This document describes the required configuration and policy to deliver inbound messages from a Trustwave Secure Email Gateway (premises) installation for checking by the Trustwave Sandboxing service.
Readers are expected to have familiarity with Trustwave SEG administration including creation of policy and policy elements. General procedures to create these items are covered in Help and the User Guide.
- Enable TLS on the SEG server for incoming and outgoing messages, using a valid (CA signed) certificate. TLS is required to communicate with the Trustwave Sandbox service.
- Create a new IP Group called "IP Trustwave Sandbox". Add the Trustwave Sandbox service Public IP ranges. These are the valid sources for responses from the Sandbox service.
- For US instance:
- Trustwave Sandbox US Range 1: 52.191.90.76/30
- Trustwave Sandbox US Range 2: 13.91.203.24/30
- For EU instance:
- Trustwave Sandbox EU Range 1: 20.31.9.32/31
- Trustwave Sandbox EU Range 2: 20.105.76.250/31
- Create a new Quarantine folder called “Trustwave Sandbox Errors”. This will hold messages that could not be processed by the Sandbox service or caused any error in sandbox processing.
- (Optional) Create two new Archive folders called “Sent to Trustwave Sandbox” and “Received from Trustwave Sandbox”. These will hold copies of the messages sent to and received from the Trustwave Sandbox service. Saving these messages can be useful in case of queries about what was processed.
- Extract the six SEG Category Scripts from TrustwaveSandboxSEGCustomerFiles.zip. Copy the Category Scripts to the Config folder of the SEG Array Manager installation. The categories will be selectable by name when you create SEG rules.
Note: The policy listings below assume that default Spam and Malware folders exist. These folders are created by default in recent installations of SEG. If these folders do not exist, you must create them.
Required Policy
Two new Policy Groups are required. The first group delivers messages to the service for processing. The second group processes messages returned from the Sandbox Service. In addition, TLS rules must be changed in many cases.
Policy Group: To Trustwave Sandbox
Place this policy group after all other Content Analysis policy groups except for Archiving policy. The rule action to copy the message to a folder is optional. The “Prefilter” condition checks for message components that can be processed through the Sandbox.
- This policy group detects incoming messages that have not been sent to the Sandbox service and routes them to the service.
When a message arrives
Where message is incoming
Except where addressed from 'IP Trustwave Sandbox'
Process message using this policy group
Rule: Send to Trustwave Sandbox
- Note: Be sure to specify the correct routing for your configured instance.
The copy action is optional.
Where message size is 'less than 10240 KB'
and where message is categorized as 'Sandbox Prefilter'
Copy the message to 'Sent to Trustwave Sandbox' with release action "continue processing"
And set message routing to
- For US instance: smtp.sandboxing.us.twsegcloud.com:25,IPv4
- For EU instance: smtp.sandboxing.eu.mailmarshal.cloud:25,IPv4
And pass the message on and do not process any additional rules
1 Rule(s)
Policy Group: From Trustwave Sandbox
Place this policy group before all other Content Analysis policy groups.
- This policy group detects messages returned from the Sandbox service and quarantines messages that were flagged by the service.
When a message arrives
Where addressed from 'IP Trustwave Sandbox'
Process message using this policy group
Rule: Archive From Trustwave Sandbox (Optional)
Copy the message to 'Received from Trustwave Sandbox' with release action "continue processing"
And pass message to the next rule for processing.
Rule: Trustwave Sandbox Block Malware
Where message is categorized as 'Trustwave Sandbox Malicious Attachment'
Move the message to 'Malware' with release action "continue processing"
Rule: Trustwave Sandbox Block Suspected Malware
Where message is categorized as 'Trustwave Sandbox Suspect Attachment'
Move the message to 'Malware - Suspected' with release action "continue processing"
Rule: Trustwave Sandbox Block Spam
Where message is categorized as 'Trustwave Sandbox Spam'
Move the message to 'Spam - Suspected' with release action "continue processing"
Rule: Trustwave Sandbox Block Suspect URL
Where message is categorized as 'Trustwave Sandbox Suspect URL'
Move the message to 'Suspect URLs' with release action "continue processing"
Rule: Trustwave Sandbox Errors
Where message is categorized as 'Trustwave Sandbox Error'
Move the message to 'Trustwave Sandbox Errors' with release action "continue processing"
6 Rule(s)
TLS Connection Properties Policy
The Sandbox service communicates over TLS. The TLS Client Certificate for this server cannot match the sending domain. You must exclude the Sandbox server from Client Certificate domain matching rules.
Add the following condition to any TLS Client Certificate domain matching rule:
Except where addressed from 'IP Trustwave Sandbox'
For example, in the default ruleset of recent MailMarshal versions, modify the rule TLS Connection Properties > Reject Non-domain matching TLS Client Certificates
The rule should appear as follows:
Where the message is addressed to or from any user
Except where addressed from 'IP Trustwave Sandbox'
Where the TLS client certificate was presented with options: 'Domain does not match'
Refuse message and reply with 550 TLS client certificate subject does not match sender domain
The Sandbox service returns messages using the original "From" address but not the sender's verified IP address. Also, returned messages will have additional headers. To avoid false detection of SPF, DKIM, and DMARC policy breaches, you must exclude the Sandbox server from any rules that apply these checks to inbound messages.
For example, in the default ruleset of recent MailMarshal versions, the following rules or policy groups should have the condition Except where addressed from 'IP Trustwave Sandbox'