Introduction
By default, a connection from a host that the HAT (Host Access Table) marks for REJECT is refused at the start of the SMTP conversation. The sending IP address and the hostname obtained for it by reverse DNS are logged, but the envelope sender and recipient addresses are not. When HAT delayed rejection is enabled, the connection for HAT-rejected mail is kept open through the RCPT TO exchange, so the envelope sender and recipient addresses are recorded in the logs as well, giving you more detail about mail that the HAT rejected. This article shows how to enable HAT delayed rejection and how the log output changes once it is enabled.
How to enable HAT delayed rejection
HAT delayed rejection can only be configured from the CLI. It is a global setting and cannot be configured per listener. The following CLI session shows how to enable it (listenerconfig > SETUP, then answer Y to the delayed-rejection prompt, and commit).
ironport.test.local> listenerconfig
Currently configured listeners:
1. Data1 (on Data1, 192.168.10.176, 2001:db8::) SMTP TCP Port 25 Public
2. Data2 (on Data2) SMTP TCP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> SETUP
Enter the global limit for concurrent connections to be allowed across all listeners.
[50]>
Listener Data1 Policy $CYBERSEC_AWARENESS_ALLOWED max concurrency value of 300 will be limited to 50 by this concurrency setting.
Listener Data1 Policy $TRUSTED max concurrency value of 300 will be limited to 50 by this concurrency setting.
Listener Data2 Policy $RELAYED max concurrency value of 600 will be limited to 50 by this concurrency setting.
Enter the global limit for concurrent TLS connections to be allowed across all listeners.
[100]>
Concurrent TLS connections value of 100 will be limited to 50 by the global limit for concurrent connections.
Enter the maximum number of message header lines. 0 indicates no limit.
[1000]>
Enter the maximum size of the subject. 0 indicates no limit.
[1048576]>
Enter the rate at which injection control counters are reset.
[1h]>
Enter the timeout for unsuccessful inbound connections.
[5m]>
Enter the maximum connection time for inbound connections.
[15m]>
What hostname should Received: headers be stamped with?
1. The hostname of the Virtual Gateway(tm) used for delivering the message
2. The hostname of the interface the message is received on
[2]>
The system will always add a Message-ID header to outgoing messages that don't already have one. Would you like to do the same for incoming messages? (Not recommended.) [N]>
By default connections with a HAT REJECT policy will be closed with a banner message at the start of the SMTP conversation. Would you like to do the rejection at the message recipient level instead for more detailed logging of rejected mail? [N]> Y
Do you want to modify the SMTP RCPT TO reject response in this case? [N]>
Currently configured listeners:
1. Data1 (on Data1, 192.168.10.176, 2001:db8::) SMTP TCP Port 25 Public
2. Data2 (on Data2) SMTP TCP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]>
ironport.test.local> commit
Please enter some comments describing your changes:
[]> Enabled HAT delayed rejection.
Do you want to save the current configuration for rollback? [Y]>
Changes committed: Mon Jul 24 11:16:05 2023 JST
Log output examples
The following are example log entries for a connection rejected by the HAT, before and after enabling HAT delayed rejection.
Note: the SMTP conversation log is not enabled by default.
After enabling it, you can see that the envelope sender and recipient addresses are recorded in the log, and in the SMTP conversation log the 554 rejection at the banner is replaced by a 550 response returned after the DATA command.
Before enabling HAT delayed rejection
IronPort text mail log
Mon Jul 24 11:12:25 2023 Info: New SMTP ICID 53398 interface Data1 (192.168.10.176) address 192.168.10.171 reverse dns host host.example.local verified yes
Mon Jul 24 11:12:25 2023 Info: ICID 53398 REJECT SG None match ALL SBRS rfc1918 country not applicable
Mon Jul 24 11:12:25 2023 Info: ICID 53398 close
SMTP conversation log
Mon Jul 24 11:12:25 2023 Info: ICID 53398 address 192.168.10.171 dns host host.example.local sbrs rfc1918
Mon Jul 24 11:12:25 2023 Info: ICID 53398 >> 554 ironport.test.local
Mon Jul 24 11:12:25 2023 Info: ICID 53398 close
After enabling HAT delayed rejection
IronPort text mail log
Mon Jul 24 11:35:02 2023 Info: New SMTP ICID 53404 interface Data1 (192.168.10.176) address 192.168.10.171 reverse dns host host.example.local verified yes
Mon Jul 24 11:35:02 2023 Info: ICID 53404 REJECT SG None match ALL SBRS rfc1918 country not applicable
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT continuing session for recipient logging (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message from: sender@example.local (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message recipient: <recipient1@test.local> (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message recipient: <recipient2@test.local> (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 close
SMTP conversation log
Mon Jul 24 11:35:02 2023 Info: ICID 53404 address 192.168.10.171 dns host host.example.local sbrs rfc1918
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 220 ironport.test.local ESMTP
Mon Jul 24 11:35:02 2023 Info: ICID 53404 << EHLO win10
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 250-ironport.test.local\r\n250-8BITMIME\r\n250 SIZE 10485760
Mon Jul 24 11:35:02 2023 Info: ICID 53404 << MAIL FROM:<sender@example.local>
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 250 sender <sender@example.local> ok
Mon Jul 24 11:35:02 2023 Info: ICID 53404 << RCPT TO:<recipient1@test.local>
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 250 recipient <recipient1@test.local> ok
Mon Jul 24 11:35:02 2023 Info: ICID 53404 << RCPT TO:<recipient2@test.local>
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 250 recipient <recipient2@test.local> ok
Mon Jul 24 11:35:02 2023 Info: ICID 53404 << DATA
Mon Jul 24 11:35:02 2023 Info: ICID 53404 >> 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected.
Mon Jul 24 11:35:02 2023 Info: ICID 53404 close
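As an added example (not part of the original article and not Cisco code), the following Python script correlates the text mail log lines shown above by ICID and pulls out, for each HAT-rejected connection, the source IP, reverse DNS name, SBRS and, where delayed rejection was on, the envelope sender and recipients; it also flags rejections that carry no envelope information, which is what the log looks like before the feature is enabled. The sample log is the page's own lines embedded as a constructed input; the regular expressions are this example's own and match the log format shown here, not any published schema.

```python
import re

# Constructed sample input: the text mail log lines from this page, one connection
# from before delayed rejection was enabled (ICID 53398) and one from after (ICID 53404).
SAMPLE_MAIL_LOG = """\
Mon Jul 24 11:12:25 2023 Info: New SMTP ICID 53398 interface Data1 (192.168.10.176) address 192.168.10.171 reverse dns host host.example.local verified yes
Mon Jul 24 11:12:25 2023 Info: ICID 53398 REJECT SG None match ALL SBRS rfc1918 country not applicable
Mon Jul 24 11:12:25 2023 Info: ICID 53398 close
Mon Jul 24 11:35:02 2023 Info: New SMTP ICID 53404 interface Data1 (192.168.10.176) address 192.168.10.171 reverse dns host host.example.local verified yes
Mon Jul 24 11:35:02 2023 Info: ICID 53404 REJECT SG None match ALL SBRS rfc1918 country not applicable
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT continuing session for recipient logging (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message from: sender@example.local (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message recipient: <recipient1@test.local> (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 Delayed HAT REJECT Message recipient: <recipient2@test.local> (192.168.10.171)
Mon Jul 24 11:35:02 2023 Info: ICID 53404 close
"""

# Patterns written for the line shapes shown on this page (assumption: other log variants may differ).
NEW_RE = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+) reverse dns host (\S+)")
REJECT_RE = re.compile(r"^ICID (\d+) REJECT SG (\S+) match (\S+) SBRS (\S+)")
FROM_RE = re.compile(r"^ICID (\d+) Delayed HAT REJECT Message from: (\S+)")
RCPT_RE = re.compile(r"^ICID (\d+) Delayed HAT REJECT Message recipient: <([^>]*)>")


def _blank(icid):
    return {"icid": icid, "time": None, "ip": None, "rdns": None, "sender_group": None,
            "policy": None, "sbrs": None, "mail_from": None, "recipients": []}


def summarize_hat_rejects(log_text):
    """Correlate mail log lines by ICID; return one record per connection that hit a HAT REJECT."""
    conns = {}
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" Info: ")  # timestamp is everything before " Info: "
        if m := NEW_RE.search(rest):
            conns.setdefault(m[1], _blank(m[1])).update(time=ts, ip=m[2], rdns=m[3])
        elif m := REJECT_RE.match(rest):
            conns.setdefault(m[1], _blank(m[1])).update(sender_group=m[2], policy=m[3], sbrs=m[4])
        elif m := FROM_RE.match(rest):
            conns.setdefault(m[1], _blank(m[1]))["mail_from"] = m[2]
        elif m := RCPT_RE.match(rest):
            conns.setdefault(m[1], _blank(m[1]))["recipients"].append(m[2])
    return {icid: c for icid, c in conns.items() if c["sender_group"] is not None}


def rejects_without_envelope(summary):
    """ICIDs rejected with no MAIL FROM / RCPT TO recorded, i.e. banner-time rejects.
    After enabling delayed rejection this list should normally be empty."""
    return sorted(i for i, c in summary.items() if c["mail_from"] is None and not c["recipients"])
```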