Hey there,
all incoming mail is forwarded by the mail relay in the DMZ
(sendmail) to the internal Exchange mail server. All outgoing mail is forwarded
by the same mail relay.
Now there is the following rule:
ANY -> mail_relay
Smtp_Scan accept
The resource Smtp_scan directs the mail traffic to the
CVP server in another DMZ segment. So far so good.
I found out that the mail relay acts as an open relay. Why? I
further found out that the fw1 security server, which intercepts the connection,
establishes the connection to the mail relay after CVP checking. Because of the
rule above, this is the same for incoming and outgoing mail. The result is
that the IP address of the internal fw1 interface in the segment of the mail
relay is the source IP address of all SMTP packets. So the relay
can't differentiate between both directions. So how to tell the relay not to
relay mail coming from outside to the outside?
This seems to be a problem.
One solution is to check outgoing mail after the relaying. I
read somewhere that it's not recommended to involve the fw1 SMTP security
server for outgoing mail. Is this true? Maybe there are problems with NAT?
Another solution is to check the from and to fields with a resource of the fw1
security server. This causes some additional overhead besides the CVP
checking.
Any suggestions?
thanks
André
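To make the symptom described above concrete, here is an added example (not part of the original message, and not FW-1 or sendmail code) that models the relay's accept decision for an inbound, an outbound and a third-party session when every connection arrives from the firewall's internal interface. All addresses, networks and domains are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed values for illustration; none of these addresses or domains
# come from the original post.
FW_INTERNAL_IF = "192.0.2.1"               # fw1 interface in the relay's DMZ segment
RELAY_NETS = [ip_network("192.0.2.0/24")]   # networks the relay treats as "inside"
LOCAL_DOMAINS = {"example.com"}             # domains hosted on the internal Exchange server


def domain_of(addr: str) -> str:
    """Return the domain part of an envelope address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def relay_by_source_ip(client_ip: str, mail_from: str, rcpt_to: str) -> bool:
    """Classic decision: deliver to local domains, relay for trusted source networks."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True
    return any(ip_address(client_ip) in net for net in RELAY_NETS)


def relay_by_envelope(client_ip: str, mail_from: str, rcpt_to: str) -> bool:
    """Decision that ignores the (now meaningless) source IP and uses the envelope.

    Caveat: MAIL FROM is unauthenticated, so a client claiming a local sender
    domain is still relayed; this closes third-party relaying but does not
    replace a real distinction between the two directions.
    """
    return domain_of(rcpt_to) in LOCAL_DOMAINS or domain_of(mail_from) in LOCAL_DOMAINS


# Three SMTP sessions as the relay sees them after the security server has
# intercepted them: each one arrives from the firewall's internal interface.
SESSIONS = {
    "inbound": (FW_INTERNAL_IF, "alice@remote.example", "bob@example.com"),
    "outbound": (FW_INTERNAL_IF, "bob@example.com", "alice@remote.example"),
    "third-party": (FW_INTERNAL_IF, "spammer@remote.example", "victim@other.example"),
}


def evaluate(policy) -> dict:
    """Apply a relay policy to every session; True means the relay accepts the RCPT."""
    return {name: policy(*session) for name, session in SESSIONS.items()}


if __name__ == "__main__":
    for name, policy in (("source-ip", relay_by_source_ip), ("envelope", relay_by_envelope)):
        print(name, evaluate(policy))
```

With the source-IP policy the third-party session is accepted, which is exactly the open relay the post describes; the envelope policy rejects it.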