We have the intention of examining incoming mails for security purposes. In order to do so, we figured out that the solution will include:
Network TAP - To copy all SMTP traffic to the firewall
Firewall - The firewall in turn will get the traffic from the TAP and forward it to the Exchange server
Exchange server - The Exchange server (which also acts as a DC for the domain to which all the mails are sent) will get the traffic from the firewall and store the mails for our analysis.
After setting up this infrastructure we noticed that there is one basic problem: the firewall sees the traffic only when running 'tcpdump' (because the interface turns to promiscuous mode). What we did then was to assign the firewall the public IP addresses which the MX record for our domain refers to. This also didn't work: the firewall did not regard the SMTP traffic as if it were sent to it, and nothing really happened.
I concluded that the problem is that there has to be a TCP 3-way handshake and a REAL session in order for everything to work. With the TAP, obviously, this is not achieved.
To the questions:
1. Are the assumptions correct?
2. Is there any way to achieve the task at hand?
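The point the post runs into is that a TAP delivers copies of packets, so nothing on the firewall can ever complete the handshake or forward the mail; what a TAP-fed sensor can do instead is passively reassemble the mirrored TCP stream and parse the SMTP dialogue from it. The following is an added illustration, not code from the original post: the segments are constructed in-line (one direction only, out of order, with one retransmission), and the reassembly is a deliberately simplified stand-in for what a real passive capture tool does.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # segment data (client -> server direction only)

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from mirrored segments: order by
    sequence number, skip retransmissions, stop at the first hole."""
    data, expect = b"", isn + 1   # the SYN consumes one sequence number
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= expect:
            continue              # pure retransmit, already have these bytes
        if seg.seq > expect:
            break                 # missing segment: do not guess across the gap
        data += seg.payload[expect - seg.seq:]
        expect = seg.seq + len(seg.payload)
    return data

def parse_smtp(client_stream):
    """Pull envelope and message out of the client side of an SMTP session."""
    env, body, in_data = {"mail_from": None, "rcpt_to": [], "message": None}, [], False
    for line in client_stream.split(b"\r\n"):
        if in_data:
            if line == b".":      # end of DATA
                env["message"] = b"\r\n".join(body).decode("utf-8", "replace")
                body, in_data = [], False
            else:                 # undo RFC 5321 dot-stuffing
                body.append(line[1:] if line.startswith(b"..") else line)
        elif line.upper().startswith(b"MAIL FROM:"):
            env["mail_from"] = line[10:].strip().strip(b"<>").decode()
        elif line.upper().startswith(b"RCPT TO:"):
            env["rcpt_to"].append(line[8:].strip().strip(b"<>").decode())
        elif line.upper() == b"DATA":
            in_data = True
    return env

def constructed_capture(isn=1000):
    """Constructed (not captured) client->server segments as a TAP would
    deliver them: out of order, with one retransmission."""
    chunks = [b"EHLO mail.example.net\r\nMAIL FROM:<alice@example.net>\r\n",
              b"RCPT TO:<bob@example.com>\r\nDATA\r\n",
              b"Subject: hi\r\n\r\nhello\r\n..line starting with a dot\r\n.\r\nQUIT\r\n"]
    segs, seq = [], isn + 1
    for c in chunks:
        segs.append(Segment(seq, c))
        seq += len(c)
    return [segs[2], segs[0], segs[1], segs[0]]
```

Calling `parse_smtp(reassemble(constructed_capture(), 1000))` yields the envelope sender, recipient list and the un-dot-stuffed message; a stream with a missing segment is cut at the hole rather than silently joined.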