Knowledge Center


SMTP communication over the Advanced Threat Defense Email Connector
Technical Articles ID:   KB90813
Last Modified:  8/15/2018

Environment

McAfee Advanced Threat Defense 4.x
McAfee Advanced Threat Defense 4.x Email Connector

Summary

This article explains how the ATD Email Connector handles SMTP connections in both the inbound and outbound directions, and provides a timeline of the events and scanning activity on ATD.

Abstract
The Email Connector receives the email message, extracts the sample for scanning from the email, and submits it to ATD. The connector then forwards the scanned email to the smart host.
After the mail is delivered to the smart host, the Email Connector returns the SMTP status code for the DATA phase to the sender MTA.

The Email Connector does not have an email queue. The connector's SMTP return code for the DATA phase depends on the result of the delivery attempt to the smart host.
If the delivery to the smart host is successful, the connector returns a successful SMTP status code to the sender MTA. But if delivery fails, the connector returns an error in the form of an SMTP status code.

The sender MTA keeps the original email and resends it to the Email Connector when the error is detected.

Sequence of events in a successful email delivery:
  1. Email Connector receives inbound email from the sender MTA.
  2. Email Connector extracts attachments from the email.
  3. Email Connector submits samples to ATD for scanning.
  4. ATD scans the sample, and Email Connector waits for the scan results.
  5. ATD finishes scanning the samples.
  6. Email Connector receives the scan results.
  7. Email Connector adds scan results to the email in the email header section.
  8. Email Connector forwards the email with scan results to the smart host MTA.
  9. Email Connector returns SMTP code back to the sender MTA.
Here is the step-by-step explanation of each event:

Phase 1. Email Connector receives inbound email from the sender MTA.
The ATD Email Connector receives an inbound SMTP connection from your sender MTA. The Email Connector listens on the TCP port number that you specified as the listen port.
NOTE:
  • The listen port is specified at the Listen Port setting in the Manage, Email Connector, Configuration, Receiving Email.
  • The sender MTA must be listed under the Permitted Hosts setting in the Manage, Email Connector, Configuration, Receiving Email.
When the SMTP connection is established, the Email Connector and your sender MTA start the SMTP conversation. TLS enforcement between your sender MTA and Email Connector is handled at this stage. During this part of the conversation, the sender MTA sends the sender and return email addresses.

The sender MTA starts sending the email message to the Email Connector in the DATA phase of the SMTP conversation. When the contents of the email message have been sent to the Email Connector, your sender MTA sends a sequence of specific bytes. These bytes, <CRLF>.<CRLF>, are known as the final period. They are sent to the Email Connector at the end of the email message in the DATA phase. Then your sender MTA waits for the SMTP status code from the Email Connector.

On the Email Connector side, after receiving the email message in the DATA phase (terminated by <CRLF>.<CRLF>), the Email Connector continues to the next phase of message handling.
NOTE: The Email Connector keeps the inbound SMTP connection open with the sender MTA without returning an SMTP status code for the DATA phase.

Phase 2. Email Connector extracts attachments from the email.
The Email Connector now has the email to scan, and extracts the attachments from it. Which attachments it extracts is based on the Scan these file types setting under Manage, Email Connector, Configuration, Scanning Email.

If the attachment file meets the Filtering Rule criteria under Manage, Email Connector, Filtering Rules, the connector does not submit the attachment file to ATD for scanning. Otherwise, the attachment file is scanned.

Phase 3. Email Connector submits samples to ATD for scanning.
The Email Connector calculates the MD5 hash of the sample and compares it against its local scan cache.
  • If the Email Connector previously handled the same MD5 hash, and its ATD scan results are also in the cache:
    The connector reuses the cached results instead of submitting the sample to ATD, and then immediately continues to deliver the email to the smart host.
    NOTE: You can empty the scan results cache under Manage, Troubleshooting, Reset Email Reports and Cache, Clear Email Results Cache.

  • If not, the connector submits one or more samples to ATD for scanning using the atdec user account setting.
    NOTE: The Email Connector still holds the inbound SMTP connection without returning a status code to your sender MTA at this stage.

Phase 4. ATD scans the sample, and Email Connector waits for the scan results.
ATD starts scanning the samples using the default analyzer profile of the atdec user. This can take a few minutes, depending on your ATD's scanning load at the time and on whether sandbox scanning runs against the samples. The Email Connector periodically polls ATD for the scan results.
NOTE:
  • During this stage, the sample attachment file is visible under Analysis, Analysis Status with User as atdec.
  • The Email Connector still holds the inbound SMTP connection without returning a status code to your sender MTA at this stage.
  • Sandbox scanning can take more than a couple of minutes to complete.
    You can configure how long your Email Connector waits for the scan results from ATD with the Maximum time per email to wait for all scans to complete setting under the ATD Email Connector configuration.
If the connector submits samples to ATD but scanning does not complete within this wait time, the connector gives up waiting. It then moves on to the delivery to the smart host stage with the scan verdict Scan Timed Out.

Phase 5. ATD finishes scanning the sample.
ATD finishes scanning one or more samples. The scan results are listed under Analysis, Analysis Reports with User as atdec.

NOTE: The Email Connector still holds the inbound SMTP connection without returning a status code to your sender MTA at this stage.

Phase 6. Email Connector receives the scan results.
When the scan results are made available, Email Connector receives the results.

Phase 7. Email Connector adds scan results to the email in the email header section.
Email Connector adds the scan results to the email header section of the email message.

Phase 8. Email Connector forwards the email with scan results to the smart host MTA.
If the Email Connector is configured in Offline Mode, this step is skipped. Otherwise, the Email Connector tries to open a new SMTP connection to the smart host and forward the changed email to it. (The changed email carries the additional email headers with the scan results.)

NOTE: The Email Connector still holds the inbound SMTP connection without returning a status code back to your sender MTA at this stage.

Phase 9. Email Connector returns SMTP code back to the sender MTA.
After the delivery attempt to the smart host, the Email Connector returns the SMTP status code back to the original sender MTA in the inbound SMTP connection.

When the Email Connector successfully forwards the scanned email at the previous stage, it returns a status code of 250. The code signifies the end of the DATA phase of the original email sent from the sender MTA to the Email Connector. The sender MTA either quits the SMTP connection, or starts another email delivery attempt to the Email Connector using the same SMTP connection.

But if the connector fails to forward the email to the smart host at the previous stage, the Email Connector returns either a 4xx or a 5xx status code to the sender MTA.
It also sends a short description of the problem for troubleshooting, for example 442 Bad Connection, which means the SMTP connection to the smart host was abnormally closed. This signifies the end of the DATA phase of the original email sent from the sender MTA to the Email Connector, with an error at delivery. The sender MTA must handle the original email message accordingly: 4xx to retry, or 5xx to give up.

IMPORTANT: The Email Connector does not have a local email queue. If forwarding the email to the smart host fails, the Email Connector does not keep the scanned email for retry.
Instead it returns a 4xx or 5xx SMTP status code. It is the sender MTA's responsibility to handle the error.
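The following is an added model of phases 2 through 9, not code from the Email Connector itself. It reads a message after the final period, extracts attachments, checks an MD5 scan cache, polls for a verdict until the configured maximum wait (returning Scan Timed Out on expiry), stamps the result into a header, and derives the DATA-phase reply from the smart-host forwarding result. The header name X-ATD-Verdict, the submit/forward callables and the sample message are assumptions constructed for the example.

```python
import email
import hashlib
import time
from email.message import EmailMessage
from typing import Callable, Dict, Optional

# Scan-result cache keyed by attachment MD5 (constructed model of the connector's local cache).
scan_cache: Dict[str, str] = {}

def build_sample(payload: bytes = b"constructed attachment body") -> bytes:
    """Constructed test message with one attachment; not a captured email."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

def wait_for_verdict(poll: Callable[[], Optional[str]], max_wait: float, interval: float = 0.01) -> str:
    """Phase 4: poll ATD until a verdict arrives or the configured wait time elapses."""
    deadline = time.monotonic() + max_wait
    while time.monotonic() < deadline:
        verdict = poll()
        if verdict is not None:
            return verdict
        time.sleep(interval)
    return "Scan Timed Out"  # connector gives up waiting and delivers anyway

def handle_data_phase(raw: bytes, submit: Callable[[bytes], Callable[[], Optional[str]]],
                      forward: Callable[[bytes], bool], max_wait: float = 600.0) -> str:
    """Phases 2-9: return the SMTP reply the sender MTA finally receives after <CRLF>.<CRLF>."""
    msg = email.message_from_bytes(raw)
    verdicts = []
    for part in msg.walk():                                    # phase 2: extract attachments
        if part.get_content_disposition() != "attachment":
            continue
        sample = part.get_payload(decode=True)
        digest = hashlib.md5(sample).hexdigest()                # phase 3: MD5 lookup in the cache
        if digest not in scan_cache:
            verdict = wait_for_verdict(submit(sample), max_wait)  # phase 3/4: submit, then wait
            if verdict == "Scan Timed Out":
                verdicts.append(verdict)                       # assumption: timeouts are not cached
                continue
            scan_cache[digest] = verdict                       # phases 5/6: result received and cached
        verdicts.append(scan_cache[digest])
    msg["X-ATD-Verdict"] = "; ".join(verdicts) or "No sample"  # phase 7: hypothetical header name
    if forward(msg.as_bytes()):                                # phase 8: deliver to the smart host
        return "250 OK"                                        # phase 9: success ends the DATA phase
    return "442 Bad Connection"                                # phase 9: no local queue, sender retries
```

Note that the sender MTA's DATA-phase reply does not arrive until `forward` returns, which is why its own timeout must exceed `max_wait`.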

Sender MTA Perspective
From the sender MTA's perspective, it receives the SMTP status code for the DATA phase only after the Email Connector finishes the delivery to the smart host. This can take a long time if ATD performs sandbox scanning against the attachment files.

To receive the SMTP status code from the Email Connector correctly, the sender MTA must wait longer than the Maximum time per email to wait for all scans to complete setting.
This setting is configured under Manage, Email Connector, Configuration, Scanning Email. Configure your sender MTA's DATA-phase timeout to be longer than that setting.
A short timeout period for waiting for the SMTP status code for the DATA phase might cause issues. For example, the sender MTA might treat the SMTP connection as timed out while ATD is still scanning the sample.

NOTE: For the Maximum time per email to wait for all scans to complete setting, McAfee recommends using 600 seconds, which is the default value.

Attachment

mta_atd_ec_interaction.pdf

