AW: [FW1] Open Relay AND SMTP Security Server
Hi André,

in the SMTP resource definition you can configure accepted recipient under the Match tab. This prevents spamming.

Hope it helps :-)

peter

> -----Original Message-----
> From: André Münch [SMTP:[email protected]]
> Sent: Friday, 20 October 2000 11:19
> To: [email protected]
> Subject: [FW1] Open Relay AND SMTP Security Server
>
> Hey there,
>
> all incoming mail is forwarded by the mail relay in the DMZ (sendmail) to
> the internal Exchange mail server. All outgoing mail is forwarded by the
> same mail relay.
>
> Now there is the following rule:
>
> ANY -> mail_relay Smtp_Scan accept
>
> The resource Smtp_scan directs the mail traffic to the CVP server in
> another DMZ segment. So far so good.
>
> I found out that the mail relay acts as an open relay. Why? I further
> found out that the fw1 security server, which intercepts the connection,
> establishes the connection to the mail relay after CVP checking. Because
> of the rule above, this is the same with incoming and outgoing mail. The
> result is that the IP address of the internal fw1 interface in the
> segment of the mail relay is the source IP address of all SMTP packets. So
> the relay can't differentiate between both directions. So how to tell the
> relay not to relay mail coming from outside to the outside?
> This seems to be a problem.
> One solution is to check outgoing mail after the relaying. I read
> somewhere that it's not recommended to involve the fw1 SMTP security
> server for outgoing mail. Is this true? Maybe there are problems with NAT?
> Another solution is to check the From and To fields with a resource of the
> fw1 security server. This causes some additional overhead besides the CVP
> checking.
> Any suggestions?
>
> thanks
>
> André
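
The situation discussed in this thread, as an added example that is not part of the original messages: a small Python model of why the relay's source-IP check stops distinguishing directions behind the security server, and how a recipient match applied on the firewall, where the real source is still visible, closes the relay. All addresses, networks and domains are constructed, and applying the recipient match only to connections from outside is an assumption.

```python
import ipaddress

# All values below are constructed for illustration.
FW_DMZ_IF = "192.0.2.1"                            # firewall interface in the relay's segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LOCAL_DOMAINS = {"example.org"}                    # domains the site accepts mail for


def relay_ip_policy(peer_ip):
    """Relay-side rule: relay for any client connecting from a trusted address.
    The firewall interface must be trusted, because outgoing mail arrives from it."""
    return peer_ip == FW_DMZ_IF


def rcpt_domain(rcpt):
    """Domain part of an envelope recipient, lower-cased."""
    return rcpt.rsplit("@", 1)[-1].lower()


def fw_resource_policy(orig_src, rcpt):
    """Firewall-side rule: the security server still sees the original source,
    so it can restrict recipients for connections that come from outside."""
    src = ipaddress.ip_address(orig_src)
    if any(src in net for net in INTERNAL_NETS):
        return True                                # outgoing mail: any recipient
    return rcpt_domain(rcpt) in LOCAL_DOMAINS      # incoming mail: local recipients only


def evaluate(envelopes):
    """Return (orig_src, rcpt, relay_decision, firewall_decision) per envelope."""
    results = []
    for orig_src, rcpt in envelopes:
        peer_seen_by_relay = FW_DMZ_IF             # proxying replaces the source address
        results.append((orig_src, rcpt,
                        relay_ip_policy(peer_seen_by_relay),
                        fw_resource_policy(orig_src, rcpt)))
    return results


SAMPLE = [                                         # constructed envelopes
    ("10.1.1.5", "partner@example.net"),           # inside  -> outside
    ("203.0.113.9", "user@example.org"),           # outside -> local
    ("203.0.113.9", "someone@example.net"),        # outside -> outside (must be refused)
]

if __name__ == "__main__":
    for src, rcpt, relay_ok, fw_ok in evaluate(SAMPLE):
        print(f"{src:>12} -> {rcpt:<22} relay-by-IP={relay_ok}  fw-recipient-match={fw_ok}")
```

The relay-by-IP column is True for every envelope, which is the open relay described in the question; only the firewall-side recipient match refuses the outside-to-outside case.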