
RE: [FW1] Open Relay AND SMTP Security Server



Hi André,
In the SMTP resource definition you can configure the accepted recipients under
the Match tab.
This prevents spamming.

Hope it helps
:-)
peter

> -----Original Message-----
> From:	André Münch [SMTP:[email protected]]
> Sent:	Friday, 20 October 2000 11:19
> To:	[email protected]
> Subject:	[FW1] Open Relay AND SMTP Security Server
> 
> Hey there,
>  
> All incoming mail is forwarded by the mail relay in the DMZ (sendmail) to
> the internal Exchange mail server. All outgoing mail is forwarded by the
> same mail relay.
>  
> Now there is the following rule:
>  
> ANY ->    mail_relay    Smtp_Scan    accept
>  
> The resource Smtp_scan directs the mail traffic to the CVP server in
> another DMZ segment. So far so good.
>  
> I found out that the mail relay acts as an open relay. Why? I further
> found out that the fw1 security server, which intercepts the connection,
> establishes the connection to the mail relay after CVP checking. Because
> of the rule above, this is the same with incoming and outgoing mail. The
> result is that the IP address of the internal fw1 interface in the
> segment of the mail relay is the source IP address of all SMTP packets. So
> the relay can't differentiate between both directions. So how to tell the
> relay not to relay mail coming from outside to the outside? 
> This seems to be a problem. 
> One solution is to check outgoing mail after the relaying. I read
> somewhere that it's not recommended to involve the fw1 SMTP security
> server for outgoing mail. Is this true? Maybe there are problems with NAT?
> Another solution is to check the from and to fields with a resource of the
> fw1 security server. This causes some additional overhead besides the CVP
> checking.
> Any suggestions?
>  
> thanks
>  
> André
>  
>  
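
The situation in this thread, modelled as an added example that is not part of either message and is not FireWall-1 or sendmail configuration: the relay only ever sees the firewall's address as its peer, so a relay-side check by connecting IP accepts everything, while a recipient match at the firewall, where the original source is still visible, rejects outside-to-outside mail. All addresses, domains and function names are constructed, and the rule that only the internal network may send to foreign domains is an assumption.

```python
import ipaddress

# Constructed values for illustration only.
FW_DMZ_IP = "192.0.2.1"                            # firewall interface in the relay's segment
LOCAL_DOMAINS = {"example.com"}                    # domains the relay receives mail for
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # network of the internal mail server


def rcpt_domain(rcpt):
    """Domain part of an RCPT TO address, lower-cased, angle brackets removed."""
    return rcpt.strip("<> ").rsplit("@", 1)[-1].lower()


def relay_accepts(peer_ip, rcpt):
    """Relay-side check by connecting IP. The firewall address has to be
    trusted, otherwise proxied outbound mail would be refused."""
    return peer_ip == FW_DMZ_IP or rcpt_domain(rcpt) in LOCAL_DOMAINS


def firewall_match(orig_src_ip, rcpt):
    """Recipient match at the firewall, which still sees the real source.
    Assumption: only the internal network may send to foreign domains."""
    if ipaddress.ip_address(orig_src_ip) in INTERNAL_NET:
        return True
    return rcpt_domain(rcpt) in LOCAL_DOMAINS


def evaluate(orig_src_ip, rcpt):
    """Return (accepted without recipient match, accepted with it)."""
    # The security server opens its own connection, so the relay's peer is
    # always the firewall, whatever the original source was.
    without_match = relay_accepts(FW_DMZ_IP, rcpt)
    with_match = firewall_match(orig_src_ip, rcpt) and without_match
    return without_match, with_match


if __name__ == "__main__":
    cases = [  # constructed (original source, recipient) pairs
        ("198.51.100.7", "<user@example.com>"),          # inbound mail
        ("10.1.2.3", "<partner@example.net>"),           # outbound mail
        ("198.51.100.7", "<third.party@example.org>"),   # outside to outside
    ]
    for src, rcpt in cases:
        print(src, rcpt, evaluate(src, rcpt))
```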

