smtp/pop3 over SSL - how to configure security rules?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

smtp/pop3 over SSL - how to configure security rules?

L4 Transporter

Hi

I moved my email serwer from untrust to DMZ. Everything almost is working fine, almost ...

This server has ftp and webmail function too, so my security rules looks:

2013-11-07_083113.png

I checked on aplipedia for aplication smtp and pop3. Accroding to aplipedia smtp uses tcp/25,587  and pop3 tcp/110.

Thats true for on secure connections. But how _properly_ pass SSL traffic?

On my server I use ports 465 (smtp) 993 (imap) 995 (pop3) for secures connections.

I'd like to use aplications insted of services like I use now.

I do this as a temporary solution.

Please give my advice how to properly cinfigured security rules in such situations.

With Regards

Slawek

1 accepted solution

Accepted Solutions

Hell Slawek,

 

Some more investigation lead me to the following document which answers your scenario:

App-IDs for SSL-Secured Versions of Well-Known Services

 

Hope the above document helps you.

 

 

Thanks and regards,

Kunal Adak

View solution in original post

7 REPLIES 7

L5 Sessionator

Hello Slawek,

Since according to applipedia, SMTP and POP3 are not incorporating SSL ports like 995 and 465, you can write a separate rule to include smtp and pop3 and have service as 'any'  instead of application-default. In that way, you can make sure that your other applications ftp, dns and web-browsing are still riding on their default ports while allowing SMTP and POP3 on all ports.

Hope that helps.

Thanks and regards,
Kunal Adak

Hi Kadak

Thank You for sugestion, I changed my policy.

But I have dubt that this is a right way to make workaround in _such_ simple problem.

I wonder that maybe will be better to change aplication definition and add there my ports. Port that I use are standart and many administrator use the same.

I sow many time on this forum and tech doc's that it's important to use aplication default in service field of policy - because using "any" could be "dangerous".

With Regards

SLawek

Hell Slawek,

 

Some more investigation lead me to the following document which answers your scenario:

App-IDs for SSL-Secured Versions of Well-Known Services

 

Hope the above document helps you.

 

 

Thanks and regards,

Kunal Adak

L4 Transporter

Hi

Second point looks interesting:

"Create service objects for the SSL-variant ports, and allow 'ssl' App-ID in security policy on those services: SMTPS:TCP/465; IMAPS:TCP/993; POP3S:995; IMAPS:TCP/585."

Is my policy correct?

2013-11-07_195431.png

ie. "Port 465" has tcp/465 enabled.

Regards

SLawek

The policy is correct. You allow all applications that are identified as SSL on the 3 ports 465,993,995 in your scenario.

There is no way to modify the app id because the traffic is encrypted. The system can not see what app is trying e.g. to use port 465. So there is only one app called SSL. The only way for the system to identify the app is to use ssl decryption policy. Then you would see which app is using this port.

HTH

L4 Transporter

I understand your explanation.

In my opinion it is mistake to put only one 586port and 25 as a ports for smtp. Most of Us using also different ports too.

Using workaround that provice Kadak we have to make another policy that PA have to process, so we have two policy in every situation where is SSL traffic and regular trafic but on different ports (like in my scenario).

If this is Palo Alto vision - I can't do anything with it

I can't use decryption.

Regards

Slawek

Which other way do you see to implement inspection of encrypted data flow?

Have you looked at the data flow chart explaining how the PA dataplane handels traffic? Maybe that helps to understand.

I don´t think there is another vendor that can identify an application that sends encrypted traffic without breaking the encryption. How should this work?

And the ports 25 and 586 are the default ports for smtp (see RFC5321). No matter which other ports you are using.

And there is no problem by creating more than one rule to handle traffic that can not be handled by only one rule. I also created some own services to handle traffic that is not caught by the app-default setting.

I don´t see the main problem you seem to have with the PA way.

cu

  • 1 accepted solution
  • 13489 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!