Idea ID: 2855585

Prevent potential security exposure: document internal mail!

Status : New Idea

The SMG documentation and KB articles suggest various ways to optimize SMG filters. One such suggestion is to configure specific filters and exceptions based on message direction. I fully support that recommendation.

Most of the SMG filter discussions pertain to the SMTP interface.

  • Email entering SMG via the SMTP interface is email that is external to SMG.
  • It is not unreasonable to assume that email sent from SMG is outbound and email received by SMG is inbound.

As they say, assumptions can be dangerous and in this case particularly so!

These are the options available to us when configuring a scan policy:

[Image: SMG Policy Management.PNG]

On the SMTP interface we have inbound and outbound messages but an internal message? What is that?

If you search for it you will not find an answer. There is no mention of it in the SMG documentation nor in any KB article. So, why is it important?

Email received from an external source whose sender's domain is the same as the recipient's domain is not an inbound message. It is an internal message.

The security implications here are huge. If you have created SMTP Scan Policies for inbound and outbound mail and have not included internal mail in your inbound policy, these messages will not be scanned at all!

That oversight is easily remedied, without any product enhancements, as long as we understand how inbound messages are classified. Please add this information to the documentation ASAP!

Don't forget to vote for this.

__________
Kevin Boyle, 
Knowledge Partner

Calgary, Alberta, Canada

Labels:

Other
Administration
  • When I initially discovered that email received from an external source whose sender's domain is the same as the recipient's domain is not considered an inbound message but an internal message, I opened a Service Request believing that this undocumented behavior was inappropriate. The response I got was that SMG was working as designed and therefore there was nothing to fix and the SR was closed.

    If a product is working as designed and customers would like to change a particular behavior it is normally considered an enhancement. That's when I created this Idea.

    I now see in the version history for Revision: 163 - created 02-Dec-2020

    • GWAV-3031 - Email sent via Internet to SMTP interface is scanned as INTERNAL

    I was unaware that a program defect had been created let alone that the behavior of SMG may have been altered.

    Since the description for GWAV-3031 simply is a statement of fact describing a particular behavior when that defect was created, there is no way to know how the processing of inbound and/or internal messages has changed or if this issue has been properly addressed.

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • It's one thing not to have documented internal mail. It's another matter completely to provide examples of how to create profiles and not include internal mail. 

    These examples, if followed, will leave customers exposed to malware while they are given to believe they are properly protected!

    Here are examples from section 7 of the Secure Messaging Gateway Administrator and User Guide August 2020 suggesting that internal mail does not need to be scanned.

    Policy Configuration Tips and Tricks

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • However, POA and an MTA scanner will work with internal mails too!

    Nevertheless, documentation needs work, a lot of work.

    Use "Verified Answers" if your problem/issue has been solved!

  • Ok.  Added my vote.

    And I just checked my policies.  My inbound is set to inbound and internal and my outbound is set to outbound.  Which is how it should be.

    But documentation definitely needs improving!

  • Hi Ken,

    I assume you have an SPF filter to reject forged email? It will reject email like my Mary/John example if the email is scanned.

    If you have scan policies for inbound and outbound email and if your inbound policy (or another one) does not include internal mail, that Mary/John email will not be scanned and will slip right on by. 

    The issue is if internal mail is not documented anywhere, why would anyone want to include it on their policy that is supposed to scan all inbound mail?

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada
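
An added example, not part of the original posts and not SMG code: a simplified Python model of the direction rule described in this thread, used to check whether a set of scan policies leaves any message class unscanned. The function names, the policy layout, and the sample addresses are constructed for illustration; only the same-domain "internal" rule comes from the thread.

```python
# Simplified model of the message-direction rule described in this thread.
# Not SMG code: names, policy layout and sample data are constructed.

def domain(addr):
    """Lower-cased domain part of an envelope address."""
    return addr.rsplit("@", 1)[-1].strip().lower()

def classify(sender, recipient, local_domains):
    """Direction of a message arriving on the SMTP interface."""
    s, r = domain(sender), domain(recipient)
    if r in local_domains:
        # Rule from the thread: sender domain == recipient domain is
        # "internal", even when the message came from an external source.
        return "internal" if s == r else "inbound"
    return "outbound"

def unscanned(messages, policies, local_domains):
    """Return (sender, recipient, direction) for messages no policy covers."""
    covered = set().union(*policies.values())
    gaps = []
    for sender, recipient in messages:
        direction = classify(sender, recipient, local_domains)
        if direction not in covered:
            gaps.append((sender, recipient, direction))
    return gaps

LOCAL = {"example.com"}                      # constructed local domain
MESSAGES = [                                 # constructed envelope pairs
    ("alice@partner.example", "bob@example.com"),   # ordinary inbound
    ("bob@example.com", "alice@partner.example"),   # ordinary outbound
    ("mary@example.com", "john@example.com"),       # same-domain sender via SMTP
]

# Policies as {name: directions scanned}. The first set mirrors the gap
# described above; the second adds "internal" to the inbound policy.
GAP_POLICIES = {"Inbound scan": {"inbound"}, "Outbound scan": {"outbound"}}
FIXED_POLICIES = {"Inbound scan": {"inbound", "internal"},
                  "Outbound scan": {"outbound"}}

if __name__ == "__main__":
    for label, pol in (("gap", GAP_POLICIES), ("fixed", FIXED_POLICIES)):
        print(label, "->", unscanned(MESSAGES, pol, LOCAL) or "all covered")
```
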