Data Loss Prevention

  • 1.  Email Traffic is not coming to the Email Prevent Detection Server in DLP

    Posted Mar 13, 2015 04:58 AM

    Hello All,

    Email traffic is not coming to my Email Prevent server. Hence I am not able to see any Network Prevent - Email incidents on the Enforce Server.

    Please let me know what the troubleshooting steps are.

    How can I resolve the problem?

     

    Thanks in Advance.

     

    Regards,

    Kalpesh Parmar



  • 2.  RE: Email Traffic is not coming to the Email Prevent Detection Server in DLP
    Best Answer

    Posted Mar 13, 2015 09:29 AM

    Hello Kalpesh, how are you?

    In this case, can you check whether Prevent Email is up and accepting outbound connections from its upstream mail servers? The default port to accept connections is 10025; port 25 is restricted on DLP and can't accept direct connections because it's used internally to forward connections to the downstream mail servers.

    Could you do a simple test with telnet?

    Try connecting to DLP Mail Prevent on port 10025; you can also try simulating a policy violation if you want.

    Use telnet from the upstream mail servers or any other machine to Symantec Mail Prevent DLP:

    telnet <DLP Mail Prevent IP Address> 10025
    helo mail
    mail from: <Internal user mail like you>
    rcpt to: <External mail like @gmail.com>
    data
    <Something that violate the DLP policies configured to PE>
    .

    Please post the results here, and check whether the incident was created or, if possible, look for a new message passed by PE.





  • 3.  RE: Email Traffic is not coming to the Email Prevent Detection Server in DLP

    Trusted Advisor
    Posted Mar 18, 2015 05:50 AM

    Hello,

    - You can check if your prevent server is receiving traffic (checking network card statistics or the traffic web page in the DLP UI)

    - You can create a supervision policy (for example looking for an exotic keyword known only by you) and try sending an email. This will let you know if the server is able to detect data leakage.

    - Check that flows arriving at the prevent server are not encrypted. If the initial flow was TLS encrypted, you need to do some specific operation on your prevent server to enable decryption / analysis / reencryption

    - Deploy Wireshark (or any other tool) on your server and try capturing traffic; then you will be able to see exactly the content of the traffic arriving on the prevent server

    - Ask your network team to check that traffic is really routed to the prevent server by the system (depending on your architecture)

     

    Regards
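
The telnet test from reply 2, sent with a private test keyword as reply 3 suggests, written as a script that records the server's reply at each SMTP stage so a failure can be placed at the network path, the listener, or a later SMTP step. This is an added example, not part of the original posts or of the product's tooling; `probe`, `verdict`, the 192.0.2.10 address, the example.com/example.net mailboxes and the keyword are constructed placeholders.

```python
import smtplib

PREVENT_PORT = 10025  # listener port named in the thread; override with port=...

def probe(host, sender, recipient, body, port=PREVENT_PORT, timeout=10):
    """Replay the telnet test; return [(stage, code, text), ...] up to the first failure."""
    smtp = smtplib.SMTP(timeout=timeout)
    dialogue = [
        ("connect", 220, lambda: smtp.connect(host, port)),
        ("helo", 250, lambda: smtp.helo("mail")),
        ("mail from", 250, lambda: smtp.mail(sender)),
        ("rcpt to", 250, lambda: smtp.rcpt(recipient)),
        ("data", 250, lambda: smtp.data(body)),
    ]
    steps = []
    try:
        for stage, expected, call in dialogue:
            try:
                code, text = call()
            except smtplib.SMTPResponseException as exc:  # e.g. DATA refused
                code, text = exc.smtp_code, exc.smtp_error
            except (OSError, smtplib.SMTPException) as exc:  # refused, timeout, dropped
                steps.append((stage, None, str(exc)))
                break
            if isinstance(text, bytes):
                text = text.decode(errors="replace")
            steps.append((stage, code, text))
            if code != expected:
                break
    finally:
        smtp.close()
    return steps

def verdict(steps):
    """Summarise the last step reached so the failing layer is obvious."""
    stage, code, text = steps[-1]
    if code is None:
        return f"no SMTP reply at '{stage}': {text} (network path or listener)"
    if stage == "data" and code == 250:
        return "message accepted; now check Enforce for the incident"
    return f"server answered {code} at '{stage}': {text}"

if __name__ == "__main__":
    # Constructed placeholders: replace with your own server, addresses and keyword.
    result = probe("192.0.2.10", "user@example.com", "test@example.net",
                   "Subject: DLP probe\r\n\r\ncanary-keyword-7f3a\r\n")
    for step in result:
        print(step)
    print(verdict(result))
```

Run it from an upstream mail server so the probe follows the same path as real mail; a result that stops at `connect` with no reply code points at routing or the listener rather than at policy.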



  • 4.  RE: Email Traffic is not coming to the Email Prevent Detection Server in DLP

    Trusted Advisor
    Posted Mar 19, 2015 03:49 PM

    You should change the settings of the Email Prevent server to be looking for emails on port 25.

    Change the Server Settings on the Email Prevent server to 25 for the following settings.

    RequestProcessor.ServerSocketPort:

    RequestProcessor.MTAResubmitPort:

    Recycle the services after the change.



  • 5.  RE: Email Traffic is not coming to the Email Prevent Detection Server in DLP

    Posted Mar 20, 2015 12:23 AM

    Thank You All



  • 6.  RE: Email Traffic is not coming to the Email Prevent Detection Server in DLP

    Posted Mar 20, 2015 02:06 AM

    Hello KalpeshParmar, is your issue resolved? If yes, then please share what the problem was and how you were able to fix it.