Lotus Protector Interop Guide. Mail Encryption Mail Security Version 1.4

Transcription

1 Lotus Protector Mail Security and Mail Encryption Interop Guide Lotus Protector Interop Guide Mail Encryption Mail Security Version 1.4

2 Lotus Protector Mail Security and Mail Encryption Configuration Guide Table of Contents Table of Contents Introduction Conventions Overview Mail Architecture Mail Flow Deployment Considerations Policy Considerations Infrastructure DNS DMZ Routing Domino Server Mail Encryption Configuration Initial Configuration Interface Settings Exit Learn Mode Default Policies Request SSL Certificates Mail Configuration Outbound Mail Inbound Mail Verify Mail Routing Enable Mail Encryption Web Messenger Mail Security Configuration Setup Network Configuration Mail Relays Mail Flow Policy Management Check for Mail Encryption Processing Inbound Policy Outbound Policy

3 Lotus Protector Mail Security and Mail Encryption Interop Guide Introduction This guide outlines the steps required to configure interoperability between Lotus Protector Mail Encryption and Mail Security In this configuration, Mail Encryption is configured in gateway mode and acts as an arm of Mail Security. Mail Security will send mail to Mail Encryption on an asneeded basis. For example, inbound encrypted mail or outbound mail that matches a keyword can be configured to loop through the Mail Encryption Server for processing. Conventions The term interesting mail is used to describe messages that match a policy or filter, such as all mail from the finance department. For brevity, the guide does not instruct the user to press the save button after each step. Industry acronyms such as IP, SMTP, and HTTP are not spelled out.

4 Lotus Protector Mail Security and Mail Encryption Configuration Guide Overview Mail Architecture As shown in Figure 1, Ethernet interfaces on the Mail Encryption and Mail Security systems are placed within the DMZ. In this topology, the sole Mail Encryption physical interface sends and receives mail, requires STARTTLS, and is assigned one IP address. Mail Security is also configured with a single IP address assigned to a single physical interface. Mail Flow Figure 1: Secure Mail Flow The internal mail transfer agent (MTA), Lotus Domino, will direct all mail to mail.example.com. External MTAs will also send mail to mail.example.com. Mail Encryption will send also send mail to mail.example.com. Mail Security will distinguish inbound and outbound mail coming from all sources.

5 Lotus Protector Mail Security and Mail Encryption Interop Guide Inbound mail that is encrypted and/or signed will follow the path from right to left shown in Figure 1. Outbound mail in need of encryption and/or digital signing flows from left to right. Any inbound or outbound mail that is processed by Mail Encryption will be sent back to Mail Security for final delivery. Not all mail will follow the path shown in Figure 1. Inbound mail that is not encrypted and/or signed will be received by Mail Security and sent directly to the internal Domino server. Likewise, outbound mail that does not match the user-defined policy requirements specified on Mail Security will be sent from the Domino server to the Mail Security and then directly to the recipient s server. Deployment Considerations Mail Security will examine plain-text contents of all message fields and attachments. Binary format files will not be examined. Refer to Mail Security documentation to determine what additional DLP options are available if review of binary attachments is required. The configuration outlined in this guide assumes that Mail Encryption is operating in gateway mode and will not operate in end-to-end mode. Deploying two instances of Mail Encryption (before and after the gateway) was not tested. The Mail Encryption Web Messenger feature is supported and tested in this configuration. Although it would be possible for Mail Encryption to directly deliver inbound and outbound mail, it is impractical for a number of reasons. Most significantly, unencrypted messages returned to Mail Security can be filtered for content before the message is delivered internally. Direct outbound mail delivery by Mail Encryption to the Internet is not recommended in this configuration because bypassing Mail Security reduces the value of Mail Security s reporting engine. Also, Mail Security will still be sending plaintext mail, so using Mail Encryption for direct outbound delivery would increase the number of advertised traffic sources from the enterprise and provide an additional point of attack. Policy Considerations Generally, all policy decisions (such as Encrypt if a keyword is in the body of the message ) will be defined on Mail Security. However, if there are any internal Mail Encryption desktop users, Mail Encryption policy is predominant. An example: Mail Encryption is configured to encrypt all mail and Mail Security is configured to send messages to Mail Encryption if the subject line contains Top Secret. An internal Mail Encryption Satellite user retrieves the encrypt all policy from the Mail Encryption Server. The message may be encrypted even if it does not contain Top Secret in the subject line. By contrast, assume the internal Mail Encryption Satellite user writes a Top Secret message to a yahoo.com user, but the Mail Encryption policy is set to only encrypt when the Confidential flag is set. The message is sent as clear text by the user, and may be sent by Mail Security to Mail Encryption for encryption, but Mail Encryption passes the message back to Mail Security unencrypted. This policy conflict could take place with or without internal Mail Encryption Satellite users. Given Mail Security s role as a policy engine, it makes sense to define as many policy decisions as possible on Mail Security and create simpler policies (such as If recipient key not found, use Web Messenger ) on Mail Encryption to avoid logical conflicts.

6 Lotus Protector Mail Security and Mail Encryption Configuration Guide Infrastructure DNS The following records must be placed into the example.com DNS. Without DNS entries, Mail Encryption will not function properly. Name Type Purpose keys.example.com A, PTR Mail routing and TLS from Mail Security. Users seeking Mail Encryption Web Messenger and Keyserver systems. mail.example.com MX, A, PTR MX: Mail directed to example.com from external senders. A, PTR: Used by Domino server, Mail Encryption, and TLS to this interface DMZ Routing Table 1: DNS Entries Mail Encryption expects that outbound traffic will arrive via Mail Security s IP address. All other IPs are considered untrusted. Because Mail Security sends both inbound and outbound mail to Mail Encryption for processing, two distinct source IPs must be configured on Mail Encryption. Mail Security will determine whether a message requires processing and direct it to the appropriate inbound or outbound interface on Mail Encryption. Domino Server All mail exiting the enterprise needs to be directed through Lotus Mail Security for policy inspection. Internal Domino/other MTAs should be configured to relay all mail to mail.example.com/ This option, Relay host for messages leaving the local internet domain: is located in Configuration -> Server -> Configurations, under the Basics tab for your specific Domino server.

7 Lotus Protector Mail Security and Mail Encryption Interop Guide Mail Encryption Configuration Initial Configuration Follow the instructions in the Mail Encryption Administrator s Guide. Select Gateway Placement and use mail.example.com as the Mail Server. The Mail Encryption Server is named keys.example.com. Ensure that the system is properly licensed for encryption and proxy services. Interface Settings Figure 1: Network Configuration Network configuration can be reviewed and modified on the System -> Network page.

8 Lotus Protector Mail Security and Mail Encryption Configuration Guide Exit Learn Mode After the initial installation of Mail Encryption, be sure to license your server. To ensure that mail will be processed by Mail Encryption, you must then de-activate Learn Mode by unchecking the box shown in Figure 2: Figure 2: Uncheck Learn Mode Default Policies To avoid policy conflicts, PGP Universal policy should be simplified. Select the Outbound policy chain, as show in Figure 3. In this integration guide, PGP Universal is set up as a gateay. As such, ensure tht the No Encryption for Interal Users and Passthrough if User Did Not Authenticate rules are disabled - as shown in Figure 4 - because they are meant for internal placement. Furthermore, disable the Always Encrypt Sensitive Messages rule because all compliance policies are being implemented on Mail Security.

9 Lotus Protector Mail Security and Mail Encryption Interop Guide Figure 3: Select Outbound Policy Chain

10 Lotus Protector Mail Security and Mail Encryption Configuration Guide Figure 4: Disable Default Policy In order to ensure outbound mail arriving on port 26 of the local connector is properly processed, an additional policy should be added. Two conditions are configured in this example, matching the port and IP address of the local connector, as shown in Figure 5. Matching the IP address is not explicitly required but included here in case additional connectors are present or added later.

11 Lotus Protector Mail Security and Mail Encryption Interop Guide Figure 5: Outbound Policy Conditions Figure 6 shows the action that will be taken if the mail matches the defined conditions. The message should be encrypted using the recipient s key. If this key is unavailable, Web Messenger functionality will be used to allow the recipient to view the message in a secure environment. Figure 6: Outbound Policy Actions

12 Lotus Protector Mail Security and Mail Encryption Configuration Guide Request SSL Certificates If a publicly signed certificate is desired, generate an SSL Certificate Signing Request (CSR), as shown in Figure 3. Send the request along with payment to a Certificate Authority (CA) and install the certificate using the Import button on the same screen. Note that the domain field is actually prompting for the fully-qualified domain name of the Mail Encryption Server. Figure 7: Generate CSR for SSL Certificate

13 Lotus Protector Mail Security and Mail Encryption Interop Guide Mail Configuration Two proxies are necessary to allow for proper mail processing. The outbound proxy will encrypt or perform other actions on messages destined for recipients outside of the example.com domain. The inbound proxy attempts to decrypt messages identified by policies on Mail Security. Outbound Mail The outbound mail proxy should be connected to the IP address where Mail Security will forward messages requiring encryption. After processing, mail will be returned to Mail Security for proxy to its final destination. Figure 8: Outbound Proxy Configuration. The outbound Local Connector should be configured to accept mail on port 26. This allows Mail Encryption to separate it from incoming mail which may require decryption. This connector can be set to STARTTLS Allow to permit secure mail transfer via a TLS connection. Addition of the second connector, as show in Figure 6, enables this process. Access to the outbound mail proxy should be restricted to connections from Mail Security. Select the Restrict Access button shown in Figure 6. The pop-up shown in Figure 7 ensure access to keys-trust ( ) is only permitted from mail.example.com ( ).

14 Lotus Protector Mail Security and Mail Encryption Configuration Guide Figure 9: Restrict Outbound Access Look for this checkmark on Figure 6 to confirm successful configuration. Inbound Mail As with outbound messages, all inbound mail sent to Mail Encryption will be processed and sent back to mail.example.com. The standard SMTP port on the interface ( :25) should be selected as the Local Connector. Mail should be directed back to Mail Security ( ) after processing rather than directly on to the internal MTA. This will allow analysis of content which may previously have been unreadable due to encryption. As with outbound mail, a second Local Connector enabling TLS communication may be added. This Local Connector must reside on a different port than the other; port 466 is used in this example.

15 Lotus Protector Mail Security and Mail Encryption Interop Guide Verify Mail Routing Figure 10: Inbound Proxy Configuration Successful completion of the mail configuration shown in Figure 6 should result in the creation of the new mail route shown in Figure 8. If not, you should manually create the route. The route ensures that mail addressed to internal users will be sent back to Mail Security for policy and spam processing after decryption. Figure 11 : Verify Mail Routes

16 Lotus Protector Mail Security and Mail Encryption Configuration Guide Mail Security Configuration Mail Security resides in a DMZ that permits access to a DNS server, Mail Encryption, and the public Internet. All policy controls for this architecture reside within Mail Security. Interesting mail will be detected via policy and rerouted to Mail Encryption for additional processing. Setup Network Configuration Only one external interface is required on Mail Security. If this was not set during initial system setup, it can be configured from the System - > Networking menu. Ensure that the interface is set to enabled and the IP address matches access restrictions/proxy settings on Mail Encryption. Figure 1 2: Mail Security Network Setup Mail Relays Mail Security needs to be configured to know both its local mail domains as well as systems authorized to relay outbound mail. Both options are set under the STMP - > Configuration menu shown in Figure 13. In this example, the local domain example.com is configured with an internal MTA Mail Security will use this address for mail delivery once a message has successfully passed through policy checks. Systems or networks which are authorized to use Mail Security for outbound mail must be specified in the Relay Hosts section. In this example /24 is authorized a range that includes the internal MTA and the interface of Mail Encryption.

17 Lotus Protector Mail Security and Mail Encryption Interop Guide Figure 13: Mail Domain and Relay Setup Mail Flow Mail Security has a single mail flow that processes both inbound and outbound mail. Policy rules are created that determine which direction the mail is travelling and what actions need to be taken on a given message. Mail that is sent to Mail Encryption for processing will be returned to Mail Security for final delivery. Policy Management Mail Security has a number of default policies which demonstrate its ability to check for for spam, viruses, and other conditions. In order to ensure that policies such as these are always applied, they should remain at the top of the list. After these tests, messages will be examined to determine their needs for further processing by Mail Encryption. Checks will also be added to determine whether a message has already been processed and is awaiting final delivery. Figure 14: Mail Flow Policies

18 Lotus Protector Mail Security and Mail Encryption Configuration Guide Check for Mail Encryption Processing If a message has been sent to Mail Encryption for encryption or decryption, a Mail Encryption address will appear in its header. A policy check for the address is performed on the received field, as shown in Figure 15. This policy has its resultant action set to Allow as it is a terminal checks on the mail flow. Note that this policy is placed after content inspection but prior to policies determining the need for Mail Encryption processing. This placement guarantees that mail will take a clear text pass through the policy list while preventing a mail loop between Mail Security and Mail Encryption. Figure 1 5: PGP Processed Outbound and Inbound Policies Inbound Policy Inbound messages may be signed and/or encrypted in a variety of formats. Underlined conditions 1-8 in Table 2 should be included in the decryption policy. Underlined rules are recommended. The last four conditions are optional. An inbound message should be sent to Mail Encryption for processing if any of the conditions in the filter are met. Condition Message Part Matching Value 1 Header specific word(s) X-PGP-Universal

19 Lotus Protector Mail Security and Mail Encryption Interop Guide Condition Message Part Matching Value 2 Header specific word(s) 3 Header specific word(s) 4 Header specific word(s) 5 Header specific word(s) 6 Header specific word(s) 7 Any part of specific message phrase 8 Any part of specific message word(s) 9 Any part of specific message phrase 10 Any part of specific message word(s) 11 Any part of specific message word(s) 12 Any part of specific message word(s) Table 2: Encryption & Signature Conditions multipart/encrypted multipart/signed application/pkcs7-mime application/x-pkcs7-mime application/pkcs7-signature -----BEGIN PGP -----BEGIN=20PGP * PGP LS0tLS1CRUdJTiBQR1Ag LS0tQkVHSU4gUSeQI LS0tLUJFR0lOIFBHUC The conditions defined in Table 2 can be checked using a single analysis module keyword search rule. Mail Security will only search parts of the message itself. It will not inspect attachments for content. Figure 16 shows the rule created to implement the inbound decryption policy check. This policy should be applied to all messages with a recipient identified as a member of the My Domains group.

20 Lotus Protector Mail Security and Mail Encryption Configuration Guide Figure 1 6: Inbound Policy Check If the analysis module validates the check, the message must be relayed to Mail Encryption for decryption. The response policy to accomplish this is show in Figure 17: Figure 17: Forward for Decryption Once the message has been processed by PGP Universal, it will be returned to Mail Security and queued for final delivery after meeting the Inbound Action policy address check. Outbound Policy

21 Lotus Protector Mail Security and Mail Encryption Interop Guide An outbound filter will re-route messages to Mail Encryption when the contents of the message match a policy condition. These policies must come after checks to determine whether a message has already passed through Mail Encryption to prevent mail loops. If multiple, independent conditions could result in the re-routing of a message to Mail Encryption, you can place them in separate rules for easier maintenance. The rule in Figure 18 will route certain messages to Mail Encryption. The condition requires that messages contain the case-insensitive phrase Top Secret in the subject line of the outbound message. Figure 1 8: Outbound Policy Check The action associated with this rule is similar to the inbound decryption check. If the analysis module matches the message, the response policy shown in Figure 19 will forward the message to the encryption interface of Mail Encryption.

22 Lotus Protector Mail Security and Mail Encryption Configuration Guide Figure 19: Forward for Encryption Once encryption is completed, the message is relayed back to Mail Security. The message header will then match the Outbound Action policy and be queued for final delivery.