SMTP communication over the Email Connector
Last Modified: 2023-02-24 10:26:49 Etc/GMT
Technical Articles ID:
KB90813
Environment
Advanced Threat Defense (ATD) Intelligent Sandbox (IS) Email Connector

Summary
This article explains how the ATD/IS Email Connector handles SMTP connections in the inbound and outbound directions. It also provides the timeline of events and scanning activity on ATD/IS.

Abstract
The Email Connector receives the email message, extracts the sample for scanning from the email, and submits it to ATD/IS. The connector then forwards the scanned email to the smart host. After the mail is delivered to the smart host, the Email Connector returns the SMTP status code for the DATA phase back to the sender MTA.

The Email Connector doesn't have an email queue. The connector's SMTP return code for the DATA phase depends on the result of the delivery attempt to the smart host. If the delivery to the smart host is successful, the connector returns a successful SMTP status code to the sender MTA. But if the delivery fails, the connector returns an error in the form of an SMTP status code. The sender MTA retains the original email and resends it to the Email Connector when the error is detected.

Sequence of events in a successful email delivery:
Phase 1: Email Connector receives inbound email from the sender MTA
The ATD/IS Email Connector receives an inbound SMTP connection from your sender MTA. The Email Connector listens through the TCP port number that you specified as the listen port.
NOTE:
The sender MTA starts sending the email message to the Email Connector in the DATA phase of the SMTP conversation. When the contents of the email message are sent to the Email Connector, your sender MTA sends a sequence of specific bytes. These bytes
On the Email Connector side, after it receives the email message in the DATA phase
NOTE: The Email Connector keeps the inbound SMTP connection open with the sender MTA, without returning an SMTP status code for the DATA phase.

Phase 2: Email Connector extracts attachments from the email
The Email Connector now has the email to scan. The Email Connector extracts the attachments from the email. The extraction is based on the Scan these file types setting under Manage, Email Connector, Configuration, Scanning Email. If the attachment file matches the Filtering Rule criteria under Manage, Email Connector, Filtering Rules, the connector doesn't submit the attachment file to ATD/IS for scanning. Otherwise, the attachment file is scanned.

Phase 3: Email Connector submits samples to ATD/IS for scanning
The Email Connector calculates the MD5 hash of the sample, and stores it in the local scan cache for comparison:

Phase 4: ATD/IS scans the sample and the Email Connector waits for scan results
ATD/IS scans the samples using the default analyzer profile of the
NOTES:

Phase 5: ATD/IS finishes scanning the sample
ATD/IS finishes scanning one or more samples. The scan results are listed under Analysis, Analysis Reports with User as
NOTE: The Email Connector still holds the inbound SMTP connection without returning the status code back to your sender MTA.

Phase 6: Email Connector receives the scan results
When the scan results are available, the Email Connector receives the results.

Phase 7: Email Connector adds scan results to the email in the email header section
The Email Connector adds the scan results to the email header section of the email message.

Phase 8: Email Connector forwards the email with scan results to the smart host MTA
NOTE: If the Email Connector is configured under the Offline Mode, this process is skipped.
The Email Connector tries to open a new SMTP connection with the smart host, and then tries to forward the changed email to the smart host. The changed email has extra email headers of scan results.
NOTE: The Email Connector still holds the inbound SMTP connection without returning the status code back to your sender MTA.

Phase 9: Email Connector returns the SMTP status code back to the sender MTA
After the delivery attempt to the smart host, the Email Connector returns the SMTP status code back to the original sender MTA in the inbound SMTP connection. When the Email Connector successfully forwards the scanned email at the previous stage, it returns a status code of 250. The code signifies the end of the DATA phase of the original email sent from the sender MTA to the Email Connector. The sender MTA either quits the SMTP connection, or starts another email delivery attempt to the Email Connector using the same SMTP connection. But if the connector fails to forward the email to the smart host at the previous stage, the Email Connector returns a status code of either 4xx or 5xx to the sender MTA. It also sends a short description of the problem for troubleshooting, for example

IMPORTANT: The Email Connector doesn't have a local email queue. If forwarding the email to the smart host fails, the Email Connector doesn't keep the scanned email to retry. Instead, it returns a 4xx or 5xx SMTP status code. It's the sender MTA's responsibility to handle the error.

Sender MTA Perspective
From the sender MTA perspective, the SMTP status code of the DATA phase is received only after the Email Connector finishes the phase of delivery to the smart host. This step can take a long time if ATD/IS performs sandbox scanning against the attachment files. To receive the SMTP status code from the Email Connector correctly, the sender MTA must wait longer than the Maximum time per email to wait for all scans to complete setting. This setting is configured under Manage, Email Connector, Configuration, Scanning Email. Configure your sender MTA to wait longer than the Maximum time per email setting. A short timeout period for waiting for the SMTP status code for the DATA phase might cause issues. For example, the sender MTA might treat the SMTP connection as timed out while ATD/IS scans the sample.
NOTE: For the Maximum time per email to wait for all scans to complete setting, we recommend using 600 seconds, which is the default value.
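The timeline and the sender MTA timeout requirement above, modelled as an added Python example (not Trellix product code): the connector withholds the DATA reply until the scan and the smart-host delivery attempt have both finished, a failed forward becomes a 4xx reply with nothing queued, and a sender MTA whose DATA timeout is shorter than the scan time gives up and resends. The header name, the 451 code and the stand-in scan and smart-host functions are assumptions.

```python
import threading
import time
from dataclasses import dataclass


@dataclass
class DataReply:
    code: int   # SMTP reply code returned to the sender MTA for the DATA phase
    text: str


def connector_data_phase(message, scan_fn, forward_fn, offline_mode=False):
    """Phases 2-9 for one message. The reply to the sender MTA is withheld until
    the scan and the smart-host delivery attempt have both finished; there is
    no local queue, so a failed forward is turned straight into an error reply."""
    verdict = scan_fn(message)                               # Phases 2-6 (blocking)
    # Phase 7: header name is a placeholder, not the product's real header name
    annotated = "X-Placeholder-Scan-Result: %s\r\n%s" % (verdict, message)
    if offline_mode:                                         # Phase 8 is skipped
        return DataReply(250, "OK (offline mode, not forwarded)")
    try:
        forward_fn(annotated)                                # Phase 8: new SMTP session
    except ConnectionError as exc:                           # Phase 9: 4xx, nothing retained
        return DataReply(451, "smart host delivery failed: %s" % exc)
    return DataReply(250, "OK")                              # Phase 9: end of DATA


def sender_mta_data(message, connector, data_timeout_s):
    """Sender MTA side of the DATA phase. Returns the reply code, or 'timeout'
    if the connector has not answered within data_timeout_s; in that case the
    MTA keeps the original message in its own queue and resends it later."""
    reply = {}
    worker = threading.Thread(target=lambda: reply.update(r=connector(message)), daemon=True)
    worker.start()
    worker.join(data_timeout_s)
    return "timeout" if worker.is_alive() else reply["r"].code


# Constructed stand-ins for ATD/IS scanning and for the smart host.
def make_slow_scan(seconds, verdict="clean"):
    def scan(_message):
        time.sleep(seconds)      # simulated sandbox analysis time
        return verdict
    return scan

def smart_host_ok(_annotated):
    return None

def smart_host_down(_annotated):
    raise ConnectionError("connection refused")
```

With a 0.3 s scan, a sender timeout of 2 s yields 250 while a 0.05 s timeout yields "timeout"; the same relationship holds at production scale between the 600 s default scan wait and the sender MTA's DATA timeout.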