
Symantec DLP Network Prevent for Mail, Quarantine and Block response rules.

Created: 07 Nov 2011 • Updated: 09 Nov 2011 | 3 comments
sacrificeme:

Hello!

I need assistance, I don't understand how it's working.

We implemented the financial pack, and there are 2 response rules for mail (Quarantine and Block). We have forward mode for Network Prevent, so we have a local mail server that forwards mail to Network Prevent, and the next hop is our MTA that sends outbound mail.

We imagined that with "Quarantine SMTP Email", if an incident triggers, the email stops being processed further and sits on the previous-hop MTA or on Network Prevent, but we have an incident registered and the message delivered to the recipient with confidential data.

With the Block response rule, all goes fine. If an incident is created, the email doesn't go further, but now we are unable to send this mail to the recipient if it was a false positive.

So, how do we work with Network Prevent for Mail in situations where we would like to stop a message from being processed if a policy violation triggers, and would like to use a smart response rule to mark the incident as a false positive and send the mail on to the next-hop MTA?


Keith Reynolds - ExchangeTek:

SMTP Prevent never stores or queues a message. What you see in that Quarantine Mail response rule is simply a rule that adds an x-header to the email message. The assumption there is that you would need to have some processing on your downstream MTA to read that email header, recognize the x-header that you specified for quarantining the email, and subsequently direct it to a quarantine area based on the mail routing on the downstream MTA.

~Keith

sacrificeme:

What about the response rule Block SMTP Email? Any details on how it works? It sends the mail back to the sender and redirects it to someone... But what actually goes on on the server side? What does it say to the MTA that tries to send the policy-violating mail?

jgt10:

As Keith pointed out SMTP Prevent is not an MTA, think of it as an MTA proxy.

The process is the following:

Sending MTA connects to SMTP Prevent (Prevent)

SMTP Prevent connects to forwarding MTA

Prevent receives the email from the sending MTA and immediately sends it to the forwarding MTA

When the sending MTA signals the email is complete, Prevent processes the email.

If the email is not blocked, Prevent completes the process with the forwarding MTA.

If the email is blocked, Prevent aborts the email with the forwarding MTA and fails the email back to the sending MTA.

Based on the failure code, the sending MTA does predefined actions on the email, including sending the email back to the sender.


JGT

--
John G. Thompson
JOAT(MON)
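The two behaviours described in this thread, Keith's point that Quarantine only tags the message with an x-header that the downstream MTA has to act on, and John's description of how the proxy finishes the DATA phase differently for a blocked message, are modelled below as an added example. This is not Symantec code and does not show what Network Prevent actually sends on the wire; the header name `X-DLP-Quarantine`, the quarantine mailbox, the `550 5.7.1` reply, the use of `RSET` to abort the downstream transaction and the card-number regex standing in for the detection engine are all assumptions made for illustration, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed header name and quarantine mailbox, for illustration only: the real header is
# whatever the administrator types into the "Quarantine SMTP Email" response rule, and the
# quarantine destination is whatever the downstream MTA's routing is configured to do.
QUARANTINE_HEADER = "X-DLP-Quarantine"
QUARANTINE_MAILBOX = "dlp-quarantine@example.com"

# Constructed stand-in for the detection engine: flags a 16-digit card-like number.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def violates_policy(raw: str) -> bool:
    return CARD_RE.search(raw) is not None


def prevent_end_of_data(raw: str, response_rule: str) -> dict:
    """What the proxy does once the sending MTA has sent the terminating '.' of DATA.

    Before this point every line was relayed straight on to the forwarding MTA; here the
    proxy decides how to finish both conversations. Returns the reply the sending MTA
    sees, the last thing sent to the forwarding MTA, and the message as forwarded
    (None when the downstream transaction is aborted).
    """
    if not violates_policy(raw):
        # No incident: complete the downstream transaction and accept upstream.
        return {"reply_to_sender": "250 2.0.0 OK",
                "to_forwarder": ".",
                "forwarded": raw}
    if response_rule == "block":
        # Abort downstream (RSET discards the partially sent message) and fail the
        # message back upstream with a permanent 5xx. The exact code is an assumption;
        # the sending MTA's configuration decides what it does with it (typically a DSN
        # back to the envelope sender).
        return {"reply_to_sender": "550 5.7.1 Message rejected by DLP policy",
                "to_forwarder": "RSET",
                "forwarded": None}
    if response_rule == "quarantine":
        # Nothing is held anywhere: the message is tagged and delivered downstream anyway.
        tagged = f"{QUARANTINE_HEADER}: yes\n{raw}"
        return {"reply_to_sender": "250 2.0.0 OK",
                "to_forwarder": ".",
                "forwarded": tagged}
    raise ValueError(f"unknown response rule: {response_rule}")


def sending_mta_outcome(reply_to_sender: str) -> str:
    """The sending MTA's predefined action, keyed on the reply class it received."""
    if reply_to_sender.startswith("5"):
        return "bounce-to-envelope-sender"
    return "delivered-to-next-hop"


def downstream_route(forwarded: str, original_rcpt: str) -> str:
    """Routing the downstream MTA must supply itself for Quarantine to mean anything:
    read the x-header and divert tagged messages to a quarantine mailbox."""
    msg = message_from_string(forwarded, policy=default)
    if str(msg.get(QUARANTINE_HEADER, "")).strip().lower() == "yes":
        return QUARANTINE_MAILBOX
    return original_rcpt


# Constructed sample messages.
CLEAN_MSG = ("From: alice@example.com\nTo: bob@example.net\nSubject: lunch\n\n"
             "Noon works for me.\n")
CARD_MSG = ("From: alice@example.com\nTo: bob@example.net\nSubject: card on file\n\n"
            "Please charge 4111 1111 1111 1111, exp 12/25.\n")

if __name__ == "__main__":
    for rule in ("quarantine", "block"):
        r = prevent_end_of_data(CARD_MSG, rule)
        print(rule, "->", r["reply_to_sender"], "| downstream:", r["to_forwarder"],
              "|", sending_mta_outcome(r["reply_to_sender"]))
        if r["forwarded"]:
            print("   routed to:", downstream_route(r["forwarded"], "bob@example.net"))
```

Two practical consequences follow from the model. First, with Quarantine the proxy accepts the message and forwards it, so a message only ends up held if the downstream MTA routes on the header; releasing a false positive is then done on that MTA, not in Prevent, which never had a copy. Second, because any sender can put a header of the same name on an outbound message, the downstream MTA should only honour the tag on mail that arrived from the Prevent hop and should strip or ignore it elsewhere, otherwise a user could push arbitrary mail into the quarantine path, or the tag could be confused with a genuine DLP decision.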