<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Exact threat details in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377758#M1011</link>
    <description>&lt;P&gt;&amp;nbsp; Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; I have seen 4 different threat IDs so far for non-RFC compliant SMTP traffic, so it's not like you have a very broad set of criteria that classifies traffic under one ID and that there could be a gazillion reasons. As I noted in my OP the sending server is a Postfix (SMTP) server, although an old one (7+ years), so I don't think it sends corrupt messages in any way and that it sent SMTP traffic, not something else. I used Thunderbird (latest as of OP's date) to send the mails via this server. Server adds a DKIM signature, which is validated OK by Google, so I don't see where the problem comes from. The problem started when we enabled SSL inspection and I believe my server was using STARTTLS with a valid certificate to encrypt traffic.&lt;/P&gt;</description>
    <pubDate>Mon, 04 Jan 2021 21:23:53 GMT</pubDate>
    <dc:creator>KozbeszHat</dc:creator>
    <dc:date>2021-01-04T21:23:53Z</dc:date>
    <item>
      <title>Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/371636#M993</link>
      <description>&lt;P&gt;&amp;nbsp; Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; Is there a way to know what a specific threat ID checks for? We enabled SSL inspection for SMTP traffic and Palo started to flag every e-mail with threat ID 56951 (non-RFC compliant SMTP traffic), but ThreatDB does not provide anything useful as to what/how it is non-compliant. E-mails were received from a proper e-mail server running an older version of Postfix and using an older OpenSSL version for SSL encryption.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; Thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; Morc&lt;/P&gt;</description>
      <pubDate>Thu, 10 Dec 2020 14:59:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/371636#M993</guid>
      <dc:creator>KozbeszHat</dc:creator>
      <dc:date>2020-12-10T14:59:48Z</dc:date>
    </item>
    <item>
      <title>Re: Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/373482#M995</link>
      <description>&lt;P&gt;Thanks for the information&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Dec 2020 10:56:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/373482#M995</guid>
      <dc:creator>Millender12</dc:creator>
      <dc:date>2020-12-10T10:56:05Z</dc:date>
    </item>
    <item>
      <title>Re: Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/376157#M1005</link>
      <description>&lt;P&gt;You would need to open a case with Support.&lt;/P&gt;</description>
      <pubDate>Thu, 24 Dec 2020 22:49:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/376157#M1005</guid>
      <dc:creator>mivaldi</dc:creator>
      <dc:date>2020-12-24T22:49:44Z</dc:date>
    </item>
    <item>
      <title>Re: Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377685#M1009</link>
      <description>&lt;P&gt;But why? Other threat IDs have links for more information, but these non-RFC SMTP ones don't have anything.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Jan 2021 16:53:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377685#M1009</guid>
      <dc:creator>KozbeszHat</dc:creator>
      <dc:date>2021-01-04T16:53:12Z</dc:date>
    </item>
    <item>
      <title>Re: Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377687#M1010</link>
      <description>&lt;P&gt;Hello Laszlo,&lt;/P&gt;
&lt;P&gt;As you can see in ThreatVault, "This signature detects suspicious and non-RFC compliant SMTP traffic on port 25. This could be associated with applications sending non SMTP traffic using port 25 or indicate possible malicious activity."&lt;/P&gt;
&lt;P&gt;This signature is alerting on port 25 traffic that is not valid SMTP traffic per RFC 5321 - Simple Mail Transfer Protocol. Security best practices recommend not allowing non SMTP traffic via port 25. Identifying the specific issue requires investigation into the actual traffic and/or hosts sending the traffic. Due to the broad category of non-RFC compliance, we are unable to provide a more specific description, as this signature simply detects if the traffic is not compliant with the RFC.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Jan 2021 17:17:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377687#M1010</guid>
      <dc:creator>brcook</dc:creator>
      <dc:date>2021-01-04T17:17:46Z</dc:date>
    </item>
    <item>
      <title>Re: Exact threat details</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377758#M1011</link>
      <description>&lt;P&gt;&amp;nbsp; Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; I have seen 4 different threat IDs so far for non-RFC compliant SMTP traffic, so it's not like you have a very broad set of criteria that classifies traffic under one ID and that there could be a gazillion reasons. As I noted in my OP the sending server is a Postfix (SMTP) server, although an old one (7+ years), so I don't think it sends corrupt messages in any way and that it sent SMTP traffic, not something else. I used Thunderbird (latest as of OP's date) to send the mails via this server. Server adds a DKIM signature, which is validated OK by Google, so I don't see where the problem comes from. The problem started when we enabled SSL inspection and I believe my server was using STARTTLS with a valid certificate to encrypt traffic.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Jan 2021 21:23:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/exact-threat-details/m-p/377758#M1011</guid>
      <dc:creator>KozbeszHat</dc:creator>
      <dc:date>2021-01-04T21:23:53Z</dc:date>
    </item>
  </channel>
</rss>