Data Loss Prevention

  • 1.  DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 14, 2020 08:50 AM
    Hi,

    How can we configure Network Prevent for Email (NPE) to send emails in forward mode to Exchange Online (EOP) that requires client authentication using certificate. We have certificate, it was imported by keytool, but it is not used, in other words, NPE does not authenticate itself as a client with certificate. Is there any options/settings or something similar to force certificate auth?

    Regards,
    Vladimir Vucinic

    ------------------------------
    Net++ technology d.o.o.
    ------------------------------


  • 2.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 15, 2020 12:34 AM

    Hey Vladimir,

    We actually just got over this hump:

    1) suggest using CMAIL SMTP Client to test with
    2) create new keystore; it must be named prevent.ks (verbatim)
    3) verify in your logs that it's not saying "file is missing"; this would indicate that it's looking in another directory for the keystore file.
    4) download Public Certs from your EOP Provider using the openssl key tool (you can google docs)
    5) import both GSA and O365 EOP certs
    6) don't forget to set your requestor logs and smtp logs to FINEST
    7) create the keystore using this command
        keytool -genkeypair -alias < SMTPPreventHostName > -keyalg RSA -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks (if you put a custom location, double check)
       hit enter, then input your password. It should ask you multiple questions for the cert it's going to auto-generate. For the name, you must use the FQDN of the host.
    8) import the public certs from EOP (





  • 3.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 15, 2020 12:57 AM
    Hi,

    Thank you for your reply. Those instructions are for secure communication, to be able to use SMTP with TLS, and that part works. My issue is that EOP would relay emails only from hosts with the appropriate certificate, so my DLP NPE needs to send a certificate for authentication after TLS is established. We did what you wrote, and this is the procedure to establish secure SMTP or SMTP with TLS, but I need to use my server certificate to authenticate the server to EOP!

    Regards,
    Vladimir


    ------------------------------
    Net++ technology d.o.o.
    ------------------------------



  • 4.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 15, 2020 10:02 AM
    The three actors must have all certificates: NP for email, Sender MTA, and forward MTA. Also, don't forget to set up a keystore password at the Enforce console for the NP for mail configuration, remove trial mode, configure the MX option (the MX record must exist; test it with nslookup) and add the domains, and make sure STARTTLS is added to RequestProcessor.AllowExtensions in the Server advanced settings. If all this is done, then a Wireshark capture at the NP for mail will reveal what is happening for troubleshooting.
    Note: Assuming you are setting up DLP 15.7 and you added a license for NP for mail.

    Good luck,
    A.C.


  • 5.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 15, 2020 10:15 AM
    Edited by Vladimir Vucinic Oct 15, 2020 10:16 AM
    Hi Alvaro,

    Thanks for the comment, but again, this is only for SMTP over TLS, and I do not have an issue with it; it works. My problem is to authenticate the sending server (NPE) to EOP using a certificate. When creating a connector at EOP you can limit who can send emails in the name of a domain, using IP address restrictions or using certificates (and this is what MS advised our customer, and they do not want to use IP restriction, but only certificates).

    Regards,
    Vladimir

    ------------------------------
    Net++ technology d.o.o.
    ------------------------------



  • 6.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 15, 2020 11:09 AM
    I am confused on this part: "I need to use my server certificate to authenticate server to EOP!" If NP for mail already authenticated itself in the TLS handshake and is communicating, there is nothing else the DLP server is designed to do, other than transferring emails received after inspection. On this sentence, "EOP would relay emails only from hosts with appropriate certificate", DLP NP for mail doesn't have control; DLP only has control on who is sending mail and where it has to go, after you configure it with MTAs and NP certificates. If you want to control or filter email, you will have to configure an email security solution (for spam filtering, etc.) such as Symantec https://docs.broadcom.com/doc/email-security-cloud-en or Proofpoint email protection https://www.proofpoint.com/us/products/email-protection. So, if I understood correctly, you are trying to control who can send email, and if that is true, NP has no control on that; NP can only control which MTAs can send and receive emails once their certs are inside the NP for mail keystore (server authentication). Basically, this sentence, "so my DLP NPE need to send certificate for authentication, after TLS is established", is not a function of DLP (it only exchanges certificates for TCP/TLS communications in the handshake process, for all servers involved in email sending), and after authentication DLP's only function is to receive any mail on port 25, inspect it, and forward it to the downstream MTA (or block it if in violation of a policy), so it doesn't send any more certificates. I am sorry if I misunderstood.


  • 7.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 16, 2020 05:14 PM
    Adding a note. Perhaps you are talking about configuring your Email server for a certificate-based connector? NP for Email is transparent in the email routing process. Check this MS document for configuring the Email server for certificate-based authentication: https://docs.microsoft.com/en-us/exchange/troubleshoot/email-delivery/office-365-notice.

    Hope it helps,
    A.C.


  • 8.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 16, 2020 05:55 PM
    Hi Alvaro,

    Yes, this is what I am talking about. EOP is configured for cert based auth and it works with Exchange on premise when sending directly to EOP, but it does not work with NPE. Could you explain "NP for Email is transparent in the email routing process."?

    Vladimir


    ------------------------------
    Net++ technology d.o.o.
    ------------------------------



  • 9.  RE: DLP Network Prevent for Email - client certificate authentication?

    Posted Oct 19, 2020 10:47 AM
    NP for mail is neither a sender nor a receiver in the SMTP communication process; MTAs are the ones in charge of sending email. NP for mail doesn't store or do anything to the mail, unless it is configured to stop mail in case of a security violation, in which instance the email process is stopped and the sender is notified. So, it is your email MTAs that are configured for who can or cannot send/receive mail. However, NP can be configured to limit the machines (MTAs) that communicate with it (this is not the same as email users). For instance, Next-hop MTA in the basic configuration (Enforce console) can be instructed to check a list of MX records (Forwarding mode), and/or other MTAs for further processing such as encryption. The keystore imported certificates will definitely limit which MTAs will be talking to the DLP NP for mail server, but again NP doesn't care about who (as in users) sends emails; it will process any mail coming on port 25. So NP for mail cannot restrict users from sending emails, and I will recommend asking in the MS forums how to do that, if your Message Submission Agent or MTA is a MS server or web service.
    Good luck
    A.C.
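An added example to make the distinction in replies 6 and 9 concrete; this is not Symantec code and not a product setting. It is a stand-alone Java STARTTLS client that loads a keystore like the prevent.ks built in reply 2, reports which entries are identities (PrivateKeyEntry, from -genkeypair) and which are only trust anchors (trustedCertEntry, the imported EOP public certs), then connects to a next-hop host, upgrades with STARTTLS and shows whether a client certificate was actually sent. The imported public certs only let a client verify the server; presenting a certificate to EOP additionally needs a private-key entry wired in as a KeyManager and a server that sends a CertificateRequest, which is the piece the thread says NPE does not do. The class name, argument order and the "JKS" keystore type are assumptions; no mail is submitted, the session ends with QUIT.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

// Hypothetical diagnostic client for this thread, not part of Symantec DLP.
public class SmtpClientCertCheck {

    /** Report which keystore entries are identities and which are only trust anchors. */
    static void describeKeystore(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // -genkeypair yields a PrivateKeyEntry (cert + private key, presentable to a peer);
            // -importcert yields a trustedCertEntry (used only to verify the peer's chain).
            String role = ks.isKeyEntry(alias) ? "PrivateKeyEntry  (usable as client identity)"
                                               : "trustedCertEntry (peer verification only)";
            System.out.println(alias + ": " + role);
        }
    }

    /** SSLContext that both verifies the server and can present our own certificate. */
    static SSLContext buildContext(KeyStore ks, char[] password) throws Exception {
        // KeyManager: answers the server's CertificateRequest with our PrivateKeyEntry.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // TrustManager: validates the server chain against the imported public certs.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Read one SMTP reply; "250-..." lines continue it, "250 ..." ends it. */
    static String readReply(BufferedReader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        String line;
        do {
            line = in.readLine();
            if (line == null) throw new EOFException("connection closed by server");
            sb.append(line).append('\n');
        } while (line.length() >= 4 && line.charAt(3) == '-');
        return sb.toString();
    }

    static void send(Writer out, String cmd) throws IOException {
        out.write(cmd + "\r\n");
        out.flush();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                  // next-hop MTA, e.g. the EOP smart host
        int port = Integer.parseInt(args[1]);   // usually 25 for STARTTLS
        String keystorePath = args[2];          // e.g. /opt/SymantecDLP/Protect/keystore/prevent.ks
        char[] password = args[3].toCharArray();
        String ehloName = args[4];              // FQDN for EHLO; should match the cert's CN/SAN

        // "JKS" is assumed; current JDKs also load PKCS12 files through this type.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        describeKeystore(ks);
        SSLContext ctx = buildContext(ks, password);

        try (Socket plain = new Socket(host, port)) {
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(plain.getInputStream(), StandardCharsets.US_ASCII));
            Writer out = new OutputStreamWriter(plain.getOutputStream(), StandardCharsets.US_ASCII);
            System.out.print(readReply(in));                    // 220 banner
            send(out, "EHLO " + ehloName);
            String ehlo = readReply(in);
            System.out.print(ehlo);
            if (!ehlo.contains("STARTTLS")) throw new IllegalStateException("no STARTTLS offered");
            send(out, "STARTTLS");
            System.out.print(readReply(in));                    // 220 ready to start TLS

            // Upgrade the same TCP connection; what we present is decided by the KeyManager.
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check against SAN/CN
            tls.setSSLParameters(params);
            tls.startHandshake(); // fails here if the server demands a client cert we lack

            // null means no client certificate went out: either the keystore holds no
            // PrivateKeyEntry, or the server never sent a CertificateRequest.
            Certificate[] local = tls.getSession().getLocalCertificates();
            System.out.println("client certificate presented: " + (local != null));

            Writer tout = new OutputStreamWriter(tls.getOutputStream(), StandardCharsets.US_ASCII);
            BufferedReader tin = new BufferedReader(
                    new InputStreamReader(tls.getInputStream(), StandardCharsets.US_ASCII));
            send(tout, "QUIT");                                 // no mail is submitted
            System.out.print(readReply(tin));
        }
    }
}
```

Run it as `java SmtpClientCertCheck <host> 25 /opt/SymantecDLP/Protect/keystore/prevent.ks <password> <fqdn>` against a test listener you control. Two outcomes matter for this thread: if the keystore listing shows only trustedCertEntry lines, there is no identity to present and "client certificate presented: false" is expected; if a PrivateKeyEntry exists but the result is still false, the server side never asked for one, so the connector configuration on the receiving side is where to look next.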