How can I report on inbound TLS connections?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • How can I report on inbound TLS connections?

Background:

MailMarshal SMTP can send and receive email over TLS (Transport Layer Security, or SSL tunnel). For information about setting up TLS, see Trustwave Knowledgebase article Q11636.

  • Outbound messages delivered using TLS are classified as "Delivered successfully over TLS" and you can report on this classification using MailMarshal Reports or Marshal Reporting Console.
  • For inbound messages:
    • In Trustwave MailMarshal (SEG) 7.0 and above, you can use the Content Analysis rule conditions "Where message was/was not received via TLS" and "Where the negotiated TLS parameters match criteria" to log classifications for reporting.
    • In earlier versions, inbound messages delivered using TLS are marked in the email header as "Using TLS", but they are not classified for reporting. You can use the procedure below to log these messages.
    • TLS cipher strength is only recorded in the Receiver text log file. This information is not available for reports. In version 6.9.6 and above you can require strong ciphers; see Trustwave Knowledgebase article Q14317.

Response:

Use Trustwave SEG 7.0 or above and log a classification to be reported on. You can use the Content Analysis rule conditions "Where message was/was not received via TLS" and "Where the negotiated TLS parameters match criteria" to log classifications for reporting.

Workaround:

To allow reporting on inbound TLS messages in MailMarshal version 6.9.9 and below, you can set up the following items:

  • A reporting classification
  • A Standard rule using Header Match to record messages that include the TLS email header.

Creating a Classification

  1. In the MailMarshal Configurator, expand Policy Elements and select Classifications.
  2. Click New Classification.
  3. Enter Received with TLS as the classification name.
  4. Click OK.

Creating a Rule

  1. View the headers of a message received by your MailMarshal server with TLS. You can use the MailMarshal Console, or you might be able to view headers in your email client.
  2. Locate a header line similar to the following:

    Received: from somewhere.else.com ([192.168.0.1]) by vm-example18.example.com with MailMarshal (v6,8,2,9371) (using TLS: SSLv23)
  3. Note the local server name (in the example above, vm-example18.example.com).
  4. Create a Header Match rule. See below for a description of the header match condition.
    • In the MailMarshal Configurator, expand Email Policy. Select and expand a Policy Group that applies to all incoming connections (such as the default Connection Policies group).
    • Add a standard rule as follows:
      When a message arrives
      Where the message is addressed to or from any user
      Where message contains one or more headers 'Check for TLS'
      Write log message(s) with 'Received with TLS'
      And pass message to the next rule for processing.

Header match condition

The header match condition is created as part of the rule creation, when you select the condition "Where message contains one or more headers".

  1. Click New.
  2. On the Field Matching window, select the box for the Received field, accept other default values and click Next.

  3. In the Field Search Expression field, enter an expression based on the local server name. For the above server name:

    vm-example18.example.com

    use the expression:

    vm-example18\.example\.com.*using\sTLS:

    (The backslashes are the only change from the plain server name: \. makes each dot match a literal dot rather than any character, and \s matches the space before "TLS:". This ensures that the dots and whitespace in the line are matched appropriately.)

    The search for the server name is included to ensure the rule only finds messages received with TLS by your server, and excludes any other MailMarshal servers that may have handled the message.

  4. Give the Header Match a name, and complete the Header Match and Rule wizards.

To apply the rule, commit MailMarshal configuration.

Notes:

  • If your installation includes more than one processing server, you could change the header match to only include the domain part (not the server name): \.example\.com.*using\sTLS:
  • If you want to match more than one full server name, you will need to add a separate rule to classify messages for each server. You cannot use a single rule with multiple header match conditions in this case, because multiple header match conditions in the same rule are evaluated using the boolean AND (all items must match for the condition to be true).
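As an added illustration (not part of this Trustwave article and not MailMarshal's own code), the following Python models the header match described above and in the Notes: it builds the escaped search expression from a server name, applies it to a few constructed Received lines, shows the domain-only variant for multiple processing servers, and shows why two full server names in one rule (ANDed conditions) never fire while separate rules do. It assumes the Header Match searches anywhere in the field text, case-sensitively, like Python's re.search; the sample header lines are constructed in the shape the article shows.

```python
import re

# Constructed sample Received header lines (not taken from the article), in the
# shape the article shows. Only the first is a TLS receipt by the local server.
SAMPLE_HEADERS = [
    # local server, received with TLS -> should be classified
    "Received: from somewhere.else.com ([192.168.0.1]) by vm-example18.example.com "
    "with MailMarshal (v6,8,2,9371) (using TLS: SSLv23)",
    # local server, received without TLS -> must not be classified
    "Received: from somewhere.else.com ([192.168.0.1]) by vm-example18.example.com "
    "with MailMarshal (v6,8,2,9371)",
    # a different MailMarshal server used TLS earlier in the path -> must not be classified
    "Received: from relay.partner.net ([10.0.0.5]) by mx.othercompany.com "
    "with MailMarshal (v6,8,2,9371) (using TLS: SSLv23)",
    # second processing server in the same domain, with TLS -> only the domain variant matches
    "Received: from relay.partner.net ([10.0.0.5]) by vm-example19.example.com "
    "with MailMarshal (v6,8,2,9371) (using TLS: SSLv23)",
]


def server_expression(server_name):
    """Field Search Expression for one full server name, built the way the article
    describes: escape each dot so it matches a literal dot, then require
    'using TLS:' later on the same line (\\s matches the space before 'TLS:')."""
    return server_name.replace(".", r"\.") + r".*using\sTLS:"


def domain_expression(domain):
    """Variant from the Notes for several processing servers: only the domain part,
    with a leading escaped dot so the match is anchored to a host in that domain."""
    return r"\." + domain.replace(".", r"\.") + r".*using\sTLS:"


def rule_fires(header, expressions):
    """Model one rule with one or more header match conditions. As the Notes say,
    multiple conditions in a single rule are ANDed: every expression must be found.
    Assumption: the Header Match searches anywhere in the field (re.search)."""
    return all(re.search(expr, header) for expr in expressions)


def classify(headers, expressions):
    """Return the header lines that one rule would log as 'Received with TLS'."""
    return [h for h in headers if rule_fires(h, expressions)]


def count_logged(headers, rules):
    """Model several separate rules (one per server, each a list of expressions):
    a message is logged when any of the rules fires on its header line."""
    return sum(1 for h in headers if any(rule_fires(h, r) for r in rules))


if __name__ == "__main__":
    own = server_expression("vm-example18.example.com")
    print("expression:", own)
    print("single server rule:", len(classify(SAMPLE_HEADERS, [own])), "logged")
    print("domain rule:", len(classify(SAMPLE_HEADERS, [domain_expression("example.com")])), "logged")
    both = [own, server_expression("vm-example19.example.com")]
    print("two servers in one rule (AND):", len(classify(SAMPLE_HEADERS, both)), "logged")
    print("two separate rules:", count_logged(SAMPLE_HEADERS, [[both[0]], [both[1]]]), "logged")
```

Running the block shows the single-server expression logging only the first line, the domain variant logging both TLS receipts in example.com, the two-server AND rule logging nothing, and two separate rules logging both.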

Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle13829.aspx