12-01-2010 07:26 AM
I have a backup IronPort that I recently upgraded to the latest version of AsyncOS, 7.1.2-020. My DLP trial key expires in a few days but is activated, and I have set up a test policy.
I configured a Mozilla Thunderbird client to use the internal private IP as its SMTP server and attempted to send some HIPAA and so on through it. First thing I got was address rejected. If I add the public free email domain to the RAT, the message will make it to my free personal account but does not get flagged as outgoing mail, but incoming mail. Therefore, I don't think my DLP policy is being hit.
Can anyone assist with a good method of testing this with a backup appliance and a simple mail client?
Any help is appreciated.
Thanks.
Chris
12-02-2010 12:42 AM
Hello Chris,
No problem to test this with a normal mail client (I do use Thunderbird too when running tests on our lab appliances). There is no difference in activating DLP inbound or outbound, but note that in your setup you have sent the test message through a public listener with a simple ACCEPT policy; this is considered an inbound connection. So for this setup you'd have to enable DLP in your inbound mail policy. If you want to use Thunderbird to generate outbound messages, you have two possibilities:
1. Add a sendergroup RELAYLIST (or whatever name you prefer) to the HAT of your public listener, assign it to a RELAY mail flow policy, and add the IP address of the computer/server where Thunderbird is installed to the sendergroup. Also place this group on top of your HAT.
2. Create a private listener on a different interface, or on the same interface as your public listener, with a different port (i.e. 26). Configure Thunderbird to use this listener's IP/port. Also add the IP of the computer/server Thunderbird runs on to the RELAYLIST of that listener (private listeners always come with one).
BTW, basic rules for how AsyncOS considers a connection to be inbound or outbound:
Public Listener, non relay mail flow policy --> Inbound
Private listener OR Relay mail flow policy OR SMTP authentication --> Outbound
Like I said before, it does not really matter if the message is inbound or outbound, you just have to make sure DLP is enabled on your Inbound or Outbound Mail Policies. Also, for testing purposes on a production system, we recommend creating a separate mail policy for a specific sender or recipient, and enabling DLP for this policy only.
Hope that helps,
Andreas
12-02-2010 04:44 AM
Andreas -
Thanks so much, that really clarifies things better. I knew the IronPort was for some reason interpreting that as an inbound message.
On a side note, for any inbound mail policies, default or a newly created one, I can't set a DLP policy. Should I be able to?
However, I set up a new outbound mail policy with the default DLP items selected. I can confirm in the mail logs that my Thunderbird sender is in fact hitting the DLP policy, but part of my output for the message transaction states the following.
MID 123: DLP no violation.
In the body of my message I put both an SSN and a CC#.
I have set the policy to deliver the message but modify the subject to let me know it was a hit.
Any help is appreciated.
Thanks.
Chris
12-02-2010 04:56 AM
Andreas - Please disregard. I got it. I did some reading up on content classifiers and now know what will trigger a violation.
For anyone else out there testing for the first time: a plain SSN or CC will not trigger a violation using the default classifiers without supporting information such as expiration date or birth date. Examples are in the online help under "Content Matching Classifiers".
Andreas. Thanks again.
Chris
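
The test discussed in this thread can also be scripted instead of typed into a mail client. The following is an added example, not code from any of the posters or from Cisco: it sends one message with bare identifiers and one with supporting information through a listener treated as outbound, so the two results can be compared in the mail logs. The listener IP, the addresses and all sample data are constructed placeholders; port 26 follows the suggestion above.

```python
import smtplib
from email.message import EmailMessage

# Assumptions, not values from the thread: replace with your lab appliance's
# private/relay listener and with test mailboxes you control.
LISTENER = ("192.0.2.10", 26)
SENDER = "dlp-test@example.com"
RECIPIENT = "dlp-test@example.net"

# Constructed sample data (a well-known test card number, a dummy SSN).
BARE = "SSN 123-45-6789\nCard 4111 1111 1111 1111\n"
SUPPORTED = (
    "Name: Test Patient\n"
    "Date of birth: 01/02/1970\n"
    "SSN: 123-45-6789\n"
    "Visa 4111 1111 1111 1111 exp 12/30\n"
)


def build_cases():
    """Return one message per test case, tagged so log entries can be matched."""
    messages = []
    for label, body in (("bare", BARE), ("supported", SUPPORTED)):
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = RECIPIENT
        msg["Subject"] = f"DLP test [{label}]"
        msg["X-DLP-Test-Case"] = label  # hypothetical header, only for correlation
        msg.set_content(body)
        messages.append(msg)
    return messages


def send_cases(listener=LISTENER, timeout=10):
    """Send every case over one SMTP session; return label -> SMTP outcome."""
    results = {}
    with smtplib.SMTP(*listener, timeout=timeout) as smtp:
        for msg in build_cases():
            label = msg["X-DLP-Test-Case"]
            try:
                smtp.send_message(msg)
                results[label] = "accepted"
            except smtplib.SMTPRecipientsRefused as exc:
                # The listener refused the recipient at RCPT TO.
                results[label] = f"refused: {exc.recipients}"
    return results


if __name__ == "__main__":
    for label, outcome in send_cases().items():
        print(f"{label}: {outcome}")
```

SMTP acceptance only shows that the listener relayed the message; the DLP verdict for each case is the per-MID line in the appliance's mail logs.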