WFilter is able logging outgoing mail but not incoming.

[IT-RSMNLK]

The question was already on the forum but i found the answer not clear.



This was the answer:

the default exchange server protocol using outlook is not supported because it's traffic is encrypted



Our situation:

WFilter scans a mirror port on a switch. The source is the firewall port that handels all internet traffic.



Everything goes well except the incoming mail. We use Exchange 2010 and Outlook 2010.



Between the internet and the Exchange server there is only a firewall and a Trend Micro mailgateway with no mail encryption.

I understand that we can't read the internal e-mails, but I don't understand why we can read the outgoing mails and not the incoming mails.



In my understanding they take the same road only in opposite directions. Exchange server -> Internet. Internet -> Exchange server.



Especially with the incoming emails from an external source, I can't see why Outlook encryption should be involved.



Can someone help me explain why WFilter can't scan the incoming e-mails?



Kind regards,

Daan Udink

[imfirewall]

It depends on the email protocols you're using.



If you use pop3 or imap to receive emails, wfilter can record it.



Exchange server provides multiple connection protocols:

1. default exchange server protocol(encrypted and not supported by wfilter)

2. pop3 -- can be recorded

3. imap -- can be recorded





So it depends on how you setup your outlook client to receive emails.



There is a solution: you can block default exchange server protocol, to force the clients to use pop3 or imap instead. If you like this solution, I can write a guide for you.

[IT-RSMNLK]

We only have our firewall port mirrored. Not the mail server port. Behind the firewall is our TrendMicro IWSS mail gateway. So we only scan mails which are going to or coming from our mail gateway.



We are able to scan the outgoing mails, they go from the mail server to the mail gateway. Why can't we scan the incoming mails wich are going from the mail gateway to the mail server?

Both directions should be SMTP. (Or am I wrong?) And therefore I think readable.



We are not interested in mail between exchange and outlook.

[imfirewall]

You intend to monitor smtp relay traffic.



We need to setup such a environment to test. I will let you know the result. It shall take no longer than 2 weeks.

[IT-RSMNLK]

Are there already some results from the test environment?

[imfirewall]

The reason is wfilter does not recording incoming SMTP messages.



Now we're thinking about adding a protocol pattern definition to get it supported. I believe we will work out this solution in next Monday.

[IT-RSMNLK]

Thats good to know. Now we know is not the configuration but WFilter doesn't have the feature yet.

Is the feature been put in or are you still working it out?



If so, I would appreciate it if you can give me a message when the update is online.

[imfirewall]

It's more complicated than we thought. WFilter is designed to monitor and manage local network client computers' internet usage. However, this smtp relay behavior is smtp requests from internet ip addresses.





So monitoring of incoming smtp requires changes of WFilter basic module design, we plan to add this feature in next 4.1 version. I will let you know when it is ready.

[IT-RSMNLK]

Just read that 4.1 wil come out soon. Do you know if the feature to read incoming smtp will be in this version?

[imfirewall]

Yes. We've added this feature in the 4.1 version. And the 4.1 beta2 version will be released in two weeks.



Please notice, even in the 4.1 version, to record incoming smtp, a special setting is still required. Please let me know when you're ready, I will send you a setting file to enable it.