Use Case: MTA Adapters

A new MTA adapter has been added to FortiSandbox for FSA_AWS or FSA_VM (where the serial number begins with FSA VM01). FortiSandbox extracts the .EML file, attachment files, and URLs in the email body and then sends them into the job queue.

To enable MTA adapters on FSA_AWS or FSA_VM:

1. On the FortiSandbox, go to Scan Input > Adapter.
2. The MTA adapter is disabled by default. To activate it, select the MTA adapter from the list and click Edit.

   

3. Configure the settings under Options and Connection:
   • Tag For Suspicious/Malicious Mails: Enter a tag. Malicious and suspicious email are forwarded with the specified tag if Quarantine Settings are disabled.
   • Relay Domain Name: FortiSandbox supports multiple domain names separated by a comma.
   • Next Hop Mail Server Name: Set as the IP or domain of the target email server.
4. Configure the settings under Quarantine Settings:
   • Email is quarantined by FortiSandbox if the content has the selected ratings, otherwise it is forwarded with the customized tag if the email is rated as malicious or suspicious.
   • Enabling the option to Send alert email to receivers when email is quarantined allows you to send customized alert emails when an email is quarantined. The email contains the information of the submission ID (SID) from FortiSandbox.

     

5. Select Apply.

To check and operate suspicious or malicious email quarantined by FortiSandbox:

1. On the FortiSandbox, go to Scan Input > Adapter.
2. Click Quarantine beside the MTA adapter.
   The Quarantine page allows you to view the quarantined email and apply search filters:
   • Click View Details to view the Scan Details page for the email.
   • Click Download Email File to download the original email.
   • Click Preview Email to preview the email.
   • Click Release Quarantine to release the email to the receiver.
   • Click Delete Quarantine to delete the quarantined email from the FortiSandbox database.

     

To log MTA adapter file submission events:

1. On the FortiSandbox, go to Scan Policy > General.
2. Under Enable log event of file submission, enable MTA Adapter.

   

To view debug logs of the MTA adapter in the CLI:

1. In the CLI console, enter the command diagnose-debug adapter_mta_relay and dignose-debug adapter_mta_mail.
   

   > diagnose-debug -h
   Usage: diagnose-debug [netshare|device|adapter] [device_serial_number]
   netshare: Network share daemon 
   device: OFTP daemon for FGT/FML/FCT devices. 
   adapter_cb: Daemon for third party appliance Bit9 + CARBON BLACK 
   adapter_icap: Daemon for Internet Content Adaptation Protocol (ICAP) 
   adapter_bcc: Daemon for BCC 
   adapter_mta_relay: Daemon for MTA Relay 
   adapter_mta_mail: Daemon for MTA Mail

   • Example of diagnose-debug adapter_mta_relay command.
     

     > diagnose-debug adapter_mta_relay
     2019-06-05 21:18:56 FSA-MTA: File from MTA Adapter was submitted. sha256=010ae06e0085f86dd23614aecd077bb844cc5de59cd5b27ccd172749d60df36f fname=4463239589762783574 client_ip=10.0.0.128

   • Example of diagnose-debug adapter_mta_mail command.

     > diagnose-debug adapter_mta_mail
     Jun  6 04:18:56 FSAVM0I000011483 mail.info postfix/qmgr[31350]: B7E0D3E405A: from=<jliang@test.fsa.com>, size=327092, nrcpt=1 (queue active)
     Jun  5 21:18:56 FSAVM0I000011483 mail.info postfix/smtp[32728]: B7E0D3E405A: to=<malware@mta.fsa.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.61, delays=0.51/0/0.02/0.07, dsn=2.0.0, status=sent (250 Ok)
     Jun  6 04:18:56 FSAVM0I000011483 mail.info postfix/qmgr[31350]: B7E0D3E405A: removed
     Jun  5 21:18:56 FSAVM0I000011483 mail.info postfix/smtpd[32498]: disconnect from unknown[207.102.138.11] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
     .......