IRomich96
Message 1 of 6

McAfee DLP Prevent and Postfix MTA

Hello everyone, I am trying to configure Postfix to redirect emails to McAfee DLP Prevent. But Postfix cannot check for a missing header. Is there a ready-made instruction for configuring Postfix? Or is it better to use another MTA?
Accepted Solutions
IRomich96
Message 2 of 6

Re: McAfee DLP Prevent and Postfix MTA


I solved this problem by using multiple instances in Postfix (http://www.postfix.org/MULTI_INSTANCE_README.html).

I set DLP Prevent as the relayhost for the first instance and created a header check for X-RCIS-Action.

If the message header has the "Allow" value, the message is sent to the second instance, which has an empty relayhost.

Re: McAfee DLP Prevent and Postfix MTA


Hello,

I'm working on the Postfix MTA too, but I can't find any documents on integrating Postfix with DLP Prevent. The email is sent outside normally. Do you have any instructions or documents related to this issue? Thank you so much.

This is my model in a lab environment.

model.PNG

 

IRomich96
Message 4 of 6

Re: McAfee DLP Prevent and Postfix MTA


Hi @phamanh1652,

I didn't find any docs on integrating McAfee DLP Prevent and Postfix either.
I used the multi-instance feature in Postfix. You can read about this feature at http://www.postfix.org/MULTI_INSTANCE_README.html
The first instance receives email from the email server and sends it to Prevent for analysis. The Prevent appliance sends the email back to the first instance of Postfix after completing the analysis. If the X-RCIS-Action header equals Allow, the email message is forwarded to the second instance, which has an empty relayhost. Both Postfix instances are on the same host and use different ports (for example, 25 and 10025).

Firstly, I created the default instance.

Then ran: postmulti -e init

Then I created the second instance with the following command:
postmulti -I postfix-out -G mta -e create

I added 2 lines to /etc/postfix/main.cf for the first instance:
relayhost=<Prevent_IP>
header_checks = regexp:/etc/postfix/header_checks

I added the following lines to /etc/postfix/header_checks for the first instance:
if /X-RCIS-Action:/
/X-RCIS-Action: BLOCK/ REJECT
/X-RCIS-Action: QUART/ HOLD
/X-RCIS-Action: REDIR/ REDIRECT **personal information omitted**
/X-RCIS-Action: SCANFAIL/ REJECT SCANFAIL error on DLP Prevent
/X-RCIS-Action: BOUNCE/ DISCARD
/X-RCIS-Action: .*/ FILTER smtp:localhost:10025
endif

For the second instance I made the following changes:
Added a line to /etc/postfix-out/main.cf:
relayhost=

And a line to /etc/postfix-out/master.cf:
:10025 instead of smtp
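
Added example (not part of the original post): a small Python model of how the header_checks table above is evaluated, showing which route a message takes with and without an X-RCIS-Action header. It assumes flat if/endif blocks and patterns without a slash, and the REDIRECT address is a placeholder because the page omits it.

```python
import re

# Table as posted in the thread. The REDIRECT target is omitted on the page,
# so a placeholder address stands in for it here.
HEADER_CHECKS = """\
if /X-RCIS-Action:/
/X-RCIS-Action: BLOCK/ REJECT
/X-RCIS-Action: QUART/ HOLD
/X-RCIS-Action: REDIR/ REDIRECT placeholder@example.invalid
/X-RCIS-Action: SCANFAIL/ REJECT SCANFAIL error on DLP Prevent
/X-RCIS-Action: BOUNCE/ DISCARD
/X-RCIS-Action: .*/ FILTER smtp:localhost:10025
endif
"""

def parse_table(text):
    """Return [(guard_or_None, pattern, action)]; regexp: tables match case-insensitively."""
    rules, guard = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("if "):
            guard = re.compile(line[3:].strip().strip("/"), re.I)
        elif line == "endif":
            guard = None
        else:
            _, pattern, action = line.split("/", 2)
            rules.append((guard, re.compile(pattern, re.I), action.strip()))
    return rules

def route(headers, rules):
    """The first rule that matches a header line decides the action. None means no
    rule fired, so the first instance hands the mail to its relayhost (Prevent)."""
    for header in headers:
        for guard, pattern, action in rules:
            if guard and not guard.search(header):
                continue
            if pattern.search(header):
                return action
    return None

RULES = parse_table(HEADER_CHECKS)

if __name__ == "__main__":
    # Constructed sample values for the header, including one not listed in the table.
    for value in (None, "ALLOW", "BLOCK", "QUART", "UNLISTED"):
        headers = ["Subject: test"] + ([f"X-RCIS-Action: {value}"] if value else [])
        print(value, "->", route(headers, RULES) or "relayhost (DLP Prevent)")
```

The run shows that a message without the header is never matched and goes to Prevent, and that the final `.*` rule sends every value not listed above it to port 10025, not only Allow.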

Re: McAfee DLP Prevent and Postfix MTA


Hi @IRomich96,

Thank you so much for your guide. The DLP Prevent received the email traffic, but it all went to temporarily rejected. As in the multi-tenant Postfix link, must I create a postfix-in tenant?

mail prevent.PNG

 

Update:

DLP Prevent received and delivered the emails but the external user doesn't receive any emails. Is it because of the empty relayhost?

IRomich96
Message 6 of 6

Re: McAfee DLP Prevent and Postfix MTA


Hi @phamanh1652,

I created the default tenant (postfix) and the second tenant, postfix out.
For troubleshooting, you can look at the logs on Postfix. If you have misconfigured the Prevent relayhost or the routing rules on Postfix, you will see errors in the logs related to continuous resending of email between Postfix and the Prevent appliance. After multiple retries, Prevent rejects the message.

The empty relayhost is used so that Postfix can find the correct server for the mail domain.
