = 1iVYmo-0000QK-NH
id 1iVYmo-0000QK-NH
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: process_mail() reloading mail = 0 bytes
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: smtp_reload_mail() read 1329 bytes from file
id 1iVYmo-0000QK-NH
id 1iVYmo-0000QK-NH
DBG Nov 15 [Link] [ MS-2920]: unfolded string 'Received: from [Link] ([[Link]]:44310
helo=[Link])by [Link] with esmtp (Exim 4.91)(envelope-from
<jbrown@[Link]>)id 1iVYmo-0000QK-NHfor frogers@[Link]; Fri, 15 Nov 2019 [Link] -
0600
INF Nov 15 [Link] [1iVYmo-0000QK-NH]: message id '1iVYmo-0000QK-NH-1573813506' for current mail
[Sub:'Virus Email']
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: Total mail size(ss->mail_size) = 1329 bytes
DBG Nov 15 [Link] [ MS-2920]: session query buffer: insert into tblmailspool(mail_id, mail_from,
rcpt_to, m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port)
select '1iVYmo-0000QK-NH','jbrown@[Link]','frogers@[Link]', 'Virus Email',
to_timestamp('1573813506'), '1iVYmo-0000QK-NH', 1329, 0, 'Mail has been queued for delivery.', '1iVYmo-
0000QK-NH', '[Link]', 44310 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVYmo-
0000QK-NH' AND rcpt_to='frogers@[Link]');
DBG Nov 15 [Link] [ MS-2920]: queries = insert into tblmailspool(mail_id, mail_from, rcpt_to,
m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port) select
'1iVYmo-0000QK-NH','jbrown@[Link]','frogers@[Link]', 'Virus Email',
to_timestamp('1573813506'), '1iVYmo-0000QK-NH', 1329, 0, 'Mail has been queued for delivery.', '1iVYmo-
0000QK-NH', '[Link]', 44310 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVYmo-
0000QK-NH' AND rcpt_to='frogers@[Link]');
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: blog->reason: Email has been accepted by Device
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: blog->reason(0)
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: Applying policy to 'frogers@[Link]'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: matchcurrentpolicy: called 0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: DOIBSCAN
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: DOIBSCAN
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: Blocked
X-CTCH-FileName: /sdisk/spool/input/work/[Link]
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: ct_callback: called
MSG Nov 15 [Link] [1iVYmo-0000QK-NH]: spam scanning result: 'not spam'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: detail spam result:
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: calling process_mail
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: matchcurrentpolicy: called 0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: DOIBSCAN
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: CONDITION
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: CONDITION
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: SCANCONTENT
INF Nov 15 [Link] [1iVYmo-0000QK-NH]: Scan content Malware Scanning: 1 True File Type: 1 Data
Protection: 0 Sandstorm: 0
DBG Nov 15 [Link] [ MS-2920]: add_name_to_ss: we have attache cnt=1,
name=/sdisk/spool//attach/0x1iVYmo-0000QK-NH-0
DBG Nov 15 [Link] [ MS-2920]: scan_file_for_virus(): Selected Filename:
'/sdisk/spool//attach/0x1iVYmo-0000QK-NH-0'
DBG Nov 15 [Link] [ MS-2920]: scan_file_for_virus(): len='143' data=0x85a7640,
filename='/sdisk/spool//attach/0x1iVYmo-0000QK-NH-0' index='4'
DBG Nov 15 [Link] [ MS-2920]: scan_file_for_virus(): Selected Filename:
'/sdisk/spool/input/work/[Link]'
DBG Nov 15 [Link] [ MS-2920]: scan_file_for_virus(): len='107' data=0x85a7660,
filename='/sdisk/spool/input/work/[Link]' index='5'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: Blocked
DBG Nov 15 [Link] [ MS-2920]: smtp_av_callback_batch: scan result for
/sdisk/spool//attach/0x1iVYmo-0000QK-NH-0 attache_count = 0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: AV response tlv number: '21'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: AV response tlv number: '2'
INF Nov 15 [Link] [1iVYmo-0000QK-NH]: Sophos Antivirus has Detected Malware
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: data length:62 processed:0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: handle_threat_list(): we have threat list 'EICAR-AV-Test'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: data length:62 processed:17
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: handle_file_list(): we have threat list
'/sdisk/spool//attach/0x1iVYmo-0000QK-NH-0'
DBG Nov 15 [Link] [ MS-2920]: smtp_av_callback_batch: scan result for
/sdisk/spool/input/work/[Link] attache_count = -1
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: AV response tlv number: '21'
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: AV response tlv number: '2'
INF Nov 15 [Link] [1iVYmo-0000QK-NH]: Sophos Antivirus has Detected Malware
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: data length:77 processed:0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: data length:77 processed:17
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: calling process_mail with '4' state
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: matchcurrentpolicy: called 0
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: CONDITION
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: IF condition TRUE
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: BLOG
MSG Nov 15 [Link] [1iVYmo-0000QK-NH]: [0x0](frogers@[Link])SF Policy Action: DROP
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: blog->reason: INFECTED
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: blog->reason(10)
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: Loop for '1' Recipient done(Matchpolicy)
DBG Nov 15 [Link] [1iVYmo-0000QK-NH]: policy matching done
MSG Nov 15 [Link] [1iVYmo-0000QK-NH]: completed processing mail for 'frogers@[Link]'
DBG Nov 15 [Link] [ MS-2920]: session query buffer: delete from tblmailspool where
mail_id='1iVYmo-0000QK-NH' and rcpt_to = 'frogers@[Link]';
DBG Nov 15 [Link] [ MS-2920]: session query buffer: delete from tblmailspool where
mail_id='1iVYmo-0000QK-NH' and rcpt_to = 'frogers@[Link]';insert into tblmaillog(mail_id,
mail_from, rcpt_to, m_subject, recv_time, m_size, m_status, m_reason, decription, fwd_time)
values('1iVYmo-0000QK-NH', 'jbrown@[Link]', 'frogers@[Link]', 'Virus Email',
to_timestamp('1573813507'), 1329, 8, 1, 'Mail has been dropped by policy SMTP.',
to_timestamp('1573813507'));
DBG Nov 15 [Link] [ MS-2920]: queries = delete from tblmailspool where mail_id='1iVYmo-0000QK-
NH' and rcpt_to = 'frogers@[Link]';insert into tblmaillog(mail_id, mail_from, rcpt_to, m_subject,
recv_time, m_size, m_status, m_reason, decription, fwd_time) values('1iVYmo-0000QK-NH',
'jbrown@[Link]', 'frogers@[Link]', 'Virus Email', to_timestamp('1573813507'), 1329, 8, 1,
'Mail has been dropped by policy SMTP.', to_timestamp('1573813507'));
MSG Nov 15 [Link] [ MS-2920]: processing for 1iVYmo-0000QK-NH completed
DBG Nov 15 [Link] [ MS-2920]: destroy_acl: free acl node 7
DBG Nov 15 [Link] [ MS-2920]: free_mail_data:file name to delete = /sdisk/spool//attach/0x1iVYmo-0000QK-NH-0
MSG Nov 15 [Link] [ T_SMTPD-W]: [SMTPD] mail '1iVYmo-0000QK-NH-D' processed sucessfully

Log example for a spam file

The Email proxy determined that the content is spam, so it has been quarantined as per policy.

DBG Nov 15 [Link] [ T_SMTPD-M]: ignore temp file '1iVXtf-0007Wh-2s-H'
2019-11-15 [Link].120 [28935] 1iVXtf-0007Wh-2s <= jbrown@[Link] H=[Link]
([Link]) [[Link]]:44250 I=[[Link]]:25 P=esmtp S=1035 M8S=8 RT=0.021s
id=[Link]@[Link] T="Spam Email" from
<jbrown@[Link]> for frogers@[Link]
MSG Nov 15 [Link] [ T_SMTPD-M]: new mail queued, add to inqueue '1iVXtf-0007Wh-2s-D'
MSG Nov 15 [Link] [ T_SMTPD-W]: Mail assigned to 'MS-2920' for scanning '1iVXtf-0007Wh-2s-D'
MSG Nov 15 [Link] [ MS-2920]: scan request 1iVXtf-0007Wh-2s-D
INF Nov 15 [Link] [ MS-2920]: start processing new mail /sdisk/spool/input/work/1iVXtf-0007Wh-2s-
[Link]
DBG Nov 15 [Link] [ MS-2920]: parse_file_name: mail msg_id = 1iVXtf-0007Wh-2s
id 1iVXtf-0007Wh-2s
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: process_mail() reloading mail = 0 bytes
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: smtp_reload_mail() read 1035 bytes from file
id 1iVXtf-0007Wh-2s
id 1iVXtf-0007Wh-2s
DBG Nov 15 [Link] [ MS-2920]: unfolded string 'Received: from [Link] ([[Link]]:44250
helo=[Link])by [Link] with esmtp (Exim 4.91)(envelope-from
<jbrown@[Link]>)id 1iVXtf-0007Wh-2sfor frogers@[Link]; Fri, 15 Nov 2019 [Link] -0600
INF Nov 15 [Link] [1iVXtf-0007Wh-2s]: message id '1iVXtf-0007Wh-2s-1573810087' for current mail
[Sub:'Spam Email']
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: Total mail size(ss->mail_size) = 1035 bytes
DBG Nov 15 [Link] [ MS-2920]: session query buffer: insert into tblmailspool(mail_id, mail_from,
rcpt_to, m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port)
select '1iVXtf-0007Wh-2s','jbrown@[Link]','frogers@[Link]', 'Spam Email',
to_timestamp('1573810087'), '1iVXtf-0007Wh-2s', 1035, 0, 'Mail has been queued for delivery.', '1iVXtf-
0007Wh-2s', '[Link]', 44250 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVXtf-
0007Wh-2s' AND rcpt_to='frogers@[Link]');
DBG Nov 15 [Link] [ MS-2920]: queries = insert into tblmailspool(mail_id, mail_from, rcpt_to,
m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port) select
'1iVXtf-0007Wh-2s','jbrown@[Link]','frogers@[Link]', 'Spam Email',
to_timestamp('1573810087'), '1iVXtf-0007Wh-2s', 1035, 0, 'Mail has been queued for delivery.', '1iVXtf-
0007Wh-2s', '[Link]', 44250 WHERE NOT EXISTS (select 1 from tblmailspool where mail_id='1iVXtf-
0007Wh-2s' AND rcpt_to='frogers@[Link]');
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: blog->reason: Email has been accepted by Device
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: blog->reason(0)
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: Applying policy to 'frogers@[Link]'
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: matchcurrentpolicy: called 0
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: DOIBSCAN
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: DOIBSCAN
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: Blocked
X-CTCH-FileName: /sdisk/spool/input/work/[Link]
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: ct_callback: called
MSG Nov 15 [Link] [1iVXtf-0007Wh-2s]: spam scanning result: 'Confirmed spam'
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: detail spam result:
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: calling process_mail
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: matchcurrentpolicy: called 0
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: DOIBSCAN
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: CONDITION
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: IF condition TRUE
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: BLOG
MSG Nov 15 [Link] [1iVXtf-0007Wh-2s]: [0x85b7e70](frogers@[Link])SF Policy Action:
QUARANTINE
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: blog->reason: Spam
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: blog->reason(6)
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: insert_quarantine_query: Query = insert into
tblquarantinespammailmergev6(date,src_ip,messageid,sender,recipient,subject,size,srcdomain,quarantine
area,protocol,ruletype,reason) values(to_timestamp(1573810089),'[Link]','1iVXtf-0007Wh-2s-
1573810087','jbrown@[Link]','frogers@[Link]','Spam
Email',1035,'[Link]','/sdisk/spool//quarantine/0/R/jt2OM0-r3y7DF-hR',6,'SMTP',6)
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: Loop for '1' Recipient done(Matchpolicy)
DBG Nov 15 [Link] [1iVXtf-0007Wh-2s]: policy matching done
MSG Nov 15 [Link] [1iVXtf-0007Wh-2s]: jt2OM0-r3y7DF-hR <= jbrown@[Link] R=1iVXtf-
0007Wh-2s
DBG Nov 15 [Link] [ MS-2920]: session query buffer: delete from tblmailspool where mail_id='1iVXtf-
0007Wh-2s' and rcpt_to = 'frogers@[Link]';
DBG Nov 15 [Link] [ MS-2920]: session query buffer: delete from tblmailspool where mail_id='1iVXtf-
0007Wh-2s' and rcpt_to = 'frogers@[Link]';insert into tblmaillog(mail_id, mail_from, rcpt_to,
m_subject, recv_time, m_size, m_status, m_reason, decription, fwd_time, out_mail_id) values('1iVXtf-
0007Wh-2s', 'jbrown@[Link]', 'frogers@[Link]', 'Spam Email', to_timestamp('1573810089'),
1035, 7, 2, 'Mail has been quarantined by policy SMTP.', to_timestamp('1573810089'),'jt2OM0-r3y7DF-hR');
DBG Nov 15 [Link] [ MS-2920]: queries = delete from tblmailspool where mail_id='1iVXtf-0007Wh-2s'
and rcpt_to = 'frogers@[Link]';insert into tblmaillog(mail_id, mail_from, rcpt_to, m_subject,
recv_time, m_size, m_status, m_reason, decription, fwd_time, out_mail_id) values('1iVXtf-0007Wh-2s',
'jbrown@[Link]', 'frogers@[Link]', 'Spam Email', to_timestamp('1573810089'), 1035, 7, 2,
'Mail has been quarantined by policy SMTP.', to_timestamp('1573810089'),'jt2OM0-r3y7DF-hR');
MSG Nov 15 [Link] [ MS-2920]: processing for 1iVXtf-0007Wh-2s completed
MSG Nov 15 [Link] [ T_SMTPD-W]: [SMTPD] mail '1iVXtf-0007Wh-2s-D' processed sucessfully

Log example for MIME filtering

The Email proxy determined that the content matched a MIME filtering rule, so the matching attachment has been blocked as per policy.

DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: DOFILTER
DBG Nov 15 [Link] [ MS-2920]: do_filter: 1_filter
CRT Nov 15 [Link] [ MS-2920]: missing filename in this MIME part !!!
DBG Nov 15 [Link] [ MS-2920]: avd:(null) att_count = 1
DBG Nov 15 [Link] [ MS-2920]: search_tft_cache_entry() Entry 'TFT/UTF8-A' found-> hash '336'
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/inf
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/troff
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-info
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-texinfo
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-tcl
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-ruby
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-python
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-pascal
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-msdos-batch
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-makefile
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-m4
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-lua
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-lisp
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-po
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-fortran
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-diff
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-php
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-awk
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-nawk
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-shellscript
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-java
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-perl
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-c++
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-c
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/x-asm
DBG Nov 15 [Link] [ MS-2920]: search-pattern: text/plain
DBG Nov 15 [Link] [ MS-2920]: search-pattern: [Link]
INF Nov 15 [Link] [ MS-2920]: Blocking Attachment: '[Link]'
DBG Nov 15 [Link] [ MS-2920]: do_filter: filtered: '[Link]'
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: CONDITION
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: compare_filtered() called.
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: IF condition TRUE
INF Nov 15 [Link] [1iVYeB-0000Ab-To]: [0x85b7e200] Inserting Prefix([filtered]) to Subject Header
DBG Nov 15 [Link] [ MS-2920]: prefix_header: 'Subject' '[filtered]'
DBG Nov 15 [Link] [ MS-2920]: remove_header: 'Subject'
DBG Nov 15 [Link] [ MS-2920]: __remove_header_by_type: 5 - Subject
DBG Nov 15 [Link] [ MS-2920]: add_header: 'Subject: [filtered] File Type Email'
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: ADDHEADER 0
DBG Nov 15 [Link] [ MS-2920]: add_header: 'X-Sophos-Firewall: smtpd v1.0'
MSG Nov 15 [Link] [1iVYeB-0000Ab-To]: [0x85b7e200] FROM: jbrown@[Link] , TO:
frogers@[Link]
MSG Nov 15 [Link] [1iVYeB-0000Ab-To]: [0x85b7e200](frogers@[Link])SF Policy Action: ACCEPT
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: Loop for '1' Recipient done(Matchpolicy)
DBG Nov 15 [Link] [1iVYeB-0000Ab-To]: policy matching done
MSG Nov 15 [Link] [1iVYeB-0000Ab-To]: move 'KoC78C-ciYK9v-Vt' to forwarder queue
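
The verdict lines in the three excerpts above (SF Policy Action, blog->reason, the threat list, the spam result, the blocked attachment and the subject prefix) are what a support engineer or a SIEM rule ends up looking for. The following parser is an added example, not part of this guide or of SFOS: it pulls those fields out of smtpd log lines and flags the mails that were dropped, quarantined or had an attachment filtered. The sample log is constructed in the shape of the excerpts above, with made-up times, example.test addresses and a made-up attachment name; the message ids and the worker name MS-2920 are the ones shown on the page. Lines tagged with a worker such as `[ MS-2920]` are attributed to the mail that worker was last assigned by the "Mail assigned to" line, which is how the real log ties them together.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the smtpd excerpts above (made-up times, example.test addresses,
# made-up attachment name); message ids and the worker name are the ones shown in the excerpts.
SAMPLE_LOG = """\
MSG Nov 15 09:25:06 [ T_SMTPD-W]: Mail assigned to 'MS-2920' for scanning '1iVYmo-0000QK-NH-D'
DBG Nov 15 09:25:06 [1iVYmo-0000QK-NH]: blog->reason: Email has been accepted by Device
DBG Nov 15 09:25:06 [1iVYmo-0000QK-NH]: Applying policy to 'frogers@example.test'
MSG Nov 15 09:25:06 [1iVYmo-0000QK-NH]: spam scanning result: 'not spam'
INF Nov 15 09:25:07 [1iVYmo-0000QK-NH]: Sophos Antivirus has Detected Malware
DBG Nov 15 09:25:07 [1iVYmo-0000QK-NH]: handle_threat_list(): we have threat list 'EICAR-AV-Test'
MSG Nov 15 09:25:07 [1iVYmo-0000QK-NH]: [0x0](frogers@example.test)SF Policy Action: DROP
DBG Nov 15 09:25:07 [1iVYmo-0000QK-NH]: blog->reason: INFECTED
MSG Nov 15 09:25:07 [ T_SMTPD-W]: [SMTPD] mail '1iVYmo-0000QK-NH-D' processed sucessfully
MSG Nov 15 09:28:07 [ T_SMTPD-W]: Mail assigned to 'MS-2920' for scanning '1iVXtf-0007Wh-2s-D'
MSG Nov 15 09:28:08 [1iVXtf-0007Wh-2s]: spam scanning result: 'Confirmed spam'
MSG Nov 15 09:28:09 [1iVXtf-0007Wh-2s]: [0x85b7e70](frogers@example.test)SF Policy Action: QUARANTINE
DBG Nov 15 09:28:09 [1iVXtf-0007Wh-2s]: blog->reason: Spam
MSG Nov 15 10:20:01 [ T_SMTPD-W]: Mail assigned to 'MS-2920' for scanning '1iVYeB-0000Ab-To-D'
DBG Nov 15 10:20:01 [1iVYeB-0000Ab-To]: DOFILTER
INF Nov 15 10:20:01 [ MS-2920]: Blocking Attachment: 'invoice.py'
INF Nov 15 10:20:01 [1iVYeB-0000Ab-To]: [0x85b7e200] Inserting Prefix([filtered]) to Subject Header
MSG Nov 15 10:20:01 [1iVYeB-0000Ab-To]: [0x85b7e200](frogers@example.test)SF Policy Action: ACCEPT
"""

# "<LEVEL> <Mon> <day> <time> [<tag>]: <body>"; the tag is either a process/worker or a mail id
LINE_RE = re.compile(r"^(?P<lvl>MSG|DBG|INF|CRT) (?P<ts>\w{3} +\d+ \S+) \[\s*(?P<tag>[^\]]+)\]: (?P<body>.*)$")
ASSIGN_RE = re.compile(r"Mail assigned to '(?P<worker>[^']+)' for scanning '(?P<mid>.+)-D'")
FIELD_RES = {
    "action": re.compile(r"\((?P<rcpt>[^)]+)\)SF Policy Action: (?P<value>\w+)"),
    "reason": re.compile(r"blog->reason: (?P<value>.+)"),
    "spam":   re.compile(r"spam scanning result: '(?P<value>[^']+)'"),
    "threat": re.compile(r"handle_threat_list\(\): we have threat list '(?P<value>[^']+)'"),
    "attach": re.compile(r"Blocking Attachment: '(?P<value>[^']+)'"),
    "prefix": re.compile(r"Inserting Prefix\((?P<value>[^)]+)\) to Subject Header"),
}

@dataclass
class MailVerdict:
    mail_id: str
    recipient: str = ""
    action: str = ""          # final SF Policy Action: ACCEPT / DROP / QUARANTINE
    reason: str = ""          # final blog->reason; the early "accepted by Device" is overwritten
    spam_result: str = ""
    threats: list = field(default_factory=list)
    blocked_attachments: list = field(default_factory=list)
    subject_prefix: str = ""

def parse_smtpd_log(text):
    """Return {mail_id: MailVerdict} for every mail a scanner worker was assigned in the log text."""
    verdicts, worker_to_mail = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        a = ASSIGN_RE.search(body)
        if a:                                   # '<id>-D' is the data file; the mail id is the part before -D
            worker_to_mail[a.group("worker")] = a.group("mid")
            verdicts.setdefault(a.group("mid"), MailVerdict(a.group("mid")))
            continue
        # Worker-tagged lines belong to the mail that worker was last assigned; mail-id-tagged lines
        # belong to that mail; lines from other processes (T_SMTPD-*, MPOLLER) carry no per-mail verdict.
        v = verdicts.get(worker_to_mail.get(tag, tag))
        if v is None:
            continue
        for name, rx in FIELD_RES.items():
            f = rx.search(body)
            if not f:
                continue
            value = f.group("value")
            if name == "action":
                v.recipient, v.action = f.group("rcpt"), value
            elif name == "reason":
                v.reason = value
            elif name == "spam":
                v.spam_result = value
            elif name == "threat":
                v.threats.append(value)
            elif name == "attach":
                v.blocked_attachments.append(value)
            elif name == "prefix":
                v.subject_prefix = value
            break
    return verdicts

def blocked_mails(verdicts):
    """Mails that did not reach the recipient unchanged: dropped/quarantined, or an attachment filtered.
    Returns (mail_id, action, detail) tuples in log order, suitable for an alert or a support summary."""
    out = []
    for v in verdicts.values():
        if v.action in ("DROP", "QUARANTINE"):
            out.append((v.mail_id, v.action, ", ".join(v.threats) or v.reason))
        elif v.blocked_attachments:
            out.append((v.mail_id, "FILTERED", ", ".join(v.blocked_attachments)))
    return out
```

Run it over a captured smtpd log instead of SAMPLE_LOG to get one verdict per mail id; for the virus case the detail is the threat name from the threat list, for spam it is the final blog->reason, and a MIME-filtered mail shows up as FILTERED even though its policy action was ACCEPT, which is the case that is easiest to miss when only grepping for DROP.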

Log example for a DLP detection and SPX message generation

The Email proxy determined that the content was confidential data and had to be encrypted with SPX.
The SPX generation completed without failure.

DBG Apr 16 [Link] [ MS-3573]: notify_sender hfile:/sdisk/spool/tmp/IPA1CJ-zRUoG6-T1-H hsize:400
dfiel:/sdisk/spool/tmp/IPA1CJ-zRUoG6-T1-D dsiz:1210
MSG Apr 16 [Link] [ MS-3573]: moving notification '/sdisk/spool/tmp/IPA1CJ-zRUoG6-T1-D' file to
forwarder queue
MSG Apr 16 [Link] [ MS-3573]: S='administrator@[Link]' R='frogers@[Link]'
Subject='Your email violates your organization\'s confidentiality policy' Size='1610' Status='Mail has been
queued for delivery.' src_ip='[Link]' src_port=0
DBG Apr 16 [Link] [ MS-3573]: session query buffer: insert into tblmailspool(mail_id, mail_from,
rcpt_to, m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port)
select 'IPA1CJ-zRUoG6-T1','administrator@[Link]','frogers@[Link]', 'Your email violates
your organization\'s confidentiality policy', to_timestamp('1555407965'), 'IPA1CJ-zRUoG6-T1', 1610, 0,
'Mail has been queued for delivery.', 'IPA1CJ-zRUoG6-T1', '[Link]', 0 WHERE NOT EXISTS (select 1 from
tblmailspool where mail_id='IPA1CJ-zRUoG6-T1' AND rcpt_to='frogers@[Link]');
DBG Apr 16 [Link] [ MS-3573]: queries = insert into tblmailspool(mail_id, mail_from, rcpt_to,
m_subject, time_stamp, filename, m_size, m_status, decription, out_mail_id, src_ip, src_port) select
'IPA1CJ-zRUoG6-T1','administrator@[Link]','frogers@[Link]', 'Your email violates your
organization\'s confidentiality policy', to_timestamp('1555407965'), 'IPA1CJ-zRUoG6-T1', 1610, 0, 'Mail has
been queued for delivery.', 'IPA1CJ-zRUoG6-T1', '[Link]', 0 WHERE NOT EXISTS (select 1 from
tblmailspool where mail_id='IPA1CJ-zRUoG6-T1' AND rcpt_to='frogers@[Link]');
DBG Apr 16 [Link] [ MS-3573]: commited db queries successfully
DBG Apr 16 [Link] [ MS-3573]: destroy_acl: free acl node 7
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: DPP Notification to sender queued!
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: DOSPX
DBG Apr 16 [Link] [ MS-3573]: remove_header: 'X-Sophos-SPX-Encrypt'
DBG Apr 16 [Link] [ MS-3573]: __remove_header_by_type: 7 - X-Sophos-SPX-Encrypt
DBG Apr 16 [Link] [ MS-3573]: init_spx: spx struct initiated
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: DOSPX Action
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: BLOG
DBG Apr 16 [Link] [ MS-3573]: get_name_type() AF_INET '[Link]'
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: blog->reason: DLP
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: blog->reason(8)
MSG Apr 16 [Link] [1hGKfE-0007V8-WE]: [0x985bad00] FROM: frogers@[Link] , TO:
sspade@[Link]
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: Loop for '1' Recipient done(Matchpolicy)
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: policy matching done
DBG Apr 16 [Link] [ MS-3573]: spx_hook: let us check SPX
DBG Apr 16 [Link] [ MS-3573]: SQL_get_pwd_for_rcpt: query = select pwd,reg_url from tblspx_details
where rcpt_to = lower('sspade@[Link]')
DBG Apr 16 [Link] [ MS-3573]: SQL_get_pwd_for_rcpt: spx db value: 'U29waG9zMTk4NSE=' at 0
DBG Apr 16 [Link] [ MS-3573]: spx_hook: spx password checking done, let us create msg to spx pdf...!!
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: do_spx_encrypt:failure--->0

Log example for the encrypted PDF generated and sent to the recipient

The recipient gets access to the Firewall portal to generate their own password; the URL and recipient are added. The PDF is generated, saved and attached to the Email that is actually delivered to the recipient.
Note: the Email body was removed from the slide, but you’ll find it in the Student handout.

DBG Apr 16 [Link] [ MS-3573]: POrtal:1,display org:1
DBG Apr 16 [Link] [ MS-3573]: URI:1555407965704395c3NwYWRlQGludGVybmV0Lnd3dw
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: generate_URL: url =
'[Link]
DBG Apr 16 [Link] [ MS-3573]: uri:1555407965704395c3NwYWRlQGludGVybmV0Lnd3dw
Rcpt:sspade@[Link]
DBG Apr 16 [Link] [ MS-3573]: SQL_insert_spx_db: query = insert into tblspx_reply_details(rcpt_to,
mail_from, subject, reply_url, mail_filename)
values('sspade@[Link]','frogers@[Link]','RE:
Finances','1555407965704395c3NwYWRlQGludGVybmV0Lnd3dw','1hGKfE-0007V8-WE')
DBG Apr 16 [Link] [ MS-3573]: SQL_insert_spx_db: succesfully inserted
DBG Apr 16 [Link] [ MS-3573]: decodeAnytoUtf(): string to decode = RE: Finances
DBG Apr 16 [Link] [ MS-3573]: decoded subject : 'RE: Finances'
DBG Apr 16 [Link] [ MS-3573]: cache file:10
DBG Apr 16 [Link] [ MS-3573]: read : 752 filled :0
DBG Apr 16 [Link] [ MS-3573]: x:50 imag_height:17 width:103
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: unfolded subject: '<sspade@[Link]>' length '21'
DBG Apr 16 [Link] [ MS-3573]: get_header: header 'CC' not found in message
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: unfolded subject: 'RE: Finances' length '12'
DBG Apr 16 [Link] [ MS-3573]: write_file_to_pdf charset is :UTF-8
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: save_pdf: pdf name '/sdisk/spool/tmp/1hGKfE-0007V8-
[Link]'
DBG Apr 16 [Link] [1hGKfE-0007V8-WE]: save_pdf: attach name '/sdisk/spool/tmp/[Link]'
DBG Apr 16 [Link] [ MS-3573]: MT_STRING: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN" "[Link]
xmlns="[Link]
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Sophos SPX Secure Email
Reply</title>

<meta name="MSSmartTagsPreventParsing" content="true">


<meta name="robots" content="noindex,nofollow">
</head>
<body>
<table align="center" style="width:1080px; font-family: sans-serif; font-size: 15px; color:#333;">
<tr>
<td style="padding: 6px; border: #ddd solid 1px; border-bottom: #ddd solid 4px; background-color:
#F0FFFF; color: #999; height: 30px; color:#000000;">
<div style="font-family:Arial, Helvetica, sans-serif; font-size: 15px; white-space: pre-wrap; white-space:
-moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">
'
DBG Apr 16 [Link] [ MS-3573]: MT_STRING: '<p><b>Encrypted email notification from '
DBG Apr 16 [Link] [ MS-3573]: MT_SPX_ORGANIZATION_NAME
DBG Apr 16 [Link] [ MS-3573]: MT_STRING: '</b></p>
<p><b>Encrypted email message from '
DBG Apr 16 [Link] [ MS-3573]: MT_SENDER: frogers@[Link]
DBG Apr 16 [Link] [ MS-3573]: MT_STRING: '</b></p>

<p>
… <email body text> …

Log example for sender notification

The sender is notified about the DLP content of their Email.

2019-04-16 [Link].564 [28904] End queue run: pid=28904
3582 child 28904 ended: status=0x0
3582 normal exit, 0
3582 0 queue-runner processes now running
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: query = select mail_id, mail_from, rcpt_to,
m_subject, time_stamp, m_size, m_reason from tblmailspool where out_mail_id='IPA1CJ-zRUoG6-T1'
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: total columns in select query is '7'
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 0th column value is IPA1CJ-zRUoG6-T1
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 1th column value is
administrator@[Link]
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 2th column value is
frogers@[Link]
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 3th column value is Your email violates
your organization's confidentiality policy
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 4th column value is 2019-04-16 [Link]
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 5th column value is 1610
DBG Apr 16 [Link] [ MPOLLER]: get_maildata_from_spool: 6th column value is 0
DBG Apr 16 [Link] [ MPOLLER]: insert_into_maillog: Query is 'insert into
tblmaillog(mail_id,mail_from,rcpt_to,m_subject,recv_time,m_size,m_status,m_reason,decription,fwd_tim
e,out_mail_id) values('IPA1CJ-zRUoG6-T1','administrator@[Link]','frogers@[Link]','Your
email violates your organization\'s confidentiality policy','2019-04-16 [Link]', '1610', 2, 0, 'Mail sent
successfully.', to_timestamp('1555407975'), 'IPA1CJ-zRUoG6-T1')'
DBG Apr 16 [Link] [ MPOLLER]: blog->reason: Email has been delivered to respective recipient.
DBG Apr 16 [Link] [ MPOLLER]: delete_from_spool: query = delete from tblmailspool where
out_mail_id='IPA1CJ-zRUoG6-T1'
DBG Apr 16 [Link] [ MPOLLER]: spool updated for '/sdisk/spool//output/[Link]/IPA1CJ-zRUoG6-
T1'
3582 SIGALRM received
3582 1 queue-runner process running
28949 Starting queue-runner: pid 28949
28949 LOG: queue_run MAIN
28949 Start queue run: pid=28949
2019-04-16 [Link].446 [28949] Start queue run: pid=28949


Email Protection
Recipient verification

• Checks the recipient email address against the user account on the destination mail server
• Verifies recipients of inbound emails with the AD server over simple, SSL, and STARTTLS protocols

Email Protection
Recipient verification

Recipient verification is a process that identifies and validates the recipient address with the mail server.
Recipient verification is required and implemented to address the following risk factors:

• Accepting mail for non-existent recipients wastes CPU time, as the message is unnecessarily scanned for spam.
• Trying to deliver mail to non-existent recipients may cause SFOS or the back-end server to create Non-Delivery Reports (NDRs). These useless notifications are called backscatter and can get the SFOS machine IP address or your back-end mail server blacklisted.

Recipient verification flow

• Mail sent to a recipient is checked by SFOS by sending VRFY to the internal mail server.
• If the recipient address is accepted, the server sends 200 OK to SFOS.
• SFOS accepts the RCPT TO value and accepts the mail.
• SFOS forwards the mail to the destination Email server.

Note: Verification times out in 30 seconds.

Page 34 of 110
Module 4 – Email Protection

MTA Troubleshooting

Troubleshooting MTA
MTA doesn’t accept emails

1. Verify the Antispam service is running and the /var partition has free space
2. Confirm the MX record of the domain
3. Verify the Device Access and ACL settings allowing SMTP relay
4. Verify the configuration of the SMTP Profile
Troubleshooting MTA
MTA doesn’t accept emails

• Are the firewall settings correct to support Standard MTA/Transparent MTA?
Device Access (Standard MTA)?
Enable SMTP relay from Device access [Administrator >> Device access >> Local service ACL] when XG is used as a direct/standard MTA for a specific zone.
Firewall rule (Transparent MTA)?
Add one Email Clients [POP & IMAP] business application firewall rule via Firewall and configure the settings below to use XG as a transparent MTA:
Source: Zone – Any, Networks – Any
Destination: Zone – Any, Networks – Any
Malware Scanning: SMTP & SMTPS
Routing: Rewrite source address (masquerading)
Click the Save button
To troubleshoot firewall-related issues, use drop-packet capture, tcpdump or the Packet capture utility in the UI [Diagnostics >> Packet capture]
• Check the configuration of the SMTP profile
When receiving an inbound mail, check that the protected domain is configured correctly in the SMTP profile
• Checked the relay settings?
Host based relay (for outbound email traffic)?
Add/update hosts/networks in Host based relay via [Email >> Relay settings >> Host based relay] if mail is rejected with “550 Relay not permitted”.
Check Maillogs for the specific rejected mail and hover the mouse over the status to see the reason. It will show “Relay not permitted for [Link]” host.
Upstream host (for inbound email traffic)?
Add/update hosts/networks in Upstream host via [Email >> Relay settings >> Upstream host] if mail is rejected with “550 Upstream Relay not permitted”.
Check Maillogs for the specific rejected mail and hover the mouse over the status to see the reason. It will show “Upstream Relay not permitted for [Link]” host.

Note: As per the architecture, the firewall policy is not applied to inbound mails received from the internet that are expected to be delivered to mail servers hosted in the cloud, such as O365 and G Suite, so the SNAT policy is not applied to those mails. To apply the firewall policy to all traffic, set disable_offline_relate to ‘no’ in the file /static/proxy/smtp/[Link] and restart the SMTPd service:
disable_offline_relate = no


Scenario for the disable_offline_relate option: XG is being used as an external mail relay for a client on the WAN side. This client is set to send to the XG, and the XG accepts the email fine. The XG then has a policy to route emails destined for the client's domain via MX; the mail server is Office 365. Traffic flow is perfect. The only problem is the NAT policy: if an SNAT policy has been configured it will not apply, so this option needs to be enabled.

The disable_offline_relate option means “firewall rule binding is enabled only for outbound mail if the option is set to 'yes'”.

The option can also be enabled from the GUI via General settings > Advanced SMTP settings > Route inbound mail through gateway, and it is persisted through a firmware upgrade.


Troubleshooting MTA (p2)
MTA doesn’t accept emails

5. Verify the grey listing setting
6. Verify rDNS records are available
7. Verify SPF or BATV settings
8. Verify whether the emails are rejected based on an RBL

Troubleshooting MTA
MTA doesn’t accept emails

• SMTP connection being rejected even with correct relay settings?
Is grey-listing causing this?
When grey listing is enabled in the SMTP profile under the Spam protection section, the mail is rejected with “451 Temporary local problem, please try again!” until the sender is identified as a known sender.
Check Maillogs for the specific rejected mail and hover the mouse over the status to see the reason. It will show “Temporary Rejection: Sender IP has been Greylisted” for the sender host.
Disable grey listing in the SMTP profile under Spam protection, or configure an exception to skip the grey listing check for specific source hosts/domains or sender/recipient mail addresses, to accept the mails. [not advisable]
Analyze the grey listing database:
# sqlite3 /sdisk/exim/[Link]
sqlite> select * from tblgreylisted;
sqlite> select * from tblknownsender;
• Is that missing RDNS record causing this?

Page 38 of 110
Module 4 – Email Protection

When “Reject invalid HELO or missing RDNS” is enabled from the General settings under the
Advanced SMTP settings, the mail can be rejected with “550 Missing RDNS entry.” If no RDNS
available for sender domain.
Check Maillogs for specific rejected mail and hover the mouse over status to see the reason. It will
show “No RDNS entry for [Link].”.
Disable “Reject invalid HELO or missing RDNS” or configure an exception to skip RDNS/HELO check
for specific source hosts/domains or sender/recipient mail addresses to accept the mails. [not
advisable]
Check DNS configuration via [Network>>DNS] and configure the valid DNS servers which resolve the
RDNS.
Is that invalid RDNS record causing this?
When “Do strict RDNS checks” is enabled from the General settings under the Advanced
SMTP settings, the mail can be rejected with “550 Invalid RDNS entry for [Link].” If
resolved RDNS not matched back to sender domain.
Check Maillogs for specific rejected mail and hover the mouse over status to see the reason.
It will show “Invalid RDNS entry for [Link].”.
Disable “Do strict RDNS checks” or configure an exception to skip RDNS/HELO check for
specific source hosts/domains or sender/recipient mail addresses to accept the mails. [not
advisable]
Is an SPF failure causing this?
When “Reject based on SPF” is enabled in the SMTP profile under the spam protection
section, the mail is rejected with “550 [Link] is not allowed to send mail
from [Link]”.
Check Maillogs for the specific rejected mail and hover the mouse over the status to see the
reason. It will show “SPF check failed: [Link] is not allowed to send mail from
[Link]” for the sender host.
Disable “Reject based on SPF” or configure an exception to skip the SPF check for specific
source hosts/domains or sender/recipient mail addresses to accept the mails. [not
advisable]
Is your source IP listed in any RBL?
When “Reject based on RBL” in the SMTP profile under the spam protection section or
“Reject based on IP Reputation” in the SMTP settings under the General settings is
enabled, the mail is rejected with “550-Sophos Anti Spam Engine has blocked
this Email because the sender IP Address is blacklisted.”.
Check Maillogs for the specific rejected mail and hover the mouse over the status to see
the reason. It will show “Sophos Anti Spam Engine has blocked this Email because
the sender IP Address is blacklisted.”
Disable “Reject based on RBL” or “Reject based on IP Reputation”, or configure an
exception to skip the RBL check for specific source hosts/domains or sender/recipient
mail addresses to accept the mails.
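The two RDNS rejections above come from the same lookup chain, so it helps to see the difference between “missing” and “invalid” RDNS in code. The following is an added example, not Sophos code: a forward-confirmed reverse DNS (FCrDNS) check with a pluggable resolver, so both outcomes can be reproduced offline. Non-strict mode only requires a PTR record; strict mode also requires the PTR name to resolve forward to the connecting IP. The DNS table, host names and IP addresses are constructed for the demonstration.

```python
"""Reverse-DNS checks behind the "Missing RDNS" and "Invalid RDNS" rejections.

Added example (not part of the handout): forward-confirmed reverse DNS with
an injectable resolver. Non-strict mode models "Reject invalid HELO or
missing RDNS"; strict mode models "Do strict RDNS checks".
"""
import ipaddress
import socket

# Constructed DNS data (hypothetical names, documentation-range IPs).
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net"],   # PTR and A record agree
    "192.0.2.20": ["mx.example.org"],     # PTR exists, A record points elsewhere
    # 192.0.2.30 has no PTR record at all
}
FAKE_A = {
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.5"],
}


def rdns_check(ip, strict, ptr_lookup=FAKE_PTR.get, a_lookup=FAKE_A.get):
    """Return (verdict, reason) where verdict is 'accept' or 'reject'.

    strict=False: reject only when no PTR record exists at all.
    strict=True:  reject when no PTR name resolves back to the connecting IP.
    """
    ipaddress.ip_address(ip)              # raises ValueError on garbage input
    names = ptr_lookup(ip) or []
    if not names:
        return "reject", "550 Missing RDNS entry."
    if not strict:
        return "accept", "PTR record %s present" % names[0]
    for name in names:
        if ip in (a_lookup(name) or []):
            return "accept", "FCrDNS confirmed via %s" % name
    return "reject", "550 Invalid RDNS entry for %s." % names[0]


def live_ptr(ip):
    """PTR lookup through the system resolver (for real use; not called here)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except socket.herror:
        return []


def live_a(name):
    """Forward lookup through the system resolver (for real use; not called here)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []
```

To check a real sending host from a machine with DNS access, call `rdns_check(ip, strict=True, ptr_lookup=live_ptr, a_lookup=live_a)`; a “reject” with the “Invalid RDNS” reason means the PTR exists but its forward record does not contain the IP, which is exactly the case the strict check refuses.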

Troubleshooting MTA
Verifying Email connectivity using telnet
# telnet [Link] 25
ehlo [Link]
mail from:jdoe@[Link]
rcpt to:jsmith@[Link]
rcpt to:janedoe@[Link]
data
Subject: Hello World

Hello,
This is my first email test using telnet.
Virtually Yours,
Jane Doe
.
250 OK id=4QGw3m-023484q-l5
quit

Troubleshooting MTA
Verifying Email connectivity using telnet

The above sample shows how to use TELNET when performing testing via SFOS without authentication. Note that
SMTP takes one recipient per RCPT TO command, and the blank line after the Subject header separates the
headers from the body. When running the telnet command, remember:

• TELNET is normally disabled since it is not a secure protocol; it transmits everything in clear text.
• When using TELNET to test email transmission, ensure it is done from the LAN zone and not from outside.
• Some customers have the SMTP server banner greeting disabled, which results in the 220 SMTP server banner
greeting not being displayed when connecting with TELNET.
• When testing with SFOS protecting on-premise Microsoft Exchange servers (2007, 2010, 2013 and 2016), the
TELNET service is disabled by default. Enable it before testing.

Troubleshooting MTA
Verifying Email connectivity using telnet with authentication
# telnet [Link] 25
220 [Link] ESMTP Exim 4.71 - "ATLAS SMTP Service" Wed, 13 Jul 2011 [Link] +0100
EHLO [Link]
250-[Link] Hello [Link] [[Link]]
250-SIZE 31457280
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
cwtui3lAcmlja2ljaeFoYewuY2 (Base64-encoded username)
334 UGFzc3dvcmQ6
YeGjc3ducmE (Base64-encoded password)
235 Authentication succeeded
MAIL FROM: emailaddress@[Link]
250 OK
RCPT TO: recipient@[Link]
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Subject: Test using Telnet

.
250 OK id=4Qgw3m-023484q-I5
quit

Troubleshooting MTA
Verifying Email connectivity using telnet with authentication

When sending email with authentication, the Base64-encoded username and the corresponding Base64-encoded
password must be used, because that is the form the AUTH LOGIN mechanism expects. Base64 is an encoding, not
encryption; it does not protect the credentials on the wire.

Since the EHLO command is invoked, the server answers with the list of SMTP extensions (EHLO keywords) it
supports.
When performing a TELNET test, ensure that the following SMTP codes are received:
220 - The target SMTP server or domain has its SMTP service ready.

250 - The requested mail action has completed. The SMTP extensions advertised in this example are:

SIZE = lets the client tell the server the estimated size of the message before it is transmitted; the
server advertises its limit and warns the client that messages exceeding it will not be accepted.
PIPELINING = during the connection, the client is not required to wait for a response before sending the
next command.
AUTH PLAIN LOGIN = the server supports the PLAIN and LOGIN authentication mechanisms.
HELP = likewise self-explanatory; it does not change the EHLO SMTP arguments.

In the example, AUTH LOGIN selects the LOGIN mechanism (one of the two advertised above), and the server
responds with a 334 reply code carrying a Base64-encoded prompt. The Base64-encoded logon account is
entered first, followed by the corresponding Base64-encoded password. The username and password are
therefore not typed as literal plain text, but Base64 is trivially reversible, so they are still readable
by anyone who can capture the session.

235 means the AUTH LOGIN authentication was successful.

The 2nd graphic in this slide is just the normal way of performing TELNET email testing.
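To make the reply codes and extension keywords above concrete, here is an added example (not from the handout) that reads the server side of such a session the way an SMTP client must: it parses the multi-line 250 reply (a `250-` line continues, `250 ` ends it) into the advertised extensions, decodes the Base64 prompts that follow AUTH LOGIN, and flags a server that offers AUTH without STARTTLS, where credentials cross the wire merely Base64-encoded. The transcript is constructed after the slide with placeholder host names.

```python
"""Read an EHLO/AUTH exchange the way an SMTP client has to.

Added example, not from the handout: EHLO reply parsing, 334 prompt
decoding and a check for AUTH offered without STARTTLS.
"""
import base64

# Constructed server side of an EHLO reply (host names are placeholders).
EHLO_REPLY = """\
250-mail.example.net Hello client.example.com [192.0.2.10]
250-SIZE 31457280
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(reply):
    """Return {KEYWORD: parameters} from a successful EHLO reply.

    The first 250 line is the greeting and carries no extension. Raises
    ValueError when the reply is not a well-formed 250 multi-line reply.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted: %r" % lines[:1])
    extensions = {}
    for line in lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("malformed EHLO line: %r" % line)
        keyword, _, params = rest.partition(" ")
        extensions[keyword.upper()] = params.strip()
    if lines[-1][3:4] != " ":
        raise ValueError("reply not terminated: last line is a continuation")
    return extensions


def auth_mechanisms(extensions):
    """['PLAIN', 'LOGIN'] for '250-AUTH PLAIN LOGIN'; [] when AUTH is absent."""
    return extensions.get("AUTH", "").split()


def decode_challenge(line):
    """'334 VXNlcm5hbWU6' -> 'Username:'; the prompt hidden behind the 334 code."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation reply: %r" % line)
    return base64.b64decode(payload).decode("utf-8")


def credentials_exposed(extensions):
    """True when AUTH is offered without STARTTLS: LOGIN/PLAIN credentials
    would then be readable by anyone capturing the session."""
    return "AUTH" in extensions and "STARTTLS" not in extensions
```

Running `parse_ehlo` on the slide's reply gives `SIZE` of 31457280 and the mechanisms `PLAIN` and `LOGIN`; `credentials_exposed` is true for that reply because no STARTTLS keyword was advertised, which is the property to look for before running an authenticated test over plain TCP.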

Troubleshooting MTA
MTA accepts emails but emails do not appear on Email Spool
1. Check the error queue of the mail spool
2. Verify the number of scanners
3. Check smtpd debug logs for any abnormal activity and errors

# grep vcore -A 2 /cfs/proxy/smtp/conf/[Link]
# vcores 4
min_scanner 12
max_scanner 12

# service smtpd:debug -ds nosync

Troubleshooting MTA
MTA accepts emails but emails do not appear on Email Spool

• Have you checked the error queue?

If the SMTPd (scanner) daemon fails to scan a mail, the mail is moved to the error queue.
To check the error queue, go to Mailspool, select Error and click the Filter button to display the mails.
The admin can only delete/download mails from the Error queue.
• Is the number of scanners insufficient for the deployment?
The SMTPd (acceptor) daemon accepts a mail once all security checks have passed and stores it in the
spool directory. Use the command below to list the mails accepted by the SMTPd (acceptor) daemon.
ls /var/spool/input/work/
Check the number of SMTPd scanners:
grep vcore -A 2 /cfs/proxy/smtp/conf/[Link]
The SMTPd scanner processes the mail. Each scanner processes one mail at a time, so when the mail flow
is high it takes some time to display/process all the mails.
A mail is displayed in Mailspool once an SMTPd scanner picks it up for scanning.
The number of scanners is assigned based on the HW/SW model type/configuration.
If a high volume of mail is suspected to come from spammers, enable antispam mechanisms such as
inbound/outbound spam scanning, RBL, IP Reputation, grey listing, SPF, recipient verification and
“Reject invalid HELO or missing RDNS” to stop them.

• Have you checked SMTPd’s errors?

Check the SMTPd debug log for any abnormal activity or undesirable errors. Use the command below to
put the service in debug mode.
service smtpd:debug -ds nosync

Troubleshooting MTA
Emails get stuck in the mail spool

1. Verify the Antivirus service is running
2. Verify the recipient address is reachable
3. Verify the recipient servers in the Exim DB
4. Check if a Sandbox result is pending
5. Check if DLP requested the recipient to register for an SPX password
6. Check if a temporary reject message was received from the Mail server

Troubleshooting MTA
Emails get stuck in the mail spool

• Is the Antivirus service (AVD) working?

When the SMTPd scanner is unable to scan a mail with the antivirus service, the mail status is updated with
the reason “Mail delivery failure. Mail could not be scanned for malware. [Link].”
Check the antivirus service status from the UI – [System services >> Services] or from the CLI using the
command below.
service antivirus:status -ds nosync
Check the SMTPd service log - smtpd_main.log and the antivirus service log - /log/[Link]
If no antivirus (AV) signature is available on the appliance, the mail is updated with “failed to scan
due to malware”.
• Is the recipient address routable?
The SMTPd forwarder tries to forward the mail based on the routing type (MX/DNS Host/Static Host
Routing). If it fails to deliver the message, it updates the status with the specific reason. Hover the
mouse over the status to see the reason.
• Has the Exim DB cached the recipient server as non-routable?
Exim has internal logic to retry delivery of mails to the mail server. The retry frequency is reduced if
the mail server is unreachable for a longer time while mails keep arriving for that domain; Exim may end up
trying to send the mails only once a day if the mail server stays unreachable. The admin can therefore
delete the Exim DB with the command below so that all those mails are delivered immediately once the mail
server is available to receive them.
rm -rf /var/spool/output/db/

defer (-53): retry time not reached for any host in the smtpd_main.log

F,2h,2m; G,16h,1h,1.5; F,3d,6h (config line in [Link])

• If delivery fails, Exim retries every 2 minutes until 2 hours have passed since the first failure. From
then until 16 hours after the first failure it retries at geometrically growing intervals, starting at 1
hour and multiplied by an expansion factor of 1.5 each time. From then until 3 days after the first failure
it retries every 6 hours. If the mail is still undelivered at that point, a bounce mail is generated with
the message “retry time exceeded”.
Note :- this behaviour is domain specific, not mail specific.
• In XG, Exim’s queue runner runs every 15 seconds. On every run it checks all pending mails and whether
the deliver-first-time header is present in the mail file. This header is added only once and is removed
when delivery fails. So, if the deliver-first-time header is set, the queue runner tries that mail; if
delivery fails, the next queue runner retries it. But while the retry time has not been reached, the queue
runner prints the message “defer (-53): retry time not reached”. Once the retry time is reached the mail
is retried; if delivery fails again it is requeued and retried by a later queue runner. If the mail is
sent successfully, the retry time for that domain is reset.
• One can explicitly reset the retry time DB by deleting the files located at spool/output/db/retry*.
Afterwards you may want to retry all queued mails with the command “exim -qff” or restart the smtpd
service. Mails may stay in a retry loop if they remain undelivered.

Ref:- [Link]

Note: Creating a new Email policy above the one the spooled emails already matched will also cause this.
The emails in the spool do not match the new rule and retry indefinitely. In such a case, move the
spooled emails to the new rule.
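The retry rule `F,2h,2m; G,16h,1h,1.5; F,3d,6h` is easier to reason about once it is turned into the actual sequence of retry times. The following is an added example, not from the handout or from Exim: a simplified model that parses such a rule and produces the retry offsets (minutes after the first delivery failure), assuming every attempt fails, and reports when Exim would give up with “retry time exceeded”. In Exim the time in each rule part is a cutoff measured from the first failure; this model applies whichever part's cutoff has not yet been reached and does not reproduce Exim's per-host bookkeeping.

```python
"""Simulate an Exim retry rule such as "F,2h,2m; G,16h,1h,1.5; F,3d,6h".

Added example (simplified model, not Exim's code). Times are minutes
after the first delivery failure; every attempt is assumed to fail.
"""
import re

_UNIT_MINUTES = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440, "w": 10080}


def parse_time(spec):
    """'2h' -> 120, '1h30m' -> 90, '3d' -> 4320 (minutes)."""
    parts = re.findall(r"(\d+)([smhdw])", spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError("bad time spec: %r" % spec)
    return sum(int(n) * _UNIT_MINUTES[u] for n, u in parts)


def parse_retry_rule(rule):
    """Return [(kind, cutoff, interval, factor)] for each ';'-separated part.

    F,<cutoff>,<interval>          fixed interval until cutoff
    G,<cutoff>,<start>,<factor>    geometric: start, start*factor, ...
    """
    rules = []
    for part in rule.split(";"):
        fields = [f.strip() for f in part.split(",")]
        kind = fields[0].upper()
        if kind == "F" and len(fields) == 3:
            rules.append(("F", parse_time(fields[1]), parse_time(fields[2]), 1.0))
        elif kind == "G" and len(fields) == 4:
            rules.append(("G", parse_time(fields[1]), parse_time(fields[2]),
                          float(fields[3])))
        else:
            raise ValueError("unsupported rule part: %r" % part)
    return rules


def retry_schedule(rule):
    """Return (retry_times, bounced).

    retry_times: minutes after the first failure at which a retry happens.
    bounced: True when the last cutoff is passed, i.e. Exim would generate
    the "retry time exceeded" bounce after the final failed attempt.
    """
    rules = parse_retry_rule(rule)
    times, t, g_uses = [], 0.0, {}
    while True:
        idx = next((i for i, r in enumerate(rules) if t < r[1]), None)
        if idx is None:                  # past the last cutoff: give up
            return times, True
        kind, _cutoff, base, factor = rules[idx]
        if kind == "G":
            interval = base * factor ** g_uses.get(idx, 0)
            g_uses[idx] = g_uses.get(idx, 0) + 1
        else:
            interval = base
        if interval <= 0:
            raise ValueError("retry interval must be positive")
        t += interval
        times.append(t)
```

For the rule on the slide this yields 60 retries two minutes apart in the first 2 hours, then retries at 180, 270, 405, 607.5 and 911.25 minutes (the 1.5× series), then 6-hourly retries until the 3-day cutoff, after which the mail is bounced; 75 attempts in total under this model.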

• Is XG waiting for the recipient to register an SPX password?

When the mail is SPX encrypted and a recipient-specified SPX template is configured, the mail status is
updated with “SPX blocked”.
Once the recipient registers the password, the mail is SPX encrypted with the registered password and
delivered to the recipient.
• Is XG waiting for sandbox results to come back?
Any files attached to a mail that are found to be Sandstorm eligible are sent to the Sandstorm server for
advanced analysis. During this period, the mail is updated with the “In-progress” status.
To see Sandstorm activity, go to [Advanced threat>>Sandstorm Activity].
If any error is found during the analysis, the admin must release the mail manually from the Sandstorm
activity page, and the mail is then delivered to the recipient accordingly.
• Was a temporary rejection message received from the mail server?
If the receiving server rejects the message with a 4xx error in its response, the SMTPd forwarder updates
the message with the corresponding error, which can be seen by hovering the mouse over the status of the
message.

Troubleshooting MTA
Emails are not scanned
1. Verify using Packet Capture
2. Scroll down to SMTP Settings and verify the value set in Don’t Scan Emails Greater
Than * & select Action for Oversized Emails
3. Verify relevant scanning SMTP/S,POP3,IMAP scanning is applied or not
4. Use TCPDUMP at port 25 to capture SMTP traffic
5. Verify X-CTCH headers in /log/smtpd_main.log file or /log/[Link]
add_header:'X-CTCH-Spam: spam'
add_header:'X-CTCH-Pver:0000001'
add_header:'X-CTCH-Spam:Unknown'
add_header:'X-CTCH-RefID:str=0001.0A150207.55C9C689.0291,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0'
add_header:'X-CTCH-VOD:Unknown'
add_header:'X-CTCH-Flags:0'
add_header:'X-CTCH-Score:0.000'
add_header:'X-CTCH-ScoreCust:0.000'
add_header:'X-CTCH-Rules:'

Troubleshooting MTA
Emails not scanned

• Verify using Packet Capture MONITOR & ANALYZE > Diagnostics > Packet Capture
• Scroll-down to SMTP Settings and verify the value in Don’t Scan Emails Greater Than * & select Action
for Oversized Emails
• Verify relevant scanning SMTP/S,POP3,IMAP scanning is applied or not
• Use TCPDUMP at port 25 to capture SMTP traffic
• Verify X-CTCH headers in /log/smtpd_main.log file or /log/[Link]

Check the smtpd_main.log and /log/[Link] using the advanced shell.
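Checking for X-CTCH headers by eye in a busy smtpd_main.log is slow, so here is an added example (not from the handout) that does it programmatically: it pulls the add_header lines the scanner writes, groups them per message ID, rebuilds the key=value fields of X-CTCH-RefID, and returns a verdict. A message with no X-CTCH headers at all is reported as “not scanned”, which is the condition the steps above are looking for. The log lines are constructed after the slide; the MS-nnnn message IDs and timestamps are placeholders.

```python
"""Confirm from smtpd_main.log that a message was actually spam-scanned.

Added example (not Sophos tooling). Log lines below are constructed.
"""
import re

LOG_SAMPLE = """\
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-Pver:0000001'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-Spam:Unknown'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-VOD:Unknown'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-RefID:str=0001.0A150207.55C9C689.0291,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-Flags:0'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-Score:0.000'
DBG Nov 15 10:01:02 [ MS-2920]: add_header:'X-CTCH-Rules:'
DBG Nov 15 10:01:03 [ MS-2921]: add_header:'X-CTCH-Spam: spam'
DBG Nov 15 10:01:03 [ MS-2921]: add_header:'X-CTCH-Score:0.950'
DBG Nov 15 10:01:04 [ MS-2922]: do_filter: 1_filter
"""

# "[ MS-2920]: add_header:'X-CTCH-Name:value'"  ->  (id, name, value)
_LINE = re.compile(r"\[\s*(MS-\d+)\]: add_header:'(X-CTCH-[A-Za-z]+):\s*(.*)'$")


def parse_ctch_headers(log_text):
    """Return {message_id: {header_name: value}} for every add_header line."""
    per_msg = {}
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if m:
            msg, name, value = m.groups()
            per_msg.setdefault(msg, {})[name] = value
    return per_msg


def parse_refid(refid):
    """'str=...,ss=1,re=0.000,...' -> dict of the comma-separated fields."""
    return dict(field.split("=", 1) for field in refid.split(",") if "=" in field)


def scan_verdict(headers):
    """Summarise one message's X-CTCH headers as (scanned, verdict, score).

    No X-CTCH headers at all means the scanner never touched the message.
    """
    if not headers:
        return False, "not scanned", None
    verdict = headers.get("X-CTCH-Spam", "Unknown").strip().lower()
    score = float(headers["X-CTCH-Score"]) if "X-CTCH-Score" in headers else None
    return True, verdict, score
```

Fed the real log, `parse_ctch_headers` returns one dictionary per message; a message ID that appears in the log but has an empty dictionary (MS-2922 in the sample) is the one to investigate against the size limit and scanning settings listed above.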

Troubleshooting MTA
Not able to trigger file/MIME filter for MTA
• File protection is applied on inbound emails only
• Enable File protection in SMTP profile & configure:
o Block file types
o MIME whitelist
• MIME type or file extension should match the configured file protection
• Check for configured exceptions
• Check smtpd_main.log and, using grep, search for “do_filter”
DBG Nov 15 [Link] [ MS-2920]: do_filter: 1_filter
DBG Nov 15 [Link] [ MS-2920]: search_tft_cache_entry() Entry 'TFT/UTF8-A' found-> hash '336'
INF Nov 15 [Link] [ MS-2920]: Blocking Attachment: '[Link]'
DBG Nov 15 [Link] [ MS-2920]: do_filter: filtered: '[Link]'
DBG Nov 15 [Link] [ MS-2920]: add_header: 'Subject: [filtered] File Type Email'

Troubleshooting MTA
Not able to trigger file/MIME filter for MTA

You can find TFT list published by Labs here : [Link]

1. Check the MIME types detected by the SMTPd scanner
search_tft_cache_entry() Entry 'TFT/PCAP-A' found-> hash '506'
search-pattern: application/[Link]
search-pattern: [Link]
2. Check the MIME type using the file command in Linux
# file --mime-type [Link]
[Link]: application/[Link]
3. When the file filter matches, the [filtered] keyword is appended to the Subject header.
add_header: 'Subject: [filtered] test image file'

SASI integration

In this section we will cover SASI integration

SFOS Antispam Changes

Cyren Services                        SASI (Sophos Anti-Spam Interface)
• CTIPD (IP reputation)               • SXL (IP reputation)
• CTASD (Spam scanner)                • SASI (Spam engine)
SFOS Antispam Changes

New in version 18.5 MR3+ and v19.0 EAP 2, the Sophos Firewall is moving away from Cyren to our in-house
Sophos Labs spam engine. The Sophos Firewall is the last Sophos product still utilizing Cyren services.

From the customer's perspective and on the configuration side, nothing changes, as the changes made are
under-the-hood updates.

Previously, the CTIPD service was used for IP reputation checks and CTASD for anti-spam scanning, both of
which are part of the third-party Cyren services. After updating, the SXL and SASI services take over the
reputation/anti-spam checks.

In the event a false positive or false negative needs to be submitted, use the following article:

[Link]

SASI engine v4.1.4 is used which is our own anti-spam solution developed by Sophos Labs. The only change
on the UI is under the pattern updates, it now lists Anti-spam. This means any future false positive or false
negative spam emails should be submitted using the following article:

[Link]

SASI Troubleshooting
Location of the file                        Description
/bin/sasi                                   SASI binary (built for Linux 32-bit)
/lib/sasi/bin/rsync                         The rsync binary SASI uses to merge downloaded deltas into its DB
/cfs/sasi/[Link]                            SASI configuration file
/conf/certificate/cacerts/curl-ca-[Link]    CA certificate used to validate the Sophos signature server every
                                            time SASI downloads updates for the database
/sdisk/sasi/[Link]                          SASI database location
/log/[Link]                                 SASI logs

service antispam:<start/stop/restart/status> -ds nosync

curl -v -X POST -H "X-LASED-Pver: 0000002" -H "X-LASED-ReqType: command" -d "command=getFitness" [Link]

SASI Troubleshooting

The following may be used for SASI troubleshooting. The primary SASI troubleshooting log is [Link], which
logs all pattern updates and statuses, while the SASI pattern updates and antispam database files are
stored in the /sdisk/sasi directory.

Wiki Reference: [Link]+SASI+Support+Documentation

Managing the antispam engine service uses the standard service commands.

The curl command listed below can be used to run a basic health check of the SASI daemon. Below is
a snippet of the response from a healthy SASI daemon.

* About to connect() to [Link] port 25316 (#0)
* Trying [Link]... connected
* Connected to [Link] ([Link]) port 25316 (#0)
> POST / HTTP/1.1
> User-Agent: curl/7.19.7 (i686-pc-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.2j zlib/1.2.8 libidn/1.10
> Host: [Link]:25316
> Accept: */*
> X-LASED-Pver: 0000002
> X-LASED-ReqType: command
> Content-Length: 18
> Content-Type: application/x-www-form-urlencoded
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Cache-Control: private
< Server: Light-ASE 1.0
< Content-Type: text/plain
< Date: Mon, 26 Apr 2021 [Link] GMT
< Content-Length: 0
<
* Closing connection #0

Sample configuration file for SASI: (The SASI configuration file is located at /cfs/sasi/[Link]. It is
generated by an opcode, which means edits to this file are not preserved after a reboot.)

LOG_FILE = /log/[Link]
DEBUG_LEVEL = ERROR
CONSOL_OUTPUT = TRUE
LOG_SIZE = 10485760

LISTENING_PORT = 25315
LISTENING_ADDR = [Link]
TCP_NODELAY = TRUE
SPAMENGINE_DB_PATH = /sdisk/sasi
SPAMENGINE_DB_NAME = [Link]
CLIENT_TIMEOUT = 30
MAX_CONNECTIONS = 12
MAX_THREAD = 4
WEIGHT_ENABLE = TRUE

ENABLE_PRECOMPILED_SIGS = FALSE
SIG_UPDATE_TIMEOUT = 480
SERVER_URL = [Link]
RSYNC_PATH = /lib/sasi/bin
CA_CERT_PATH = /conf/certificate/cacerts/[Link]
CUSTOMER_DEVICE_ID = XG/18.5.3.10061 (SFDemo-nest-vm-08/ecdd938b-5282-4f19-a646-74a79d510420)
HMAC_TOKEN = none

SASI Logs
/log/[Link]
2021-04-26.[Link] MESSAGE [9999] [ [Link]] LASE Daemon STARTED
2021-04-26.[Link] MESSAGE [9999] [ [Link]] LASE Daemon Version: 4.1.4
2021-04-26.[Link] MESSAGE [9999] [ [Link]] Lased started on port : 25315
2021-04-26.[Link] MESSAGE [9999] [ [Link]] [Precompile thread]: Signatures are out of sync. Fetching new signatures.
2021-04-26.[Link] MESSAGE [9999] [ [Link]] Downloaded file /var/pattern/sasi/[Link] is verified with checksum..
2021-04-26.[Link] MESSAGE [9999] [ [Link]] Database loaded of version: 2021.4.26.93315
2021-04-26.[Link] MESSAGE [9999] [ [Link]] [Precompile thread]: New signatures are fetched and successfully loaded.
2021-04-26.[Link] MESSAGE [9999] [ [Link]] Downloaded file /var/pattern/sasi/[Link] is verified with checksum..
2021-04-26.[Link] MESSAGE [9999] [ [Link]] Database loaded of version: 2021.4.26.95415
2021-04-26.[Link] MESSAGE [9999] [ [Link]] [Precompile thread]: Signatures are reloaded with latest delta and verified with checksum of new signatures.
...

2021-04-28.[Link] MESSAGE [9999] [ [Link]] LASE Daemon STARTED
2021-04-28.[Link] MESSAGE [9999] [ [Link]] LASE Daemon Version: 4.1.4
2021-04-28.[Link] MESSAGE [9999] [ [Link]] Lased started on port : 25315
2021-04-28.[Link] ERROR [9999] [ [Link]] Couldn't fetch: [Link]

This is an example of what the logs look like during a successful and a failed update. The first block
shows LASEd being updated to the latest signature version; the second block shows what is displayed in the
event of a failure.
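Because the SASI log is the primary place where pattern updates are recorded, it is worth being able to summarise it automatically. The following is an added example, not Sophos tooling: it parses lines of the shape shown above (`<date>.<time> <LEVEL> [<pid>] [ <addr>] <message>`), records every signature version that was loaded, collects ERROR events such as the “Couldn't fetch” failure, and reports whether the last successful load is older than a chosen threshold. The sample lines are constructed; the time-of-day format, the address and the update URL are placeholders, since the handout redacts them.

```python
"""Summarise a SASI (lased) log: latest loaded signature version and failures.

Added example (not Sophos tooling). SAMPLE_LOG is constructed; the real
log path and update URL are redacted in the handout.
"""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
2021-04-26.10:15:01 MESSAGE [9999] [ 127.0.0.1] LASE Daemon STARTED
2021-04-26.10:15:01 MESSAGE [9999] [ 127.0.0.1] LASE Daemon Version: 4.1.4
2021-04-26.10:15:02 MESSAGE [9999] [ 127.0.0.1] Lased started on port : 25315
2021-04-26.10:15:40 MESSAGE [9999] [ 127.0.0.1] Database loaded of version: 2021.4.26.93315
2021-04-26.10:35:12 MESSAGE [9999] [ 127.0.0.1] Database loaded of version: 2021.4.26.95415
2021-04-28.09:02:11 MESSAGE [9999] [ 127.0.0.1] LASE Daemon STARTED
2021-04-28.09:02:15 ERROR [9999] [ 127.0.0.1] Couldn't fetch: https://updates.example.invalid/sasi
"""

_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}\.\d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[(?P<pid>\d+)\] \[\s*(?P<addr>[^\]]+)\] (?P<msg>.*)$"
)
_VERSION = re.compile(r"Database loaded of version: (\S+)")


def _to_seconds(ts):
    """'2021-04-28.10:00:00' -> seconds since the epoch (treated as UTC)."""
    return datetime.strptime(ts, "%Y-%m-%d.%H:%M:%S").replace(
        tzinfo=timezone.utc).timestamp()


def parse_lased_log(text):
    """Return one dict per well-formed line; wrapped continuation lines
    that do not start with a timestamp are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def health_summary(events, now_ts, max_age_hours=24):
    """Latest loaded version, when it was loaded, ERROR events, and whether
    the last successful load is older than max_age_hours at time now_ts."""
    loads = []
    for e in events:
        m = _VERSION.search(e["msg"])
        if m:
            loads.append((e["ts"], m.group(1)))
    errors = [e for e in events if e["level"] == "ERROR"]
    loaded_at, version = loads[-1] if loads else (None, None)
    stale = (loaded_at is None or
             _to_seconds(now_ts) - _to_seconds(loaded_at) > max_age_hours * 3600)
    return {"latest_version": version, "loaded_at": loaded_at,
            "errors": errors, "stale": stale}
```

On the sample, the summary names version 2021.4.26.95415 as the last database loaded and flags it as stale two days later, alongside the single “Couldn't fetch” error; on a real appliance the same two fields are what a monitoring check would alert on.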

Anti-spam Troubleshooting

Troubleshooting Anti-spam technologies

BATV Flow diagram
[Flow diagram: eight numbered steps between the “[Link]” mail server, the “i_hate.[Link]” mail server
and an “Evil Spammer”. Step 1: original mail From: jsmith@[Link] To: lfox@i_hate.[Link]. Step 2: signed
envelope From: prvs=SBDGAUJ=jsmith@[Link]. Step 3: “lfox@i_hate.[Link] does not exist”. Steps 4–5: bounce
From: <> To: prvs=SBDGAUJ=jsmith@[Link] is accepted (“Message could not be delivered”). Steps 6–7: spoofed
mail From: jsmith@[Link] To: lfox@i_hate.[Link] and its untagged bounce (“No TAG!”) From: <> To:
jsmith@[Link]. Step 8: Rejected. The steps are described in the notes below.]

Troubleshooting Anti-spam technologies


BATV Flow diagram

BATV is a mechanism wherein an outgoing email server adds a tag to the Envelope From address of all
outgoing emails. For example, if an email goes out with the From address <info@[Link]>, the
Envelope From is changed to <prvs=SBDGAUJ=info@[Link]>, where 'SBDGAUJ' is the added tag. This
tag is generated using an internal mechanism and is different for each email sent.
If a bounce is received by the incoming email servers, it is checked to see whether the bounce address has
the proper tag (in the above case 'SBDGAUJ'). If not, the email is rejected. BATV ensures that your email
users do not become victims of bounce floods.

1. jsmith@[Link] sends a mail to lfox@i_hate.[Link] and hands it off through the [Link] mail
server. However, unbeknownst to jsmith, lfox has recently changed her email address.
2. The [Link] mail server signs the SMTP MAIL FROM by adding a cryptographic tag.
3. The recipient email server, mail.i_hate_spam.com, sees that the person lfox does not exist.
4. The mail server accepts the message, but then bounces it back with a null sender and puts the original,
signed MAIL FROM information into the RCPT TO field.
5. When the message reaches the [Link] mail server, it sees that the message is a bounce. It checks the
tag in the RCPT TO information, which is subsequently verified, so it accepts the message and it is
delivered straight to the inbox.
6. Meanwhile, an evil spammer sends a message to lfox at mail.i_hate_spam.net while forging the
jsmith@[Link] address.
7. Mail.i_hate_spam.net accepts the message, discovers that it can’t deliver it (because lfox doesn’t exist
there either) and then bounces it back to jsmith, since jsmith appears to be the one who sent the message.
8. When the bounced message hits the [Link] email server, the server sees that the message is an NDR.
However, because the RCPT TO field is not signed, and the [Link] email server knows that all genuine
outbound mail from customers is signed, the message is rejected.

Troubleshooting Anti-spam technologies


Verifying BATV in the Mail logs

• Signatures expire after 7 days
• Validate incoming bounces contain a prvs tag
• Bounce mail got rejected due to invalid or expired signature
• Enable debug mode:
o # service smtpd:debug -ds nosync

Troubleshooting Anti-spam technologies


Verifying BATV in the Mail logs

In this example, we have 2 different bounce-back mail logs, in which “virus found: BATV Demo1” was
accepted because it contained a valid signature and BATV DEMO 2 was rejected due to an invalid
signature.

Troubleshooting steps :-

1. Enable debug for smtpd and provide the smtpd_main.log

# service smtpd:debug -ds nosync

Check smtpd_main.log
2. Provide an email sample of the original email (inbound) and, where applicable, the original outbound
email (outbox)

Points to remember
• There is an exception policy for BATV where the admin can exempt IPs, senders or recipients from BATV.
• Rejected bounce mail should be logged to the mail log
• The default action of BATV is REJECT
• prvs-signed mail is valid for 7 days; after this time the tags expire
• These tags are not stored in the database because they are generated from the prvs secret key and the
sender address at the time of mail processing.
• Some mail transfer agents may reject a message whose envelope sender address was modified using
BATV. In this case, you need to create an exception rule for the senders, recipients, or domains affected.
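The points above (tags derived from a secret key and the sender address, 7-day validity, untagged bounces rejected) are easiest to understand by building them. The following is an added example, not the firewall's implementation: it uses the prvs layout from the BATV draft (draft-levine-smtp-batv), `prvs=KDDDSSSSSS=local@domain`, where K is a key number, DDD the expiry day (days since the Unix epoch, modulo 1000) and SSSSSS the first 6 hex digits of an HMAC-SHA1 over `KDDD` and the address. The signing key, addresses and day numbers are constructed; the firewall's own tag format (e.g. 'SBDGAUJ' on the slide) may differ.

```python
"""BATV prvs tagging and bounce verification (draft-levine-smtp-batv layout).

Added example, not the firewall's implementation. KEY values, addresses
and day numbers in the tests are constructed.
"""
import hashlib
import hmac
import re

VALIDITY_DAYS = 7            # tags expire after 7 days, as the notes state
_PRVS = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<addr>.+)$", re.I)


def _sig(key, key_num, ddd, address):
    """First 6 hex digits of HMAC-SHA1(key, "KDDD" + lowercased address)."""
    msg = ("%d%03d%s" % (key_num, ddd, address.lower())).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, key, today, key_num=0):
    """Sign an outbound envelope sender. today = days since the epoch."""
    ddd = (today + VALIDITY_DAYS) % 1000
    return "prvs=%d%03d%s=%s" % (key_num, ddd, _sig(key, key_num, ddd, address), address)


def verify_bounce_recipient(rcpt, key, today):
    """Return (accept, reason) for the RCPT TO of a bounce (null sender)."""
    m = _PRVS.match(rcpt)
    if not m:
        return False, "no prvs tag: bounce rejected"
    key_num, ddd, addr = int(m["k"]), int(m["ddd"]), m["addr"]
    if not hmac.compare_digest(m["sig"].lower(), _sig(key, key_num, ddd, addr)):
        return False, "invalid signature: bounce rejected"
    # expiry day is stored modulo 1000; a wrapped negative remainder means expired
    days_left = (ddd - today % 1000) % 1000
    if days_left > VALIDITY_DAYS:
        return False, "expired signature: bounce rejected"
    return True, "valid prvs tag for %s" % addr


def handle_inbound(mail_from, rcpt_to, key, today):
    """Apply BATV only to bounces: a non-empty MAIL FROM is ordinary mail."""
    if mail_from.strip("<> ") != "":
        return True, "not a bounce: BATV not applied"
    return verify_bounce_recipient(rcpt_to, key, today)
```

`tag_sender` is what the outbound MTA applies to MAIL FROM; `handle_inbound` is the check the receiving MTA runs when MAIL FROM is the null sender, which is why a forged-sender bounce (step 8 of the flow) is rejected while a genuine one (step 5) passes.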

Troubleshooting Anti-spam technologies

SPF Flow diagram
[Flow diagram: Sending Mail Server (IP [Link]; Return-Path: bounces@[Link] included in the headers) →
Send Email → Receiving Mail Server: Receive Email → Extract return-path address → Extract domain from
return-path address → Fetch [Link] SPF TXT record from DNS → DNS returns the [Link] SPF TXT record
(valid address list) → Is the sending server IP address in the valid SPF address list? Y: SPF Pass,
N: SPF Fail.]

Troubleshooting Anti-spam technologies


SPF Flow diagram

An SPF (Sender Policy Framework) record is a public DNS TXT entry that specifies the IP addresses that send
email on behalf of your domain.
Receiving mail servers use it to validate whether the envelope sender's IP address is authorized to send
mail for the domain, for the purpose of email spoofing prevention.

Sender Policy Framework (SPF) is an email authentication mechanism that provides both antispam and anti-
phishing protection. It is based on RFC 7208, which replaced the previous release, RFC 4408. As a
validation protocol, it uses DNS records to identify legitimate or invalid inbound email. Once enabled,
Sophos Firewall will detect and reject SMTP connections from unauthorized email sender domains.

Here’s an example of SPF at a high level:

The administrator of [Link] creates a DNS TXT record specifying that emails sent from [Link]
should only originate from IP [Link].
A user of the [Link] domain sends an email. The email is sent by the [Link] email server,
whose IP is [Link].
SPF works by looking at the domain of the Return-Path value included in the email’s headers. The receiving
server fetches the domain’s SPF record and then checks whether the source email server IP is approved to
send emails for that domain. When the recipient’s email server receives the email, it takes the email
domain [Link] and performs a TXT lookup, looking for the SPF record.
The recipient’s email server [Link] then compares the source IP of the email with the one listed in
the SPF record.
The email is accepted because the source IP of the email matches what is specified by the SPF record; if
the sender IP does not match the SPF record, the email is dropped.

Reference:
RFC 7208: [Link]

SPF has 2 scenarios when processing inbound email. The first is rejecting unauthorized or illegitimate
connections. The second is when the email source IP is verified via the DNS + SPF check; the connection
is then accepted and the inbound email processed.
Though SPF-related log events are stored in ‘/log/smtpd_main.log’, the smtpd service must be placed in
‘debug’ mode before SPF log events are recorded. To enable debug logging run the command: ‘# service
smtpd:debug -ds nosync’.

Note: Running the ‘service smtpd:debug -ds nosync‘ command a second time will disable debug logging.

Troubleshooting Anti-spam technologies


Verifying SPF records with nslookup
# nslookup -q=txt [Link]
Domain Name Server# [Link]
Domain Name # [Link]

Resolved Address 1# "v=spf1 include:[Link]._nspf.[Link] include:%{i}._ip.%{h}._ehlo.%{d}._spf.[Link] ~all"
Total query time # 0.26 msec

# nslookup -q=txt [Link]._nspf.[Link]

Domain Name Server# [Link]
Domain Name # [Link]._nspf.[Link]
Resolved Address 1# "v=spf1 -all"
Total query time # 2.15 msec

Troubleshooting Email Protection


Verifying SPF records with nslookup

To look up and check a valid domain's SPF record, run the command ‘nslookup -q=txt <domain>’. In
this example, we find the SPF records for [Link].

The action MTA will perform on specific SPF results
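The SPF check described in this section, and the mapping of its result to the MTA's action, as an added example (not the firewall's SPF implementation): a minimal RFC 7208 evaluator that walks a `v=spf1 ...` record the way the flow diagram describes, resolving `include:` chains through a supplied TXT lookup, and returns the SPF result (pass, fail, softfail, neutral, none, permerror) for a sender IP. Only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled, which is enough for records shaped like the nslookup output above; the records, domains and IPs are constructed, not the redacted real ones. The `mta_action` mapping assumes that only a hard fail is rejected when “Reject based on SPF” is enabled, as the earlier rejection example shows; softfail and neutral are accepted in this model.

```python
"""Minimal SPF (RFC 7208) evaluator with an injectable DNS table.

Added example, not the firewall's code. FAKE_TXT is constructed.
"""
import ipaddress

# Constructed TXT data mirroring the shape of the slide's records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
    "nomail.example.org": "v=spf1 -all",
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(ip, domain, txt_lookup=FAKE_TXT.get, _depth=0):
    """Return the SPF result string for `ip` sending with MAIL FROM `domain`."""
    if _depth > 10:                        # RFC 7208 limits DNS-querying terms
        return "permerror"
    record = txt_lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == network.version and addr in network
        elif name == "include":
            sub = evaluate_spf(ip, arg, txt_lookup, _depth + 1)
            if sub in ("permerror", "none"):   # include of a missing record
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"                # mechanism this model omits
        if matched:
            return _QUALIFIERS[qualifier]
    return "neutral"                           # fell off the end of the record


def mta_action(result, reject_based_on_spf=True):
    """Assumed mapping: with "Reject based on SPF" enabled a hard fail is
    rejected (the 550 shown earlier); every other result is accepted."""
    if result == "fail" and reject_based_on_spf:
        return "reject"
    return "accept"
```

With the constructed table, a host in 192.0.2.0/24 passes directly, 198.51.100.7 passes through the include, and any other address ends at `~all` and receives softfail, which this model accepts; the `nomail.example.org` record, like the `v=spf1 -all` record in the nslookup output, yields fail for every sender and is the case that triggers the 550 rejection.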

Troubleshooting Anti-Spam New Email

Grey listing flow

[Flowchart: Accept Email → RDNS lookup → Trusted host? → Spam exception list? → Known sender? →
31 day limit expired? (Yes: remove entry from known sender) → 7 day limit expired? (Yes: remove entry from
known sender, inactive for 7 days; No: update last access time) → Already Greylisted? → 24hr limit
expired? (Yes: remove entry from Greylisted table, retry after 24 hours) → Minimum retry time (4 mins)
not reached? (Yes: Reject Email; No: add entry in known sender and remove entry from Greylisted table) →
not yet Greylisted: add to Greylisted table and Reject Email. The flow is described in the notes below.]

Grey listing flow

Overview
• Grey listing is an industry technology which temporarily blocks emails from being received by XG, by
rejecting the messages for a specific amount of time. The key point is to group them by the set
(sender email address, sender IP address, recipient address and message subject) and block incoming
emails for, say, 4 to 15 minutes.
• The data set is compared with the SMTP proxy's internal database; if the data is not yet recorded, a
corresponding record entry and time stamp is created in the database, and the email is rejected for a
period (example: 4 minutes). Once the time expires and the email is sent again, the message is accepted.
• The positive note is that it doesn’t use patterns, data analytics or heuristics to analyze the email, but
relies on behaviour. For example, if an email with the same message subject is received by the recipient
every 4 minutes, the behaviour can be construed as malicious and a possible sign of spam; grey listing
ensures the message is blocked for the time being.
• Grey listing should only be applied to inbound emails.
• A client sends an inbound email and it is intercepted by the SMTPD service. The sender/host is
greylisted/temporarily rejected for 4 minutes after the first attempt. The SMTPD service then waits for
the same mail with the same mail content, MAIL FROM and RCPT TO after the grey listing timeout.
• For grey listing, the cleanup timer runs at 23:59 daily, so an entry is removed only at the timer
execution even if the 24hr/7day/31day period has already completed. For example, if the 1st mail is
received at 1:00 pm on 13th August and the sender is inactive for the next 7 days, the entry is removed
at 23:59 on 20th August.
Grey listing identifies the following data set:

Sender Email Address
Sender IP Address
Recipient Address
Message Subject

The MTA service will accept and check against the grey list as follows:

• If a spam exception matches the inbound email, the email is checked against the trusted host list and an
RDNS lookup respectively. If the host/domain is in the trusted list and the RDNS lookup is successful, the
MTA accepts the mail and, as per the matched profile, forwards it to the mail server according to routing.

• If there is no match in the exception list, it checks the known sender list. If a sender entry is present
in the database and the entry is more than 31 days old, the MTA service removes that entry and performs the
above steps again. If the 31-day limit has not expired for that known sender, it checks the 7-day limit,
where the MTA service checks for inactivity of that sender. If the sender has been inactive for 7 days or
more, the entry for that host is removed. If the sender is active, the last access time is updated and the
email is accepted. The maximum size of the known hosts table is 1 million entries.

• If the sender has not been greylisted before, it is added to the greylisted table. After being greylisted,
the email is rejected. If the host does not retry the mail, the entry is removed after 24 hours.

• The sender/host is added to Known Hosts if the same mail is retried between 5 minutes and 24 hours after
the first attempt.

Note: One notable use of grey listing is when a known, legitimate site has been hacked or infected and is
in turn sending out emails which are either spam or virus-infected. Grey listing effectively blocks the
originating MTA and ensures the customer’s domain is protected for the duration of the issue.
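The decision logic of the flow and the notes above, as an added example (not the firewall's code): a small in-memory model with an injectable clock that keeps a greylisted table keyed on (sender, sender IP, recipient, subject) and a known-sender table, and applies the timers the text gives: the 4-minute minimum retry from the flowchart (the notes quote 5 minutes for the same threshold), the 24-hour greylist expiry, promotion to known sender on a retry between the minimum and 24 hours, removal of known senders after 7 days of inactivity or 31 days of age, and trusted hosts that skip the check. The nightly 23:59 cleanup is modelled as an eager expiry pass on every check; times are seconds on a plain counter, and all addresses are constructed.

```python
"""Grey-listing decision model following the flow described in the notes.

Added example (not the firewall's code). Times are seconds on an
injected clock; the nightly cleanup is modelled as an eager expiry pass.
"""

MIN_RETRY = 4 * 60          # flowchart: "4 mins minimum retry time"
GREYLIST_TTL = 24 * 3600    # untried greylist entries are dropped after 24 h
INACTIVE_LIMIT = 7 * 86400  # known sender removed after 7 days of inactivity
MAX_AGE = 31 * 86400        # known sender removed 31 days after first seen


class Greylister:
    def __init__(self, trusted_hosts=()):
        self.trusted = set(trusted_hosts)   # spam exception / trusted host list
        self.greylisted = {}                # key -> time of first attempt
        self.known = {}                     # sender IP -> [first_seen, last_seen]

    def check(self, sender, ip, rcpt, subject, now):
        """Return (action, reason); action is 'accept' or 'temp_reject'."""
        self._expire(now)
        if ip in self.trusted:
            return "accept", "trusted host / spam exception"
        if ip in self.known:
            self.known[ip][1] = now          # update last access time
            return "accept", "known sender"
        key = (sender.lower(), ip, rcpt.lower(), subject)
        first = self.greylisted.get(key)
        if first is None:
            self.greylisted[key] = now
            return "temp_reject", "Temporary Rejection: Sender IP has been Greylisted"
        if now - first < MIN_RETRY:
            return "temp_reject", "minimum retry time not reached"
        # retried between MIN_RETRY and GREYLIST_TTL: promote to known sender
        del self.greylisted[key]
        self.known[ip] = [now, now]
        return "accept", "successful greylist retry"

    def _expire(self, now):
        """The 24 h / 7 day / 31 day removals the nightly timer performs."""
        for key, first in list(self.greylisted.items()):
            if now - first >= GREYLIST_TTL:
                del self.greylisted[key]
        for ip, (first_seen, last_seen) in list(self.known.items()):
            if now - first_seen >= MAX_AGE or now - last_seen >= INACTIVE_LIMIT:
                del self.known[ip]
```

The sequence in the log example further down (a temporary rejection, then “Successful greylist retry” roughly four minutes later) corresponds to the first and third `check` calls in the test: same sender, IP, recipient and subject, retried after the minimum wait.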

Troubleshooting Anti-spam technologies


Log example for a reject and accept of grey listing
# tail -f /log/smtpd_main.log
2019-07-16 [Link].704 [3071] SMTP connection from [[Link]]:59568 I=[[Link]]:25 (TCP/IP connection count = 1)
2019-07-16 [Link].998 [7213] H=[Link] [[Link]]:59568 I=[[Link]]:25 Warning: [Link] profile grey listing: Doing grey listing for this message
2019-07-16 [Link].998 [7213] [[Link]] F=<test@[Link]> R=<test@[Link]> Accepted: upstream host
2019-07-16 [Link].015 [7213] 1hnGG2-0001sL-WD grey listing: Greylisted [Link]
2019-07-16 [Link].030 [7213] 1hnGG2-0001sL-WD H=[Link] [[Link]]:59568 I=[[Link]]:25 F=<test@[Link]> temporarily rejected after DATA: Temporary local problem, please try again!
2019-07-16 [Link].038 [7213] SMTP connection from [Link] [[Link]]:59568 I=[[Link]]:25 closed by QUIT

2019-07-16 [Link].250 [3071] SMTP connection from [[Link]]:59570 I=[[Link]]:25 (TCP/IP connection count = 1)
2019-07-16 [Link].690 [7758] H=[Link] [[Link]]:59570 I=[[Link]]:25 Warning: [Link] profile grey listing: Doing grey listing for this message
2019-07-16 [Link].690 [7758] [[Link]] F=<test@[Link]> R=<test@[Link]> Accepted: upstream host
2019-07-16 [Link].704 [7758] 1hnGK3-000218-MH grey listing: Successful greylist retry from [Link] (original host was [Link])

Troubleshooting grey listing

The smtpd log example shows two connections: the first delivery attempt is temporarily rejected because of grey listing, and the retry about 4 minutes later is accepted.

Database
When a sender's server address was greylisted:
#psql -U nobody -d iviewdb -p 5433 -c "select * from tblgreylisted"
#psql -U nobody -d iviewdb -p 5433 -c "select * from tblmaillog where decription ='Temporary Rejection: Sender IP address has been Greylisted.'"

When XG added the sender server IP address to the trusted (known) sender list:
#psql -U nobody -d iviewdb -p 5433 -c "select * from tblknownsender"

Troubleshooting Anti-spam technologies


DKIM and Inbound Verification UI

Default DKIM parameters:
• SHA-256
• Base64 encoding
• RSA – 2048bit

Troubleshooting DKIM
Inbound Verification UI

DKIM verification helps validate inbound emails by checking the source domain name and the message integrity with cryptographic authentication, which prevents email spoofing.
DKIM inbound verification eliminates spam and guarantees message contents from domains that use DKIM and that you trust.

Troubleshooting Anti-spam technologies


[Figure: DKIM (Domain Keys Identified Mail) flow diagram. Sending side: the email client sends a DKIM-signed email; the DKIM-Signature, created with the private DKIM key (SHA-256 hash, Base64 encoding, RSA – 2048bit), is included in the headers. Receiving mail server: extracts the dkim-signature from the email headers, fetches the [Link] DKIM record from DNS at 's._domainkey.[Link]' (s = selector), which returns the DKIM DNS entry, validates the message using the public key from the DKIM record, and checks "Was message unchanged?": Y = DKIM Pass, N = DKIM Fail.]

Email Protection
DKIM (Domain Keys Identified Mail) Flow diagram

DomainKeys Identified Mail (DKIM) is a method for e-mail authentication that allows the receiver of an email to verify that the message actually comes from the domain it claims to come from. The need for this type of authentication arises because spam often has forged headers, and DKIM improves the recognition of bogus senders, i.e. phishing [Link] For example, a spam message may claim in its "From:" header to be from sender@[Link] when in fact it is not from that address, and the spammer's goal is only to convince the recipient to click on a link in the body of the email that leads to some other web site.

Because the email is not actually from the [Link] domain, the recipient gains nothing by complaining to the system administrator for [Link]. It also becomes difficult for recipients to establish whether to give good or bad reputations to various domains, and system administrators may have to deal with complaints about spam that appears to have originated from their systems, but didn't. DKIM adds a header named "DKIM-Signature" that contains a digital signature of the contents (headers and body) of the mail message. The default parameters for the authentication mechanism are SHA-256 as the cryptographic hash and RSA as the public key scheme, with the encrypted hash encoded using Base64.
The receiving SMTP server then uses the name of the domain from which the mail originated, the string _domainkey, and a selector from the header to perform a DNS lookup. The returned data includes the domain's public key. The receiver can then decrypt the hash value in the header field and at the same time recalculate the hash value for the mail message (headers and body) that was received. If the two values match, this cryptographically proves that the mail originated at the purported domain and has not been tampered with in transit.

DomainKeys Identified Mail (DKIM)


• RFC 4871
• [Link]
• [Link]

DKIM Configuration
Step-1 - Generate signing key (public/private key pair)

• The recipient can query DNS to get the public key for the domain and use it to verify the hash and signature of the email, confirming that it was signed by the indicated domain and that the header has not been tampered with in transit.
• To configure DKIM you first need to create the public and private keys. On the UTM you can do this by running the commands:
o To create a 2048 bit private key: openssl genrsa -out [Link] 2048
o To extract the public key: openssl rsa -in [Link] -out [Link] -pubout -outform PEM
o To strip unwanted characters from the public key: grep -v -e "^-" [Link] | tr -d "\n"
• The public key you will need in the next step is highlighted here. Be careful not to include the hostname at the end.

Note: Sophos Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have a key length of less than 1024 or more than 2048 characters.

# openssl genrsa -out [Link] 2048
Generating RSA private key, 2048 bit long modulus
..........+++
..................................................................................................................................................+++
e is 65537 (0x10001)

# openssl rsa -in [Link] -out [Link] -pubout -outform PEM
writing RSA key

# grep -v -e "^-" [Link] | tr -d "\n"
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw3ufUTThdalyA2YPKrXM+NSrhs1+vWz57apJKto4A
9SSQlzTwW7KRvqaN7b3zeQTFA6PAnQmo8U2zo4K810yyucDf5fPbef1h+vP1tjQdvH17R9sANNo1UhaKqt0uv
p99tLUjgbket38IuDUeTq7z1PHejRdpG2NK7m4KzRi5/tCdKEKO1xQeb84ROlDCbfVJOkJJmsck5eqZA27OshN7k
zGKn4uP/ZMQsQdkGkN3BSJicqy60A3mpWIzoPQZ5leUD

DKIM (Domain Keys Identified Mail)

Step-2 Publish public key for own domain(s) in DNS

• The next step is to create a record in DNS. Each domain key requires a selector that is included in the email so that the receiving server can look it up. In this example the hostname of the XG is used as the selector.
o The hostname for the DKIM record should be <selector>._domainkey.[Link].
o The record is a TXT (text) type record.
o Due to the length of the record, in BIND9 you need to split it across several lines using quote marks.
o The record should start with the DKIM version and the key algorithm.
• There are other flags that you can include in the DNS record, including "t=y;" which indicates that the key is in testing mode and that recipients should ignore your DKIM signature.

Note: A DNS record can also be generated directly from [Link], but this is not recommended as it is not secure.

lon-gw1._domainkey.[Link]. IN TXT (
"v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw3ufUTThdalyA2YPKrXM+NSrhs1+vWz57apJKto
4A9SSQlzTwW7KRvqaN7b3zeQTFA6PAnQmo8U2zo4K810yyucDf5fPbef1h+vP1tjQdvH17R9sANNo1UhaKqt0
uvp99tLUjgbket38IuDUeTq7z1PHejRdpG2NK7m4KzRi5/tCdKEKO1xQeb84ROlDCbfVJOkJJmsck5eqZA27OshN
7kzGKn4uP/ZMQsQdkGkN3BSJicqy60A3mpWIzoPQZ5leUD" )

DKIM (Domain Keys Identified Mail)

Step-3 Configure private key and selector in WebAdmin

To configure DKIM on the UTM, you need to paste the private key into the DKIM section, enter the selector name for the key in DNS so that recipients can look it up, and choose which domains you want the UTM to sign using DKIM.

Note: The private key uploaded for DKI M signing is stored on the appliance under /var/exim/dkim/ (list it with ls -lah /var/exim/dkim/).

DKIM (Domain Keys Identified Mail)

Step-4 Test your configuration

You can test DKIM using Gmail. In an email, use the menu to view the original message and you will see a summary at the top that shows whether DKIM validation passed or failed.

Database tables

The command psql -U nobody -d corporate -c "select * from tbldkimsigning" displays the DKIM signing database table, and the tbldkimverification table gives information about the different parameters for DKIM verification.

Troubleshooting Anti-spam technologies

DKIM signature header sample
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=lon-gw1;
d=[Link]; h=From:Date:Subject:MIME-Version:Content-Type:To:Message-ID; i=info@[Link];
bh=nTZ5dMJsUUR3AQtCHx/sfVzBrXM=;
b=ZNVolJowcNPxRbK0DxMQdUjq6+VKvK99kT1cxnuj7xOL9N0S483Na2qwG1ndmiKVYzbp/6ZKp1aH
IWp2n+pkUUyczhXUKioLVHaNrikTvt76ODQz/GSlniMaOM7Vx8OB86C4NzJRh1/r09In
AFyvqE8c+y2DeBtaOcqTztLaueU=
(The slide callouts mark the identity, version, algorithm and selector tags on the first lines, and the hash data in bh= and b=.)

DKIM (Domain Keys Identified Mail)

DKIM signature header sample

Details of DKIM signature header

• v, Version—version of the DKIM standard being used
• a, Algorithm—cryptographic algorithm used to create the hash and signature
• c, Canonicalization—whether changes to the email such as whitespace or line wrapping are tolerated
• s, Selector—selector used to query the correct public key under the d value
• d, Domain—the domain that signed the message
• i, Identity—the identity of the signer, in email address format
• b, Signature—the signed hash of the headers listed in the h= tag; this is the DKIM signature itself and is encoded in Base64.
• bh, Body hash—the computed hash of the message body. The value is a string of characters representing the hash determined by the hash algorithm.
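A worked example added here, not code from the handout or from Sophos Firewall, that ties the DKIM pieces above together in Python: parsing the DKIM-Signature tag list, building the <selector>._domainkey.<domain> query name, re-joining a TXT record that the zone file split into quoted strings, reading the RSA modulus size out of the p= value, and applying the quarantine rule stated in Step-1 (RSA SHA-1, key size outside 1024..2048). The sample header and the test key are constructed (the selector 20161025 is the one shown on the page; example.com stands in for the real domain), and the 1024..2048 limit is interpreted as the modulus size in bits, which is an assumption.

```python
import base64
import re


def parse_tag_list(value):
    """Parse a DKIM tag=value list (a DKIM-Signature value or the DNS TXT record, RFC 6376).
    Folding whitespace is dropped, and only the first '=' splits tag from value, so the
    Base64 padding in b= and bh= survives."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """The name the verifier queries: <selector>._domainkey.<domain>, from the s= and d= tags."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def join_txt_chunks(rdata):
    """A long TXT record is published as several quoted strings (as in the BIND zone file and in
    nslookup/dig output); the verifier concatenates them before parsing the tags."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def _der_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Modulus size in bits of the SubjectPublicKeyInfo carried in the record's p= tag
    (what `openssl rsa -pubout` emitted, once the PEM header/footer lines were stripped)."""
    tag, spki, _ = _der_tlv(base64.b64decode(p_value), 0)   # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SubjectPublicKeyInfo")
    _, _, pos = _der_tlv(spki, 0)                           # AlgorithmIdentifier (skipped)
    tag, bit_string, _ = _der_tlv(spki, pos)                # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    _, rsa_pub, _ = _der_tlv(bit_string[1:], 0)             # skip the unused-bits byte
    _, modulus, _ = _der_tlv(rsa_pub, 0)                    # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def classify_signature(sig_tags, record_tags):
    """Apply the handout's quarantine rule before any signature check: RSA-SHA1 signatures and
    keys shorter than 1024 or longer than 2048 bits are quarantined (bits is an assumption)."""
    if sig_tags.get("v") != "1" or record_tags.get("k", "rsa") != "rsa":
        return "invalid signature: unsupported version or key type"
    if sig_tags.get("a") == "rsa-sha1":
        return "quarantine: rsa-sha1 signature"
    bits = rsa_modulus_bits(record_tags["p"])
    if bits < 1024 or bits > 2048:
        return f"quarantine: {bits}-bit key"
    return f"verify: {bits}-bit RSA, {sig_tags['a']}, c={sig_tags.get('c', 'simple/simple')}"


def _der(tag, payload):
    """Minimal DER encoder, used only to construct a test key for the parser above."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload


def constructed_spki(bits):
    """A SubjectPublicKeyInfo whose placeholder modulus is exactly `bits` bits (constructed for
    testing; it is not a usable RSA key)."""
    n = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _der(0x02, b"\x01\x00\x01"))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    return base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))).decode()


def publish_txt(p_value, chunk=255):
    """Render the record the way a zone file splits it: quoted strings of at most 255 characters."""
    body = f"v=DKIM1; k=rsa; p={p_value}"
    return " ".join(f'"{body[i:i + chunk]}"' for i in range(0, len(body), chunk))


# Constructed sample header: the page's selector 20161025 with a placeholder domain.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=20161025;\r\n"
                    " h=mime-version:from:date:message-id:subject:to;\r\n"
                    " bh=XAn7uCqRPomeltBFugglUWPrjx5efSz0nML/heF3OxQ=;\r\n"
                    " b=s4R9j4LD\r\n FlVTpDN9w4fg==")
```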

Troubleshooting Anti-spam technologies


Verifying DKIM records with nslookup
# nslookup -q=txt 20161025._domainkey.[Link]
Domain Name Server# [Link]
Domain Name # 20161025._domainkey.[Link]
Resolved Address 1# "k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviPGBk4ZB64UfSqWyAicdR
7lodhytae+EYRQVtKDhM+1mXjEqRtP/pDT3sBhazkmA48n2k5NJUyMEoO8nc2r6sUA+/
Dom5jRBZp6qDKJOwjJ5R/OpHamlRG+YRJQqR"
"tqEgSiJWG7h7efGYWmh4URhFM9k9+rmG/CwCgwx7Et+c8OMlngaLl04/bPmfpjdEyLW
yNimk761CX6KymzYiRDNz1MOJOJ7OzFaS4PFbVLn0m5mf0HVNtBpPwWuCNvaFVflUYxE
yblbB6h/oWOPGbzoSgtRA47SHV53SwZjIsVpbq4LxUW9IxAEwYzGcSgZ4n5Q8X8Tndow
sDUzoccPFGhdwIDAQAB"
Total query time # 4.35 msec
(In the queried name, 20161025 is the selector and [Link] is the domain.)

Troubleshooting Email Protection


Verifying DKIM records with nslookup

To look up and check a valid domain DKIM record, run the command 'nslookup -q=txt <selector>._domainkey.<domain>'. In this example, we find the DKIM records for [Link].

The DKIM header can be retrieved from the received mail, as in the example below:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=XAn7uCqRPomeltBFugglUWPrjx5efSz0nML/heF3OxQ=;
b=s4R9j4LDFlVTpDN9w4fg6P51QSn3Qztb/+CNY+K3UQFT4Zmn9ocX9kcVI1jpUcCWR9N7s7RazHiPpoM1EGF
Q7ZjtiUnoNRt6QeCELP17qcXXC60m46G5RpBFaq9qrm368bYEzy4yDfATyRwXzQVufAe/J8HzO2aSUX1I6jY+p/
GHoSc4NQfXS8Dcuih1Dpbg37gwWhap+wRgUjrFgPW4C0D147AcycBtjpAGHSSGj+6CI3WcGiotCu7d4hW3yn
LlURw6u67+NYa9tEiNFvpVVNJj4aucb/CpKcahymna10YHHhIX5TCIblKEj3qZzxAjNcd1FTnZZrWXeLzlwHHKEw==


To look up DKIM entries from an Apple, Linux or Unix shell, we can use dig:
#dig txt <selector>._domainkey.<domain>

Troubleshooting Anti-spam technologies

Verifying DKIM record for the Domain

DKIM (Domain Keys Identified Mail)

• To sign outgoing messages with DKIM you have to configure your DNS settings on the provider's side.
• Please note that without a TXT record you cannot use DKIM.

Note: The same TXT record can be verified from any Linux-based machine by running the command "dig nameofthekey._domainkey.[Link] TXT +short".

Troubleshooting Anti-spam technologies


[Figure: Inbound Verification flow. Inbound email arrives at the Exim listener / SMTP proxy. If DKIM verification failed: apply the DKIM Failed action. Otherwise, if the DKIM signature is invalid: apply the Invalid DKIM Signature action. Otherwise, if no DKIM signature is found: apply the DKIM Signature not found action. Otherwise, apply the other configured policies to the mail. DKIM verification actions: accept, reject, quarantine.]

DKIM (Domain Keys Identified Mail)


Inbound Verification flow

Should DKIM verification fail (e.g. the body hash does not match the signature, indicating that the email body was modified in transit, or the signature could not be verified, indicating a forged signature or a header modification), the failed DKIM action is applied.
If an invalid DKIM signature is detected (e.g. the sending domain's public key was not in the TXT record or it has invalid syntax), the invalid DKIM action is applied.
If no DKIM signature is found (e.g. the email does not have a DKIM signature for this domain), the no DKIM signature found action is applied.
Otherwise, the other mail rules are applied.

Note: If a single mail is sent to two users and an exception policy that skips DKIM verification exists for one of the recipients, a DKIM verification failure for the non-exempt user causes the mail to be rejected for both recipients.

Sophos Sandstorm

Sophos Sandstorm
Detecting Zero-Day Threats using Sandstorm

• Zero-day threat protection
• Supported in MTA (Mail Transfer Agent) mode
• Applicable to Inbound SMTP policy
• Email > Policy > Add policy > Malware Protection

Sophos Sandstorm
Services and log files

# service -S | grep "smtpd\|sandbox"
smtpd RUNNING
sandboxd RUNNING

# ls -l /log/sandbox*
-rw-r--r-- 1 root /log/sandbox_reportd.log
-rw-r--r-- 1 root /log/[Link]

Sophos Sandstorm
Services and log files

• To verify that the Sandstorm service is running, use the command above, service -S | grep "smtpd\|sandbox", which displays the following services:
• smtpd - the SMTP MTA service responsible for letting XG absorb, process and hand over the entire email plus attachments to either the downstream or the upstream MTA
• sandboxd - the main Sandstorm sandboxing daemon/service
• sandbox_reportd - the supporting Sandstorm daemon/service responsible for logging and displaying all the statistical information required for Sandstorm on XG

• smtpd_main.log remains the main transactional log file when this feature is enabled on XG. To support Sandstorm, two additional logs are added:
• sandbox_reportd.log
• [Link]

As standard, these logs are all located in the /log directory.

Sophos Sandstorm
Log example for Sandbox eligible file detected smtpd_mail.log
MSG Apr 16 [Link] [1hGLkj-0004w0-D5]: Sophos Antivirus Scanned result: Clean (file number:-1)
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '5'
MSG Apr 16 [Link] [1hGLkj-0004w0-D5]: Avira Antivirus Scanned result: Clean (file number:-1)
DBG Apr 16 [Link] [ MS-3573]: smtp_av_callback_batch: attache no = 0, name = /sdisk/spool//attach/0x1hGLkj-0004w0-D5-0, avresult = 0
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: DOSANDSTORM
INF Apr 16 [Link] [ MS-3573]: File '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0' , sandbox status: 'Eligible'
DBG Apr 16 [Link] [ MS-3573]: scan_file_for_virus(): Selected Filename: '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0'
DBG Apr 16 [Link] [ MS-3573]: decodeAnytoUtf(): string to decode = sandbox_test.exe
DBG Apr 16 [Link] [ MS-3573]: decoded subject : 'sandbox_test.exe'
DBG Apr 16 [Link] [ MS-3573]: scan_file_for_virus(): len='221' data=0x9876a40, filename='/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0' index='17'
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: Blocked
DBG Apr 16 [Link] [ MS-3573]: smtp_av_callback_batch: scan result for /sdisk/spool//attach/0x1hGLkj-0004w0-D5-0 attache_count = 0
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '32'
INF Apr 16 [Link] [1hGLkj-0004w0-D5]: Sandstorm result: Pending sha1: 84874922-00bb-4e08-8d2f-9a5cc1745151
DBG Apr 16 [Link] [ MS-3573]: validate_sandstorm_result: Attachement No. = 0, Name = '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0', Sandstorm result = Pending
DBG Apr 16 [Link] [ MS-3573]: Sanstorm Result = 'Pending'

Sophos Sandstorm
Log example for Sandbox eligible file detected smtpd_mail.log

While Sophos AV returned a "clean" result, the executable attachment was detected as Sandstorm "eligible". The sandboxd service took over, generated an ID for the file and transferred it to the pending folder on the storage.
INF Apr 16 [Link] [1hGLkj-0004w0-D5]: Sandstorm result: Pending sha1: 84874922-00bb-4e08-8d2f-9a5cc1745151
The smtpd service now polls constantly for an update, until a result is returned by sandboxd.
DBG Apr 16 [Link] [ MS-3573]: smtp_av_callback_batch: scan result for /sdisk/spool/input/work/[Link] attache_count = -1
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '38'
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: SANDBOX_CONTEXT_DATA- unhandled tlv
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '21'
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '0'
MSG Apr 16 [Link] [1hGLkj-0004w0-D5]: Sophos Antivirus Scanned result: Clean (file number:-1)
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '5'
MSG Apr 16 [Link] [1hGLkj-0004w0-D5]: Avira Antivirus Scanned result: Clean (file number:-1)
DBG Apr 16 [Link] [ MS-3573]: smtp_av_callback_batch: attache no = 0, name = /sdisk/spool//attach/0x1hGLkj-0004w0-D5-0, avresult = 0
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: calling process_mail with '4' state
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: matchcurrentpolicy: called 0
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: CONDITION
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: CONDITION
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: CONDITION
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: DOSANDSTORM
INF Apr 16 [Link] [ MS-3573]: File '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0' , sandbox status: 'Eligible'
DBG Apr 16 [Link] [ MS-3573]: scan_file_for_virus(): Selected Filename: '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0'
DBG Apr 16 [Link] [ MS-3573]: decodeAnytoUtf(): string to decode = sandbox_test.exe
DBG Apr 16 [Link] [ MS-3573]: decoded subject : 'sandbox_test.exe'
DBG Apr 16 [Link] [ MS-3573]: scan_file_for_virus(): len='221' data=0x9876a40, filename='/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0' index='17'
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: Blocked
DBG Apr 16 [Link] [ MS-3573]: process_callback(): callback processed. data='0x9876a50', index='16'
DBG Apr 16 [Link] [ MS-3573]: process request
DBG Apr 16 [Link] [ MS-3573]: have enough space
DBG Apr 16 [Link] [ MS-3573]: client_writer:written: 221 byte to av
DBG Apr 16 [Link] [ MS-3573]: Number of evetns 1
DBG Apr 16 [Link] [ MS-3573]: process_av_events(): write event 8
DBG Apr 16 [Link] [ MS-3573]: Number of evetns 1
DBG Apr 16 [Link] [ MS-3573]: process_av_events(): read event 8
DBG Apr 16 [Link] [ MS-3573]: process_av_events(): write event 8
DBG Apr 16 [Link] [ MS-3573]: client_reader:read '54' bytes
DBG Apr 16 [Link] [ MS-3573]: client_reader: got traveller with length '40'
DBG Apr 16 [Link] [ MS-3573]: smtp_av_callback_batch: scan result for /sdisk/spool//attach/0x1hGLkj-0004w0-D5-0 attache_count = 0
DBG Apr 16 [Link] [1hGLkj-0004w0-D5]: AV response tlv number: '32'
INF Apr 16 [Link] [1hGLkj-0004w0-D5]: Sandstorm result: Pending sha1: 84874922-00bb-4e08-8d2f-9a5cc1745151
DBG Apr 16 [Link] [ MS-3573]: validate_sandstorm_result: Attachement No. = 0, Name = '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0', Sandstorm result = Pending
DBG Apr 16 [Link] [ MS-3573]: Sanstorm Result = 'Pending'

Sophos Sandstorm
Log example for the smtpd service polls the Sandstorm result
DBG Apr 16 [Link] [ MPOLLER]: spx list is not updated
DBG Apr 16 [Link] [ MPOLLER]: Check sandbox result 'bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd' '6'
DBG Apr 16 [Link] [ MPOLLER]: Sandbox result Pending for bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd
DBG Apr 16 [Link] [ MPOLLER]: total sandstorm pending result(s) 1

DBG Apr 16 [Link] [ MPOLLER]: Check sandbox result 'bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd' '6'
DBG Apr 16 [Link] [ MPOLLER]: Sandbox result Clean for bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd
DBG Apr 16 [Link] [ MPOLLER]: change result '6' to '4'
MSG Apr 16 [Link] [ MPOLLER]: sandbox result found for '/VWQB8t-CadjXu-sh-D', moved to queue for further processing
DBG Apr 16 [Link] [ T_SMTPD-M]: events: 1
DBG Apr 16 [Link] [ T_SMTPD-M]: _enter in handle_inotify_event
DBG Apr 16 [Link] [ T_SMTPD-M]: ignore temp file 'VWQB8t-CadjXu-sh-H'
MSG Apr 16 [Link] [ T_SMTPD-M]: new mail queued, add to inqueue 'VWQB8t-CadjXu-sh-D'
DBG Apr 16 [Link] [ T_SMTPD-M]: read returned -1(Resource temporarily unavailable)
DBG Apr 16 [Link] [ T_SMTPD-W]: [SMTPD] smtpd write returned 27 bytes
MSG Apr 16 [Link] [ T_SMTPD-W]: Mail assigned to 'MS-3573' for scanning 'VWQB8t-CadjXu-sh-D'
DBG Apr 16 [Link] [ MS-3573]: Number of evetns 1
DBG Apr 16 [Link] [ MS-3573]: read event on smtpd 5
DBG Apr 16 [Link] [ MS-3573]: write event on smtpd 5

Sophos Sandstorm
Log example for the smtpd service polls the Sandstorm result

The smtpd service polls for the Sandstorm result until it returns as either clean or malicious. In this example, it is clean.

Afterwards, the smtpd service continues with either message delivery or takes the configured action for malicious AV results.

Virus-infected emails and emails found malicious by Sandstorm cannot be released from the SMTP quarantine.
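As an added example, not code from the handout or from Sophos, the following Python correlates the three kinds of smtpd_mail.log lines shown above (the scanning worker's "sandbox status: 'Eligible'" line, the per-message "Sandstorm result: Pending sha1:" line and the MPOLLER "Sandbox result ... for" lines) into one state per message, so a pending queue can be read off a log excerpt. The sample log is constructed: the timestamps and the second message are made up, while the field names, process tags and the first message's IDs are the ones printed on the page.

```python
import re

# Line shapes as they appear in the handout's smtpd_mail.log excerpts.
ELIGIBLE_RE = re.compile(r"\[\s*MS-\d+\]: File '(?P<path>[^']+)' , sandbox status: '(?P<status>[^']+)'")
SUBMIT_RE = re.compile(r"\[(?P<msgid>[^\]\s]+)\]: Sandstorm result: (?P<state>\w+) sha1: (?P<sid>[0-9a-f-]+)")
POLL_RE = re.compile(r"\[\s*MPOLLER\]: Sandbox result (?P<result>\w+) for (?P<sid>[0-9a-f-]+)")
ATTACH_RE = re.compile(r"/attach/0x(?P<msgid>[^/]+)-\d+$")   # the spool path carries the message id

# Constructed sample (timestamps and the second message are made up; the IDs of the first
# message and the "Malicious" verdict string are assumptions for the example).
SAMPLE_LOG = """\
INF Apr 16 10:15:03 [ MS-3573]: File '/sdisk/spool//attach/0x1hGLkj-0004w0-D5-0' , sandbox status: 'Eligible'
INF Apr 16 10:15:03 [1hGLkj-0004w0-D5]: Sandstorm result: Pending sha1: 84874922-00bb-4e08-8d2f-9a5cc1745151
INF Apr 16 10:15:41 [ MS-3574]: File '/sdisk/spool//attach/0x1hGLkm-0004w3-F2-0' , sandbox status: 'Eligible'
INF Apr 16 10:15:41 [1hGLkm-0004w3-F2]: Sandstorm result: Pending sha1: bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd
DBG Apr 16 10:15:50 [ MPOLLER]: Sandbox result Pending for 84874922-00bb-4e08-8d2f-9a5cc1745151
DBG Apr 16 10:15:50 [ MPOLLER]: total sandstorm pending result(s) 2
DBG Apr 16 10:19:40 [ MPOLLER]: Sandbox result Clean for 84874922-00bb-4e08-8d2f-9a5cc1745151
MSG Apr 16 10:19:40 [ MPOLLER]: sandbox result found for '/VWQB8t-CadjXu-sh-D', moved to queue for further processing
DBG Apr 16 10:21:05 [ MPOLLER]: Sandbox result Malicious for bc3d1277-d7ee-4dce-a64a-b1f6dcad39dd
""".splitlines()


def _record(state, msgid):
    return state.setdefault(msgid, {"sandbox_id": None, "state": "not-submitted", "attachments": []})


def track_sandstorm(lines):
    """Correlate each message's Sandstorm lifecycle across the scanning worker (MS-n) lines,
    the per-message 'Sandstorm result' line and the MPOLLER poll results.
    Returns {msgid: {"sandbox_id": ..., "state": ..., "attachments": [...]}}."""
    state, sid_to_msg = {}, {}
    for line in lines:
        m = ELIGIBLE_RE.search(line)
        if m:
            a = ATTACH_RE.search(m["path"])
            if a:
                rec = _record(state, a["msgid"])
                rec["attachments"].append(m["path"])
                if rec["state"] == "not-submitted":
                    rec["state"] = m["status"].lower()                    # "eligible"
            continue
        m = SUBMIT_RE.search(line)
        if m:
            rec = _record(state, m["msgid"])
            rec["sandbox_id"], rec["state"] = m["sid"], m["state"].lower()   # "pending"
            sid_to_msg[m["sid"]] = m["msgid"]
            continue
        m = POLL_RE.search(line)
        if m and m["sid"] in sid_to_msg:
            state[sid_to_msg[m["sid"]]]["state"] = m["result"].lower()     # "clean" / "malicious"
    return state


def pending_messages(state):
    """Messages smtpd is still holding while it polls for a Sandstorm verdict."""
    return sorted(k for k, v in state.items() if v["state"] in ("eligible", "pending"))


def delivery_decision(rec):
    """What smtpd does next, per the handout: deliver clean mail, apply the configured malware
    action to malicious mail (which cannot be released from SMTP quarantine), keep holding otherwise."""
    if rec["state"] == "clean":
        return "deliver"
    if rec["state"] == "malicious":
        return "configured malware action"
    return "hold: awaiting Sandstorm result"
```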

Sophos Sandstorm
Log example for the file eligible result in the Anti-Virus log ([Link])
2016-12-14 [Link] :[INFO] 0 sophos__scanfile: SweepFile(/sdisk/mail_cache/eml/[Link])
2016-12-14 [Link] :[INFO] 3 sophos__scanfile: File scan result : 0
2016-12-14 [Link] :[INFO] 3 sophos__scanfile: send_file_to_sandbox : 1
2016-12-14 [Link] :[INFO] 3 sophos__scanfile: write eligible log and check excluded file types for component: EMAIL

Sophos Sandstorm
Log example for the file eligible result in the Anti-Virus log ([Link])

Log line: 2016-12-14 [Link] :[INFO] 3 sophos__scanfile: write eligible log and check excluded file types for component: EMAIL
Description: Confirms that the file has been identified by the mail proxy.

AwarrenSMTP (Legacy mode)

[Figure: AwarrenSMTP Packet Flow diagram. Recoverable steps and decision points: (1) Mail client opens a new SMTP connection; SMTP traffic marked for filtering is submitted to the awarrenSMTP daemon. (2) EHLO message exchange; unsupported ESMTP capabilities are filtered by the proxy and forwarded to the MUA. (3) "Is Bypass SPAM check for SMTP Authentication sessions enabled?"; "Is Verify sender IP reputation enabled in AS configuration?"; "Is Source IP added to spam check exception list?"; communication with the CTIPD engine and acceptance of the CTIPD result; REJECT (notification is sent). (4) Client starts sending data; proxy writes the content to a temp file in the /var/tmp/tmp directory. (5) "Mail size exceeds configured limit?": Drop / Silent drop, or Reject / Tmpreject sent to the client and the connection closed. Antivirus scan, then Antispam scan (CTIPD or SXL result); configured ACTION taken for virus content. (6) Email rejected or dropped due to spam is reported to Garner. (7) Proxy sends data to the mail server, checks for email journaling, and frees the SMTP session in the proxy.]

AwarrenSMTP Packet Flow

Awarrensmtp is the module that mainly takes care of filtering email messages for virus and spam content over the SMTP protocol. It includes external communication with the mail client and server, and internal communication with the Anti Virus engine (AVIRA) for virus infection, the Anti Spam engines (CTASD & CTIPD) for spam and virus outbreak classification of the email message, and the logging daemon (Garner) for reporting purposes. The Awarrensmtp service runs on TCP port 25.

• A new TCP connection commences the SMTP transaction, since it opens it for an inbound SMTP mail relay.
• When SMTP mail traffic is classified as marked for filtering, it is handed over to the AwarrenSMTP daemon to start the pre-requisite checks.

Antivirus scan: Mail is submitted for antivirus scanning. Clean mail is forwarded for anti-spam verification; infected mail is not forwarded for anti-spam verification. Mail is delivered or dropped as per the configuration.
Antispam scan: Virus-clean mail is verified against the anti-spam configuration and forwarded to the proxy for a decision.
The proxy acts and continues as per the result provided.

Mail Server sends Greeting Message

SMTP Traffic marked for Filtering and Submit to Awarren daemon

The objective of the Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and efficiently.

EHLO message exchange - as designed in RFC 2821:

The main identification feature is for ESMTP clients to open a transmission with the command EHLO (Extended HELLO), rather than HELO (Hello, the original RFC 821 standard). An ESMTP server returns the code 250 OK in a multi-line reply with its domain and a list of keywords that indicate supported extensions. An RFC 821 compliant server returns error code 500, allowing ESMTP clients to try either HELO or QUIT.

IP Reputation

CTIPD Engine
spam classifications, URL categorization, and malware detection

Unsupported ESMTP

Sophos Anti Spam detects spam mail by checking IP addresses, domains, email addresses or RBLs (Real-time Blackhole Lists). Sophos allows administrators to whitelist or blacklist email addresses. Emails from whitelisted email addresses bypass Anti Spam scanning, while emails from blacklisted addresses are blocked.
This article describes how you can create a whitelist and a blacklist and use them to allow or block emails.

Whitelist
Create an Address Group called "Whitelist" consisting of the email addresses whose emails are to bypass Anti Spam scanning.

Blacklist
Create an Address Group called "Blacklist" consisting of the email addresses whose emails are to be blocked.

Starting SMTP connection

When using awarrenSMTP, it is recommended to:

• Set the logging to debug. This is done by running the command:
• AwarrenSMTP: #service awarrensmtp:debug -ds nosync

• The log entries are populated roughly as below; each is described by keyword, log entry and description:

To start with:

new_smtp_session: This starts the AwarrenSMTP process by showing the new_smtp_session. This means that a new email is earmarked for the domain being protected by XG.

new_smtp_session: (fd:19) [Link]:4027 == SMTP ==> (fd;20) [Link]:25

Server greeting message: The SMTP service that answers the inbound SMTP request generates the server greeting. This is fine, but some organizations suppress the SMTP banner, since it reveals which service, product and port are open.

SER < 220 [Link] Microsoft ESMTP MAIL Service ready

EHLO: EHLO or Extended Hello is a part of the ESMTP commands or service [Link] The EHLO command provides flexibility and is supported by the majority of SMTP servers around the world.

CLI < EHLO

MAIL FROM: This simply specifies the email address or account of the message sender.

SER > MAIL FROM:<[Link]@[Link]>

RCPT-TO-SMTP: The recipient or receiver of the email message.

SER > RCPT TO: <janedoe@[Link]>

Command AUTH completed: This signifies that the SMTP proxy processing the inbound email has successfully verified and authenticated the recipient's email address or its UPN (User Principal Name). This is normally the email address of the recipient if the environment uses Microsoft Windows Active Directory.

SER < 235 2.7.0 Authentication successful

authorization successful Command 'AUTH' completed

DOCTIPDSCAN: The keyword in this SFOS entry is the presence of CTIPD, which is the Cyren scanning component. Using handle_ctipd_requests:scan it checks the source IP address of the inbound email message and provides an X-CTCH message header with a corresponding RefID. This classifies whether the email source is CLEAN or MALICIOUS.

DOCTIPDSCAN
handle_ctipd_requests:scan:[Link]
handle_ctipd_requests:IN event on ipd_sfd
But is x-ctch-request-id:999
x-ctch-refid:rid=0001.0A150302.529C36D5.0053
ctipd_callback: result for [Link] is CLEAN

For the mail size, this depends on the maximum email size configured in the SFOS UI. Note that in this example the maximum size of 4096 or 4MB has been exceeded, hence the terminal or final action for the email is drop. The drop action means that the SMTP connection is terminated and no part of the email, whether header, body or attachment, is saved. Another point to be clear about is that the mail size setting includes the attachment. Why?

Because RFC 2822, and RFC 5322 which superseded it, dictate that the attachment is folded into, i.e. included in, the email BODY.
RFC 2822
[Link]

RFC 5322
[Link]

ss->mail_size = 5344
mail oversized:exceeds 4096 bytes
CLI > 221 Oversized mail dropped

Trigger the DOVIRUSSCAN action

This is performed on the email, which is temporarily placed in the /var/tmp/ox20000018 directory. This is done because an AV engine and its corresponding pattern files cannot scan any message until its header (mail header) and body (details) are placed in a physical file.

DOVIRUSSCAN
processing '/var/tmp/ox200000018'

The next stage is the keyword result:clean. In this example, the sample test resulted in the CLEAN action successfully removing malware or verifying that the email is free from any malware. Checking the log entry for this row, it displays:

DOFILTER: Filter action triggered to perform malware scanning.
do_filter:globalsignature: uses the AV signatures downloaded for either Avira, Sophos or BOTH.
SCANCONTENT: calls the scanning component that is enabled. For AV scanning it goes to the AV component, and you can see that both TFT and DLP (Data Loss Protection) are set to zero (0) since they are not triggered at this stage.
handle_clean(): Scanned result:clean: as stated, the email is CLEAN and no malware was found, or it was successfully removed.

DOFILTER
do_filter:globalsignature
SCANCONTENT AV:1 TFT:0 DLP:0
handle_clean(): Scanned result:clean

BLOCKED is the other way around for this scenario. Instead of a CLEAN email or action, malware was detected in the email, and should the CLEAN action not succeed, the BLOCKED action is triggered to ensure that the recipient and organization are protected from POSSIBLE INFECTION.

DO FILTER
do_filter:globalsignature
SCANCONTENT AV:1 TFT:0 DLP:0
client_writer:written:33 byte to av
scan_file_for_virus():len='19' data=9xea600468, filename='var/tmp/0x20000005b' index ='23'
BLOCKED

DLP (Data Loss Prevention) prevents leaks of sensitive or confidential organizational data. It is now standard for many companies, whether government, private corporations or even start-ups.
When DLP is ENABLED, SFOS takes its cues from the CCL (Content Control List), which is either the default template downloaded from SophosLabs or a customized CCL tailored to the customer's organization.
Typical data points in a CCL are Social Security Numbers and credit card numbers, which use the standard lengths of 15 digits (AMEX) or 16 digits (JCB/VISA/MASTERCARD).

SCANCONTENT AV: 0 TFT:0 DLP:1; CCL's matched; DODLP Action; compared_matched_ccl(); if condition
TRUE; ACCEPT

The keywords logged by AwarrenSMTP when DLP actions are applied are:
ACCEPT: the CCL conditions evaluated TRUE but the configured action is ACCEPT, so the email is tagged and delivered.
REJECT & DROP share the same final action, which is to QUARANTINE the outbound email in the Qbin directory. The difference is that REJECT generates a notification and sends it to the SENDER, while DROP simply drops the connection and generates no notification.

SCANCONTENT AV: 0 TFT:0 DLP:1; CCL's matched; compared_matched_ccl();


Quarantine file path'Qbin.1/20x200000027_0'; REJECT

SCANCONTENT AV: 0 TFT:0 DLP:1; CCL's matched; compared_matched_ccl();


Quarantine file path'Qbin.1/20x200000027_0'; DROP

ACCEPT with SPX adds a layer of security by converting the email into an SPX-encrypted PDF protected with a randomly generated password (generate_random_password and save_pdf in the log), while a copy is quarantined. This is useful when the sender needs to retrieve a message that turned out to be a FALSE POSITIVE.

Accept with SPX; SCANCONTENT AV: 0 TFT:0 DLP:1; DODLP Action


compared_matched_ccl(); if condition TRUE; QUARANTINE
Quarantine file path'Qbin.1/20x200000027_0'; ACCEPT
generate_random_password; save_pdf:pdf name '/var/tmp/[Link]
save_pdf:attach name '/var/tmp/[Link]

Performing the spam check using the Cyren ct_spamcheck classification handler.

This uses the CTASD engine, queried on port 8088 for INBOUND mail and port 8089 for OUTBOUND mail. When a message is processed by Cyren, the X-CTCH headers (Spam, RefID and Score) are also added to the mail headers.

DOIBSCAN


ct_spamcheck:executing spamcheck on 8088 port


X-CTCH-Spam
X-CTCH-RefID
X-CTCH-Score

Once the mail headers are stamped, a REFERENCE LOOKUP is performed against the configured RBL (Real-time Blackhole List) zones, SpamCop in this example, to verify that the INBOUND email comes from a sending IP address that is not listed. The lookup is a DNS query for the reversed sender IP under the RBL zone, so the firewall needs working outbound DNS for this stage.

DORBLCHECK
do_rblcheck:looking out for '[Link].[Link]'
rblcheck_done:host [Link].[Link] seems clean

Queued mail for delivery is the queuing process in which all CLEAN & VERIFIED email messages, with or without attachments, are held while being delivered to the DOWNSTREAM MTA. The downstream MTA can be an on-premises mail server such as Microsoft Exchange or IBM Domino, or a hosted service such as Google Apps or Office 365.

SER < 250 250 2.6.0


<05E401DIIE30$3AB52940$B97GBC0$@janedoe@[Link]>[internalid=23428493762]Queued mail
for delivery

free_smtp_session:done signifies that the INBOUND email has been completely processed and handed over by SFOS to the DOWNSTREAM MTA. The SMTP session for this email is freed, completing the SMTP cycle.

CLI < QUIT


QUIT ' len:6
Freeing server 20
free_smtp_session:done
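The walkthrough above reads one message's log lines by hand. As an added example, not code from the Sophos handout or from awarrensmtp, the following Python script does the same mechanically: it groups lines by the bracketed session ID, records which pipeline stages (DOVIRUSSCAN, DOFILTER, SCANCONTENT, DODLP, DOIBSCAN, DORBLCHECK) a message reached, captures the AV/TFT/DLP flags, the quarantine path and the terminal keyword, and reports where each message stopped. The sample log lines are constructed to follow the layout shown in this module; the timestamps, session IDs and the RBL zone name in them are made up.

```python
"""Added example (not from the SFOS handout): rebuild a message's path through the
awarrensmtp pipeline from debug log lines, so you can see at which stage it
stopped and with which verdict. The log lines below are constructed to follow
the layout shown in this module (LEVEL Mon DD HH:MM:SS [session-id]: message);
timestamps, session IDs and the RBL zone name are made up.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<sid>[^\]]+)\]:\s*(?P<msg>.*)$"
)
SCAN_RE = re.compile(r"SCANCONTENT AV:\s*(?P<AV>\d) TFT:\s*(?P<TFT>\d) DLP:\s*(?P<DLP>\d)")
QUAR_RE = re.compile(r"Quarantine file path\s*'([^']+)'")

# Pipeline stages in the order the walkthrough shows them.
STAGES = ("DOVIRUSSCAN", "DOFILTER", "SCANCONTENT", "DODLP", "DOIBSCAN", "DORBLCHECK")
# Terminal keywords that appear as a line on their own.
TERMINAL = ("BLOCKED", "ACCEPT", "REJECT", "DROP")

SAMPLE_LOG = """\
INFO Dec 02 10:15:01 [0x20000018]: DOVIRUSSCAN
INFO Dec 02 10:15:01 [0x20000018]: processing '/var/tmp/0x20000018'
INFO Dec 02 10:15:01 [0x20000018]: DOFILTER
DEBUG Dec 02 10:15:01 [3076545424]: do_filter:globalsignature
INFO Dec 02 10:15:02 [0x20000018]: SCANCONTENT AV:1 TFT:0 DLP:0
INFO Dec 02 10:15:02 [0x20000018]: handle_clean(): Scanned result:clean
INFO Dec 02 10:15:02 [0x20000018]: DOIBSCAN
INFO Dec 02 10:15:02 [0x20000018]: ct_spamcheck:executing spamcheck on 8088 port
INFO Dec 02 10:15:03 [0x20000018]: DORBLCHECK
INFO Dec 02 10:15:03 [0x20000018]: rblcheck_done:host 5.2.0.192.rbl.example seems clean
INFO Dec 02 10:15:04 [0x20000018]: <msg@example.test>[internalid=1] Queued mail for delivery
INFO Dec 02 10:15:04 [0x20000018]: free_smtp_session:done
INFO Dec 02 10:16:10 [0x2000001c]: DOVIRUSSCAN
INFO Dec 02 10:16:10 [0x2000001c]: DOFILTER
INFO Dec 02 10:16:10 [0x2000001c]: SCANCONTENT AV:1 TFT:0 DLP:0
INFO Dec 02 10:16:11 [0x2000001c]: BLOCKED
INFO Dec 02 10:17:30 [0x20000027]: SCANCONTENT AV: 0 TFT:0 DLP:1
INFO Dec 02 10:17:30 [0x20000027]: CCL's matched
INFO Dec 02 10:17:30 [0x20000027]: DODLP Action
INFO Dec 02 10:17:30 [0x20000027]: Quarantine file path 'Qbin.1/0x20000027_0'
INFO Dec 02 10:17:30 [0x20000027]: REJECT
this line is not in log format and is skipped
"""


def parse_line(line: str):
    """Split one log line into its fields, or return None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_session() -> dict:
    return {"stages": [], "scan": {}, "av_result": None, "verdict": None,
            "quarantine": None, "queued": False, "freed": False}


def summarize(lines) -> "OrderedDict[str, dict]":
    """Group lines by session ID and record stages, scan flags and terminal actions.

    Lines tagged with a numeric thread ID instead of a session ID (such as the
    do_filter debug output) are kept under that tag and do not join a session.
    """
    sessions = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["sid"], new_session())
        msg = rec["msg"]
        stage = msg.split(":", 1)[0].split(" ", 1)[0]
        if stage in STAGES and stage not in s["stages"]:
            s["stages"].append(stage)
        m = SCAN_RE.search(msg)
        if m:
            s["scan"] = {k: int(v) for k, v in m.groupdict().items()}
        if "Scanned result:" in msg:
            s["av_result"] = msg.rsplit(":", 1)[1].strip()
        if msg in TERMINAL:
            s["verdict"] = msg
        m = QUAR_RE.search(msg)
        if m:
            s["quarantine"] = m.group(1)
        if "Queued mail for delivery" in msg:
            s["queued"] = True
            s["verdict"] = s["verdict"] or "ACCEPT"
        if msg == "free_smtp_session:done":
            s["freed"] = True
    return sessions


def disposition(s: dict) -> str:
    """One-line reading of where a session ended up."""
    if s["verdict"] == "BLOCKED":
        return "blocked by AV"
    if s["quarantine"]:
        return f"quarantined ({s['verdict']}) -> {s['quarantine']}"
    if s["queued"]:
        return "accepted, queued for delivery"
    if not s["freed"]:
        return "no terminal action logged (session still open or log truncated)"
    return "session closed without delivery"


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG.splitlines()).items():
        last = s["stages"][-1] if s["stages"] else "-"
        print(f"{sid}: stages={'>'.join(s['stages']) or '-'} scan={s['scan']} "
              f"last={last} av={s['av_result']} -> {disposition(s)}")
```

Run it against a real capture with `summarize(open(path).readlines())`; a session whose disposition reads "no terminal action logged" is the one to look at first, since it either never reached a terminal keyword or the log was rotated while it was open.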


AwarrenSMTP Packet Flow: Proxy Drops

[Flowchart (antivirus path); only the recoverable text is kept.] Connection → rule matching based on the FROM & TO email address → is AV/AS scanning enabled in the rule? If no: no further processing. If yes: the proxy acts on the result of the AV & AS scans. Antivirus branch: if a block-type file filter is applied in the rule, apply the file-type-based filter to attachments; submit the email to the Sophos/Avira engine for virus scanning. Response from scan: AV clean → deliver. Infected → mail body replaced & prefix added, attachment removed & header added; then remove & deliver, deliver original, or don't deliver, as configured. If quarantine is enabled in the rule → copy to the quarantine area. Notify administrator & receiver. If "notify sender" is enabled → send a notification to the sender about the mail not being delivered.
AwarrenSMTP Packet Flow

Antivirus
• Avira: maximum performance (efficient SMTP security processing, fewer resources used)
• Dual scanning: maximum security (thorough scanning by both engines, but more resources consumed, hence slower; this can affect performance especially during high-traffic mail situations such as bulk emails)


AwarrenSMTP Packet Flow: Antispam

[Flowchart (antispam path); only the recoverable text is kept.] Inbound antispam engine scan: inbound CTASD engine over HTTP port 8088. Outbound antispam engine scan: outbound CTASD engine over HTTP port 8089. Email classification: SPAM, PROBABLE SPAM, VIRUS OUTBREAK, PROBABLE VIRUS OUTBREAK. Antispam rule matching based on the FROM & TO email address → sender IP address matched against the IP group → sender IP reputation verified against RBLs & the Trusted IP list → email size comparison → MIME header comparison (Subject, From, To, etc.) → Cyren header added → SMTP action applied: REJECT (notify the sender), DROP (silently drop), ACCEPT, PREFIX CHANGE, RECIPIENT CHANGE, Accept with SPX. Is quarantine enabled? Yes → quarantine area. Then the proxy transfers the data to the mail server, checks for email archiving and frees the SMTP session.

AwarrenSMTP Packet Flow

Antispam

The topmost action that triggers antispam scanning is Anti-Spam rule matching, which is based on the ACTUAL SENDER & RECIPIENT EMAIL ADDRESS. Once the top-level action is triggered, the scan flow below is performed from LEFT to RIGHT in the diagram.
• Antispam scanning is performed by CTASD on port 8088 for INBOUND and port 8089 for OUTBOUND mail. Separate ports keep inbound and outbound traffic on separate engine instances, so each is processed in the most economical and efficient way.
• Once the email is identified as INBOUND or OUTBOUND, the SOURCE IP ADDRESS is matched against the IP GROUP.
• For INBOUND mail, the sender IP address is further checked against the RBLs & Trusted IP list. The purpose is to ensure that:
  ü the connecting IP address is a legitimate mail source and not SPOOFED, and
  ü the sender IP reputation is CLEAN and NOT LISTED IN ANY RBL (examples are [Link], [Link], [Link], [Link] and [Link])
• The email size is checked against the maximum mail size configured in SFOS. This protects against DoS/DDoS-style email attacks, which often carry huge attachments until the mail server's FREE DISK SPACE is exhausted; that takes the mail server down and prevents the organization from sending or receiving email.
• The MIME headers are checked for completeness. Header fields such as SUBJECT, FROM and TO are an important part of the message (they are distinct from the SMTP envelope sender and recipients); missing or malformed headers are a common sign of SPOOFED or SPAM email.
• For OUTBOUND emails there is special emphasis on DLP (Data Leak Protection), which ensures that CONFIDENTIAL and SENSITIVE information is NOT DISCLOSED or DISTRIBUTED to the PUBLIC. Social Security numbers, passport numbers and 15, 16 and 19-digit credit card numbers are a few of the IMPORTANT DATA types addressed by the CCL templates or a customized CCL configured in SFOS.
• Finally, the SPX action is applied with a RANDOMLY GENERATED PASSWORD, so that if an email is QUARANTINED but needs to be retrieved, an additional security layer is in place.
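The DLP walkthrough earlier in this section (CCL matching, then ACCEPT, REJECT, DROP or Accept with SPX) and the outbound DLP bullet above describe the same check. As an added example, not code from the Sophos handout and not a reproduction of the SophosLabs CCL templates, the following Python script implements a minimal CCL of the kind the DODLP stage evaluates, with a Luhn check so that order numbers that merely look like card numbers do not match, and maps a match to the outcome each action produces. The detectors, the threshold, the sample message body and the two test card numbers are constructed for illustration.

```python
"""Added example (not from the SFOS handout): a minimal Content Control List (CCL)
check of the kind the DODLP stage performs, applied to outbound message text,
followed by the action mapping described in this module (ACCEPT, REJECT, DROP,
Accept with SPX). The detectors, thresholds and sample message are constructed
for illustration; the firewall's own CCL templates are not reproduced here.
"""
import re
import secrets
from dataclasses import dataclass

# 15 to 19 digits, each optionally followed by a space or hyphen, not embedded in a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding the ranges that are never issued
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers and phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Card numbers of 15 (AMEX), 16 (Visa/Mastercard/JCB) or 19 digits that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in (15, 16, 19) and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


@dataclass
class CCL:
    name: str
    detectors: dict        # label -> callable(text) -> list of hits
    threshold: int = 1     # minimum total hits before the list counts as matched


def match_ccl(text: str, ccl: CCL) -> dict:
    hits = {label: fn(text) for label, fn in ccl.detectors.items()}
    count = sum(len(v) for v in hits.values())
    return {"ccl": ccl.name, "matched": count >= ccl.threshold, "hits": hits}


def dlp_decision(matched: bool, action: str) -> dict:
    """Map a CCL match and the configured action to what happens to the message."""
    if action not in ("ACCEPT", "REJECT", "DROP", "ACCEPT_WITH_SPX"):
        raise ValueError(f"unknown DLP action {action!r}")
    if not matched or action == "ACCEPT":
        # no match, or matched but the rule only tags: deliver as-is
        return {"verdict": "ACCEPT", "deliver": True, "quarantine": False,
                "notify_sender": False, "spx_password": None}
    if action in ("REJECT", "DROP"):
        # both quarantine the outbound mail; only REJECT tells the sender
        return {"verdict": action, "deliver": False, "quarantine": True,
                "notify_sender": action == "REJECT", "spx_password": None}
    # Accept with SPX: keep a quarantine copy and deliver as a password-protected SPX PDF
    return {"verdict": "ACCEPT", "deliver": True, "quarantine": True,
            "notify_sender": False, "spx_password": secrets.token_urlsafe(12)}


FINANCIAL_CCL = CCL("financial-data", {"card": find_cards, "ssn": find_ssns})

# Constructed outbound message body: two valid test card numbers, one order reference
# that looks like a card but fails Luhn, and one SSN-shaped value.
SAMPLE_BODY = ("Hi, please bill card 4111 1111 1111 1111 (exp 12/29) and the AMEX "
               "378282246310005. Order ref 1234 5678 9012 3456. Employee SSN 123-45-6789.")

if __name__ == "__main__":
    result = match_ccl(SAMPLE_BODY, FINANCIAL_CCL)
    print(result)
    for action in ("ACCEPT", "REJECT", "DROP", "ACCEPT_WITH_SPX"):
        print(action, dlp_decision(result["matched"], action))
```

The Luhn step is what keeps the false-positive rate tolerable: the order reference in the sample is sixteen digits long and is still ignored. The random SPX password comes from `secrets`, not `random`, for the same reason the firewall logs `generate_random_password` as a separate step: the password is the only thing standing between the quarantined copy and anyone who obtains the PDF.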

For the Spam Classification, Cyren returns one of the following:
• SPAM: the email is classified as spam based on the number of hits on keywords and patterns present in the email.
• PROBABLE SPAM: the email might be spam but needs further verification.
• VIRUS OUTBREAK: the email contains a virus or other form of MALWARE that is currently spreading through email.
• PROBABLE VIRUS OUTBREAK: the email appears to carry malware that is spreading, but the outbreak has not yet reached critical proportions, so it is tagged PROBABLE.

POSSIBLE SMTP ACTIONS are TERMINAL ACTIONS performed by SFOS on emails arriving via SMTP. Terminal means that once the email message and/or attachment is found MALICIOUS, the BEST-MATCHING FILTER ACTION is applied, the email is disposed of accordingly and the remaining scanning ACTIONS are SKIPPED.

The possible SMTP actions are:

• REJECT: SFOS refuses to relay the INBOUND or OUTBOUND email and generates a NOTIFICATION indicating that the REJECT ACTION was applied. For internal users this is fine, but for INBOUND email it is BEST PRACTICE to use DROP instead: a rejection notice confirms to an unknown sender that the address exists and that filtering is in place, and notifications sent to forged sender addresses become backscatter.
• DROP: Drop is the preferred action, especially for INBOUND email, since it provides additional security by generating no notification. Some organizations, especially those prone to FALSE POSITIVES, request REJECT instead of DROP, but that is decided case by case.
• ACCEPT: the email is tagged as CLEAN and handed over to the mail queue for delivery to the DOWNSTREAM or UPSTREAM MTA.
• PREFIX CHANGE: modifies the SUBJECT PREFIX based on the scan result.
• CHANGE RECIPIENT: normally used for emails that are INFECTED but contain important information required by the organization, or for SENSITIVE INFORMATION transmitted OUTBOUND that has to be re-routed.

Note: spam rule traversal follows a top-to-bottom approach; the first matching rule wins.


AwarrenSMTP
Service and log files
• Log file is /log/[Link]
• The awarrensmtp daemon can be started, stopped and restarted using the advanced shell
• Switch to debug mode for troubleshooting

# service awarrensmtp:status -ds nosync
200 RUNNING

# service -S | grep awarren*
awarrensmtp RUNNING,DEBUG

# service awarrensmtp:debug -ds nosync
200 OK

AwarrenSMTP
Service and log files

The awarrensmtp service processes email that passes through the SMTP protocol. Confirm that it is running with:
# service awarrensmtp:status -ds nosync

A reply of 200 RUNNING (200 OK for the debug command) means the awarrensmtp daemon is running correctly.

• In legacy mode, if an email has more than 20 recipients it is delivered to the first 20 recipients only. If that happens, or if you need failed deliveries to be retried in legacy mode, enable Fast ISP mode:
  console> set service-param SMTP fast-isp-mode on
• The Fast ISP mode setting survives firmware upgrades.
• In legacy mode, if greylisting is enabled on the receiving server, mail is rejected, because legacy mode does not retry. When a send fails, the legacy proxy generates a notification to the sender instead. Greylisting expects the temporary failure to be retried, but the proxy gives up after logging: "451 Temporary local problem, please try again!"
• If a mail has multiple recipients, the first policy rule that matches applies to all recipients. For example:
  rule1 for yahoo with spam scanning enabled
  rule2 for gmail with spam scanning disabled
  If the mail has both yahoo and gmail recipients, rule1 matches first, so the spam scan is applied to both recipients.
• With Fast ISP mode, SPX works only partially: only the sender-generated and one-time generated password methods are supported.

The command switch format is the same as for other SFOS daemons and processes. For example, to enable debug:
# service awarrensmtp:debug -ds nosync
This command breaks down as follows:
• service instructs a process or daemon to perform a specific function
• awarrensmtp is the name of the Legacy SMTP process (daemon)
• debug is the task the daemon is asked to perform. Here it raises the log level from normal to verbose, which provides detailed logging for isolation, audit and debugging purposes.
Note:
Only set the daemon to debug when needed. If SFOS is running in DEBUG mode and no troubleshooting is required, use the same command to disable it, because verbose logging costs CPU and fills the log partition. -ds nosync is used if the customer has a single firewall device. If the customer runs SFOS in HA (High Availability), either Active/Passive or Active/Active, remove nosync, which stands for No Synchronization, since synchronization is required when HA is deployed. Start, stop and restart are used when troubleshooting or ensuring that the service is running.

You can also place awarrenSMTP into advanced debug with the following commands:

# ps | grep awarrensmtp
The result gives the PID of awarrensmtp. Then issue "kill -40 <pid_of_awarrensmtp>", which toggles the awarrensmtp service into maximum debug mode. You can verify this from the awarrensmtp logs:

# grep Toggling /log/[Link]
MESSAGE Nov 25 [Link] [4152280512]: Toggling log level to: MAX

Because the signal toggles the log level, send it again to return to the normal level once troubleshooting is complete.

Awarrensmtp communicates with the inbound and outbound CTASD engines over TCP ports 8088 and 8089 respectively, using the HTTP protocol, for spam and virus outbreak classification of email messages. The CTASD daemon first consults its local cache and contacts the Cyren data center only when needed, so the firewall must be able to reach Cyren for classification of uncached messages to work.

# netstat -anep | grep 25


tcp 0 0 :::25 :::* LISTEN 0 3663209 15152/awarrenSMTP

# netstat -anep | grep 8088


tcp 0 0 [Link]:8088 [Link]:* LISTEN 0 4014182 19706/[Link]

# netstat -anep | grep 8089


tcp 0 0 [Link]:8089 [Link]:* LISTEN 0 3998061 19704/[Link]


Troubleshooting AwarrenSMTP
Virus attachment is not detected

1. Verify that AV scanning is configured for the SMTP/SMTPS firewall rule
2. Verify the configured virus outbreak action
3. Verify the email header shows "X-Sophos-AV-Policy"
4. Verify the antivirus rules are configured for "Infected" and "Suspicious"
5. Verify the "X-Sophos-smtpxy-version" header
6. Verify the "Don't scan email greater than" configuration in General settings

Troubleshooting the legacy proxy

Virus attachment is not detected

• Verify that AV scanning is applied on the firewall rule through which the email traffic passes (SMTP & SMTPS).
• Verify that the default Anti-Spam rule for "Virus Outbreak" is configured properly with SMTP/SMTPS and POP3/IMAP actions.
• Verify that the email header "X-Sophos-AV-Policy" is present, which shows that the mail was scanned by the antivirus engine.
• Verify that the antivirus rules are configured properly for "Infected" and "Suspicious" emails.
• Verify the "X-Sophos-smtpxy-version" header to ensure that the latest signature pattern versions are in use.
• Verify the "Don't scan email greater than" configuration. In PROTECT > Email > General settings, check whether a limit on the size of email to be scanned is configured and what action is applied when that size is exceeded.

We recommend setting the size to '0', which scans messages up to 50 MB, and setting the action for oversized emails to 'Reject'. This ensures that every email is either scanned for viruses or rejected; with a size limit and an accept action for oversized mail, an oversized message bypasses scanning.

Addition of Sophos SMTP Proxy Header for version information


INFO Dec 02 [Link] [3076545424]: add header: ‘X-Sophos-smtpxy-version: [Link]’


Email Signature addition if any.


INFO Dec 02 [Link] [0x20000018]: DOFILTER
DEBUG Dec 02 [Link] [3076545424]: do_filter: globalsignature
DEBUG Dec 02 [Link] [3076545424]: Going to wait for event on rfd
INFO Dec 02 [Link] [0x20000018]: smtp_av_callback_batch: avresult: 'AV_CLEAN'
INFO Dec 02 [Link] [0x20000018]: smtp_av_callback_batch: calling MP
DEBUG Dec 02 [Link] [0x20000018]: matchcurrentpolicy: called 0

Block File Types filter


INFO Dec 02 [Link] [0x20000018]: DOFILTER
DEBUG Dec 02 [Link] [3076545424]: do filter: 7_filter

Adding one more header for Sophos SMTP AV Policy / Rule


INFO Dec 02 [Link] [3076545424]: add_header: ‘X-Sophos-AV-Policy: default'

If an attachment is not being blocked, check the MIME type of the file that is not being scanned (check from [Link]).

POP-IMAP Proxy

• The warren service manages the virus and spam filtering of emails received using the POP/IMAP protocols
• Uses TCP ports 109 (POP3) and 142 (IMAP4)
• Sends event logs of virus/spam scan results to garner for reporting & troubleshooting purposes

POP-IMAP Proxy

• The warren service handles the antivirus and anti-spam filtering of email received using the POP/IMAP protocols.
• This includes communication with the client application, the mail server, the Avira antivirus engine, the Commtouch Advanced Security Daemon [CTASD], the Commtouch IP Reputation Daemon [CTIPD] (Commtouch is Cyren's former name) and the firewall (ipset). The warren service listens on TCP ports 109 for POP3 and 142 for IMAP4; these are the proxy's own ports, not the standard client ports 110 and 143 on which the intercepted traffic arrives.
• Moreover, warren sends event logs of virus/spam scanning results to the garner logging daem on for reporting & troubleshooting purposes.
• Sophos Firewall automatically applies the default POP-IMAP scan policy (default-pop-av) to POP3/S and IMAP/S traffic, which strips virus-infected attachments from inbound emails and replaces the message body with a notification message.


Troubleshooting POP-IMAP Proxy


Verifying warren service and communication

# service warren:status -ds nosync


200 RUNNING

# netstat -natupl | grep warren | grep LISTEN


tcp [Link]:109 [Link]:* LISTEN 2314/warren
tcp [Link]:142 [Link]:* LISTEN 2314/warren

# ls -lah /log/[Link]
-rw-r--r-- 1 root 197.3K Nov 20 21:43 [Link]

POP-IMAP Proxy
Verifying the warren service and communication

Warren service commands: status, debug, stop, start, restart

# service warren:status -ds nosync
200 RUNNING

Warren listens on TCP ports 109 and 142 for POP3 and IMAP respectively:
# netstat -anep | grep warren | grep LISTEN
tcp 0 0 [Link]:109 [Link]:* LISTEN 0 56382 4717/warren
tcp 0 0 [Link]:142 [Link]:* LISTEN 0 56383 4717/warren

Log file location: /log/[Link]


Quarantine
File location
• Quarantined messages & attachments are stored in /var/quarantine/Qbin.x
• The size of the quarantine area can be set to 5 GB, 10 GB or 15 GB from the UI
• Each Qbin directory has a size of 100 MB
  o Once that size is reached, a new Qbin directory is created with the same setup

# ls -l /var/quarantine/
drwxr-xr-x 2 root 0 4096 Dec 9 09:44 Qbin.1

# ls -l /var/quarantine/Qbin.1/
-rw-r--r-- 1 root 0 3389 Jun 02 12:31 0x2000000b
-rw-r--r-- 1 root 0 2652 Jun 02 16:29 0x2000000f
-w------- 1 root 0 0 Jun 02 09:44 1

Quarantine
File location

The quarantine listing shows only the last 7 days of quarantined mail. Even though the messages are stored on the appliance, on-box reporting must be enabled for the quarantine mail listing to be populated.

Emails stay in the Sophos Firewall quarantine area until 90% of it is filled. Beyond 90%, Sophos Firewall checks the quarantine space on each newly quarantined mail and, if the quarantine limit is exceeded, removes the oldest quarantined mails.

The Quarantine Digest is an email listing the messages that Sophos Firewall has filtered into the user's Quarantine Area. Once configured, the digest is generated and sent to the user at the configured frequency. It provides a link to the User Portal (My Account) where the user can view their quarantined messages and take the necessary actions.

Run via shell:

# timer all:summary | grep digest
Spam_digest_mail REPEATJOB [0 6 10***] Thu Jun 02 [Link] 2019


# timer spam_digest_mail:status
"name":"spam_digest_mail","status":"Enable","type":"repeatjob","exec_time":"Thu Jun 02 [Link] 2019","exec_str":"opcode_spam_digest_thread text (null)"


Troubleshooting Quarantine digest

No Quarantine digest is generated
1. Verify Quarantine digest is configured and enabled for users
2. Verify the user's email address is not in the Skip quarantine reports list
3. Verify emails are quarantined to trigger a digest report
4. Verify notification settings
5. Verify the spam digest timer
6. Manually trigger the Quarantine digest report and check [Link] & smtpd_main.log

# opcode spam_digest_thread -ds nosync
200 OK

# timer spam_digest_mail:status
"name":"spam_digest_mail","status":"Enable","type":"repeatjob","exec_time":"Thu Jun 02 [Link] 2013","exec_str":"opcode_spam_digest_thread text (null)"

Troubleshooting the Quarantine digest

No Quarantine digest is generated/sent

• Check that the Quarantine digest [Email >> Quarantine digest] is configured and enabled for users.
• Make sure the user's email address is not listed under Skip quarantine reports in [Email >> Quarantine digest].
• Check that mails were quarantined for that user within the configured digest frequency. Only quarantined spam mails are included in the Quarantine Digest report.
• Check that the notification settings [Administrator >> Notification settings] are configured properly; the digest is sent through the mail server configured there, so if notifications cannot be sent the digest cannot be sent either.
• Check the timer for the spam digest mail that sends the quarantine digest report:
  ü timer spam_digest_mail:status
• Test the release of the Quarantine digest report manually with the command below and check [Link] & smtpd_main.log:
  ü opcode spam_digest_thread -ds nosync
  ü Check mailSize for the specific user in [Link]; it should not be zero.
  ü Check the Mailspool & Maillogs for the quarantine mail release.


Minimum Escalation Requirements (MER)


• Please refer to the MER KB Article for Email Protection:
o [Link]



Module Objectives
On completion of this module you are now able to:
ü Explain how MTA mode works
ü Describe how MTA mode features work and how to troubleshoot them
ü Explain SASI integration
ü Explain how Legacy mode works
ü Describe how Legacy mode features work and how to troubleshoot them
ü Explain the POP3 and IMAP proxy function and how to troubleshoot it



Lab 5: Email Protection

• Investigate an issue where email communication is not working
• Investigate an issue where virus-infected email is getting allowed
• Investigate an issue where spam email is getting allowed
