POP3, SMTP and IMAP setup


L4 Transporter

Hello,

 

Our POP3, SMTP and IMAP are currently set to Default (Alert) in the AV profile.

 

We have noticed malicious emails coming through and identified via WildFire for staff using personal email addresses/computers using POP3 protocols. These personal computers are allowed on some of our remote sites.

 

Should POP3/SMTP and IMAP be set to Drop-reset for “Action” and “WildFire” in the Anti-Virus security policy if it detects a malicious file/link, etc.?

 

We are using Proofpoint to scan all our internal corporate email.

 

Thanks in Advance.

 


Accepted Solutions

L4 Transporter

Hi,

 

For SMTP, choosing reset-both is a good idea because the firewall will send a 541 response to the sending SMTP server to prevent the message from being sent.

 

For POP3 and IMAP, reset-both seems to cause the email clients to retry downloading the offending message eternally, so it probably interferes with the normal operation of the client. Still, that behavior is probably better than getting viruses inside your network (even if it's on personal computers).

 

Regards,

 

Benjamin


4 REPLIES 4

L4 Transporter

Thank you Benjamin for your suggestion. Much appreciated.

I use reset-both for POP3 and IMAP, with no "known" problems. Blocks viruses like a charm... Even after SSL decrypt. This is Gmail.

    THREAT ALERT : medium : 173.194.222.109 -> 192.168.4.164 Trojan-Downloader/VBS.agent.dpiwk(1210797) reset-both type: THREAT subtype: virus app: imap category: web-based-email contenttype: severity: medium direction: server-to-client sport: 993 dport: 49498 natsport: 993 natdport: 36862 flags: 0x81502000 proto: tcp action: reset-both

Hi,

Could you share in detail what you mean by no "known" problems?

After you set it to "reset-both" for POP3/IMAP, did your email clients keep retrying to download the offending message eternally?

Thanks for sharing.
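Added example (not part of the original thread and not Palo Alto Networks code): a small Python audit over threat alerts in the layout of the one quoted earlier in this thread. It lists SMTP/POP3/IMAP virus hits that were only alerted, and client/threat pairs that were reset repeatedly, which is the retry pattern discussed above. The sample lines, threat names, threat ID, the `make_line` helper and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

MAIL_APPS = {"smtp", "pop3", "imap"}
HEAD = re.compile(r"THREAT ALERT : \w+ : (?P<src>\S+) -> (?P<dst>\S+) (?P<threat>\S+)\(\d+\)")
# "key: value" pairs; a key with an empty value (e.g. "contenttype:") must not
# swallow the next key, hence the negative lookahead.
FIELD = re.compile(r"(\w+):(?: (?!\w+:)(\S+))?")

def make_line(src, dst, threat, app, direction, action):
    # Hypothetical helper: builds a constructed alert in the thread's layout.
    return (f"THREAT ALERT : medium : {src} -> {dst} {threat}(1000001) {action} "
            f"type: THREAT subtype: virus app: {app} contenttype: severity: medium "
            f"direction: {direction} proto: tcp action: {action}")

# Constructed sample data (documentation/private addresses, made-up threat names).
SAMPLE = "\n".join(
    [make_line("198.51.100.7", "10.0.0.21", "Example/Trojan.a", "pop3", "server-to-client", "alert")]
    + [make_line("198.51.100.9", "10.0.0.35", "Example/Dropper.b", "imap", "server-to-client", "reset-both")] * 3
    + [make_line("10.0.0.40", "198.51.100.25", "Example/Worm.c", "smtp", "client-to-server", "reset-both"),
       make_line("198.51.100.80", "10.0.0.50", "Example/Trojan.a", "web-browsing", "server-to-client", "alert")]
)

def parse(line):
    """Return a dict of header and key/value fields, or None if not a threat alert."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD.findall(line))
    return rec

def audit(text, loop_threshold=3):
    """Return (alert-only mail detections, {(client, app, threat): resets >= threshold})."""
    alert_only, resets = [], Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        if rec.get("subtype") != "virus" or rec.get("app") not in MAIL_APPS:
            continue
        # The mail client is the destination for downloads, the source for SMTP sends.
        client = rec["dst"] if rec.get("direction") == "server-to-client" else rec["src"]
        key = (client, rec["app"], rec["threat"])
        if rec.get("action") == "alert":
            alert_only.append(key)
        elif rec.get("action", "").startswith("reset"):
            resets[key] += 1
    return alert_only, {k: n for k, n in resets.items() if n >= loop_threshold}

if __name__ == "__main__":
    alert_only, loops = audit(SAMPLE)
    print("alert only (not blocked):", alert_only)
    print("possible retry loops:", loops)
```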
