
Snort blocking encrypted email attachment

Hello All,

Not sure if I'm in the right community but I have Snort running on all edge devices, and I'm seeing that encrypted emails and their attachments are not retrievable by the recipient. 

I know the domain of the end party trying to send the encrypted document but not sure how to apply a whitelist signature.

How do I go about this? I don't want to completely disable Snort. 

Edge Devices:

FTDs managed by FMC

SD-WAN cEDGE Routers


Octavian Szolga
Level 4

Hi Gilbert,

 

First, you need to confirm that your emails are indeed blocked by FTD.

You can check this by using nslookup/DNS and checking the MX RR for the sending domain.

Then check FMC -> IPS Events / File Events / Connection Events and look for drop/block events related to that specific IP.

Afterwards, if this is indeed the issue, you can create a separate firewall rule for SMTP traffic with the only purpose of attaching to it a custom IPS/AMP policy that does not block encrypted email attachments.

 

One reason for which your encrypted email attachments may not make it through the firewall is AMP (File Policy) where you might have enabled an advanced option like block encrypted archives/files or something similar.

Please take into account that encrypted file attachments can be blocked by FTD only if you're using plain old SMTP, that is with no STARTTLS.

 

BR,

Octavian
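
The STARTTLS caveat in the reply above can be checked against a captured SMTP session. This is an added example, not part of the original thread: the "S:"/"C:" transcript format, the host names and the `classify` function are assumptions, and the sample sessions are constructed.

```python
import re

# Constructed SMTP transcripts ("S:" server, "C:" client); all names are placeholders.
PLAIN_SESSION = """\
S: 220 mx.example.net ESMTP
C: EHLO sender.example.org
S: 250-mx.example.net
S: 250 8BITMIME
C: MAIL FROM:<a@example.org>
S: 250 OK
C: DATA
S: 354 Go ahead
"""
TLS_SESSION = """\
S: 220 mx.example.net ESMTP
C: EHLO sender.example.org
S: 250-mx.example.net
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
"""

def classify(transcript):
    """Report whether the message body crossed the wire in cleartext,
    i.e. whether an inline file policy could see the attachment at all."""
    offered = upgraded = pending = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S":
            # EHLO capability lines look like "250-STARTTLS" or "250 STARTTLS".
            if re.fullmatch(r"250[- ]STARTTLS", text, re.I):
                offered = True
            if pending:
                # Only a 220 reply to STARTTLS starts the TLS handshake.
                upgraded, pending = text.startswith("220"), False
                if upgraded:
                    break  # everything after this point is ciphertext
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                pending = True
            elif verb == "DATA":
                break  # body follows; the TLS decision is already made
    return {"starttls_offered": offered, "tls_upgraded": upgraded,
            "body_in_cleartext": not upgraded}
```

If `body_in_cleartext` is false for the sender's sessions, the attachment was never visible to the file policy, so the drop has to be explained by something else in the FMC events.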