Sensor Deployment

Sensor deployment uses dual delivery because it allows on-demand enforcement (for Office 365 and G Suite customers) and lowers the risk from client change management.

Dual-Delivery

The Sensor essentially acts as an SMTP “message sink.” It accepts copies of email messages over SMTP and extracts in a streaming fashion the parts of messages necessary for threat analysis:

  • Message metadata
  • Attachments (when enabled)
  • URLs (when enabled)

Message bodies are discarded. No SMTP messages leave the Sensor.
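
The extraction described above can be sketched with Python's standard email package. This is an added example, not the Sensor's own code; the function names, the choice of metadata headers, the URL pattern and the sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed choices for this sketch: which headers count as metadata, and the URL pattern.
METADATA_HEADERS = ("From", "To", "Subject", "Date", "Message-ID", "Reply-To")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_for_analysis(raw: bytes, attachments: bool = True, urls: bool = True) -> dict:
    """Keep metadata, attachment fingerprints and URLs; never store body text."""
    msg = message_from_bytes(raw, policy=policy.default)
    record = {"metadata": {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}}
    found_urls, found_files = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            found_files.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif urls and part.get_content_maintype() == "text":
            # Body text is scanned for URLs here and then dropped, not returned.
            found_urls.update(u.rstrip(".,;") for u in URL_RE.findall(part.get_content()))
    if attachments:  # mirrors "Attachments (when enabled)"
        record["attachments"] = found_files
    if urls:  # mirrors "URLs (when enabled)"
        record["urls"] = sorted(found_urls)
    return record


def build_sample() -> bytes:
    """Constructed sample message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@example.test", "user@example.test"
    m["Subject"], m["Message-ID"] = "Invoice 1042", "<constructed-1@example.test>"
    m.set_content("Please review: https://portal.example.test/invoice?id=1042\n")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(extract_for_analysis(build_sample()))
```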

Dual-delivery is typically used for hosted email architectures such as Office 365 and G Suite.

Dual-delivery installations using journaling/API mail flow.
  1. Inbound mail is sent to the first email platform hop (a SEG may or may not be in front), which filters out spam, viruses, and other unwanted messages.
  2. Office 365 or G Suite sends a journaled copy or bcc: copy of messages to the Sensor and continues original delivery.
  3. The Sensor ingests the journal copy for scoring and policy evaluation.
  4. Office 365 or G Suite delivers the original messages to the mailbox.
  5. The Sensor enforces policy by using an API to access individual mailboxes.
  6. The policy enforcement action occurs at the mailbox, based on the policy result.

Dual-Delivery Sensor Architecture and Data Flows

Dual-delivery Sensor architecture

Step 1

Messages arrive at the customer secure email gateway (SEG) or hosted mailstore and are accepted for spam and virus filtering.

Step 2

After first-level spam and virus filtering, the customer SEG delivers a copy of the message (via a dual-delivery rule or journaling capability) to the CEP Sensor over an SMTP connection, typically on port 25 (although this can be configured to a different port when the CEP Sensor is installed). Inbound messages are queued while the Cloud Email Protection milter process parses the message data to be transmitted to the Cloud Email Protection pipeline for scoring and policy evaluation.

The parsed email message data is sent to the Cloud Email Protection pipeline over an HTTPS connection using port 443.