I am working on AWS Network Firewall with Suricata rule to filter specific source IP address to different destination by FQDN, mainly for HTTP and HTTPS.
As I see HTTPS is use TLS SNI to filter, is it also possible to apply on SMTP over TLS?
Sample rule in strict rule order:
pass tls 172.31.10.11/32 any -> $EXTERNAL_NET 587 (tls.sni; dotprefix; content:".us-west-2.amazonaws.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs - .us-west-2.amazonaws.com"; flow:to_server, established; sid:107; rev:1;)
pass tcp 172.31.10.11/32 any <> $EXTERNAL_NET 587 (sid:501; rev:1;)
However, if I am not including the last rule, it cannot pass any traffic on 587 port.
Is TLS control able to apply on SMTP, similar as HTTPS that only allow to specific destination by FQDN?
Thank you and appreciated for any help.
CodePudding user response:
SNI is not typically required with SMTP. Servers usually don't expect it since there is typically only a single server with a single hostname on a specific IP address, even if this server is responsible for multiple mail domains. Thus clients might or might not add SNI and servers will usually ignore this.
There are some servers out there which support SNI for some time like Postfix since 2019. But many servers and clients do not, so one cannot rely on this.