Data Loss Prevention

  • 1.  Importing Certificates for scanning encrypted e-mail

    Posted Apr 23, 2012 06:42 PM

    I'd like to be able to import certificates for a CA (like Verisign) where we may send mail to a known/trusted third party, so I can scan encrypted mail using this cert with Network Prevent for Email. I wasn't able to find anything in the 11.x Admin Guide nor the MTA Integration Guide.


    Any ideas?



  • 2.  RE: Importing Certificates for scanning encrypted e-mail

    Posted Apr 25, 2012 08:37 AM

    Amit,

    Are you trying to use some sort of encryption in your Mail Flow, and have the Network Prevent for Email decrypt this message for inspection?



  • 3.  RE: Importing Certificates for scanning encrypted e-mail

    Broadcom Employee
    Posted Apr 25, 2012 09:12 AM

    As you know, Network Prevent for Email is only used to scan the content of the email, not to perform the action on the email, for example encrypt or quarantine.

    So, maybe you can try this workaround:

    The previous-hop MTA sends the email to Network Prevent for Email without encryption. After the content scan, Network Prevent for Email delivers the email to the next-hop MTA without encryption. Then let this MTA encrypt your outgoing email.




  • 4.  RE: Importing Certificates for scanning encrypted e-mail

    Posted Apr 25, 2012 10:22 AM

    To put it bluntly, Email Prevent cannot handle mail encrypted with TLS, so you will need to exempt mail to and from the Email Prevent server from TLS encryption on your MTA. Yang's workaround is ideal and is the recommendation that you should find in the Admin Guide.



  • 5.  RE: Importing Certificates for scanning encrypted e-mail

    Posted Apr 26, 2012 06:03 PM

    Sorry Yang and Xavier...you're wrong on this one.

    Email Prevent is capable of operating in a TLS environment, and it's well documented in the Admin Guide. You need to:

    (1) Create a keystore on the Prevent server. There's one there by default, prevent.ks, which is just an empty keystore to start with.

    (2) Generate a cert from the keystore, which gets imported on the upstream MTA.

    (3) Import the cert from the downstream MTA into the Prevent keystore.

    (4) Turn on TLS by adding STARTTLS to the RequestProcessor.AllowExtensions setting (it's there by default, btw).

    Refer to the guides for more detail. I'm going from memory, and there are a few sub-steps in there. I've done this at several clients and it's generally pretty straightforward, though it takes a little patience and know-how on verifying that TLS is being properly negotiated the whole way through.

    ~Keith
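The last point in Keith's list, verifying that TLS was negotiated on every hop, is the part the guides leave to the administrator. One defender-side check that needs no access to the MTAs is to read the Received trace of a message that has gone through the Prevent server and flag any hop whose receiving MTA did not record a TLS session. The script below is an added example, not from this thread or from Symantec; it assumes Postfix-style Received headers (the `(using TLSv1.x with cipher ...)` clause), and the host names and the sample message are constructed for illustration.

```python
import email
import email.policy
import re

# Constructed sample message: three Postfix-style Received headers, newest
# first. The hop from the (hypothetical) DLP server dlp-prevent.example.com to
# mta-out.example.com carries no TLS clause, i.e. that hop was negotiated in clear.
SAMPLE_MESSAGE = (
    "Received: from mta-out.example.com (mta-out.example.com [192.0.2.30])\n"
    "\tby mx.partner.example (Postfix) with ESMTPS id 3C4D5E\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));\n"
    "\tMon, 23 Apr 2012 18:42:00 +0000\n"
    "Received: from dlp-prevent.example.com (dlp-prevent.example.com [192.0.2.20])\n"
    "\tby mta-out.example.com (Postfix) with ESMTP id 1A2B3C;\n"
    "\tMon, 23 Apr 2012 18:41:59 +0000\n"
    "Received: from mta-in.example.com (mta-in.example.com [192.0.2.10])\n"
    "\tby dlp-prevent.example.com (Postfix) with ESMTPS id 9F8E7D\n"
    "\t(using TLSv1.2 with cipher AES128-SHA (128/128 bits));\n"
    "\tMon, 23 Apr 2012 18:41:58 +0000\n"
    "From: sender@example.com\n"
    "To: recipient@partner.example\n"
    "Subject: TLS trace check\n"
    "\n"
    "body\n"
)

# Postfix writes "(using TLSv1.2 with cipher NAME (bits))" into the Received
# header when the inbound session was protected by STARTTLS.
TLS_CLAUSE = re.compile(r"\(using (TLSv[\d.]+) with cipher (\S+)")


def parse_received(value):
    """Turn one unfolded Received header into a dict describing the hop."""
    v = " ".join(value.split())  # collapse folding whitespace
    src = re.search(r"\bfrom (\S+)", v)
    dst = re.search(r"\bby (\S+)", v)
    proto = re.search(r"\bwith (\S+)", v)
    tls = TLS_CLAUSE.search(v)
    return {
        "from": src.group(1) if src else None,
        "by": dst.group(1) if dst else None,
        "protocol": proto.group(1) if proto else None,
        "tls_version": tls.group(1) if tls else None,
        "cipher": tls.group(2) if tls else None,
    }


def hop_tls_report(raw_message):
    """List every hop in the Received trace, newest first."""
    msg = email.message_from_string(raw_message, policy=email.policy.compat32)
    return [parse_received(h) for h in msg.get_all("Received", [])]


def hops_without_tls(raw_message):
    """Return (from, by) pairs whose receiving MTA recorded no TLS session."""
    return [(h["from"], h["by"]) for h in hop_tls_report(raw_message)
            if h["tls_version"] is None]


if __name__ == "__main__":
    for hop in hop_tls_report(SAMPLE_MESSAGE):
        state = f"{hop['tls_version']} {hop['cipher']}" if hop["tls_version"] else "NO TLS"
        print(f"{hop['from']:28} -> {hop['by']:28} {hop['protocol']:7} {state}")
    print("clear-text hops:", hops_without_tls(SAMPLE_MESSAGE))
```

Two caveats when reading the output: the clause only proves that the *receiving* MTA logged TLS, so a hop handled by a non-Postfix MTA (or by Prevent itself, whose Received format may differ) needs its own regex; and a Received header is only as trustworthy as the host that wrote it, so the check is a sanity test for your own relay chain, not evidence about mail that arrives from outside.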