
[FW1] Re: SMTP troubles with FW-1, eSafe and a Notes SMTP Relay



Hi Vitaly,
this was the only way the Trend Micro VirusWall SMTP service, FW-1 and the
CVP protocol would run without any problems. If you have any other idea, I
would love your input.
Hints for my interpretation of how the FW-1 sendmail daemon works and fails
I found on Trend Micro's support pages:
http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=6244

next:
>>>>>This way priv_dmz2_tmvw is left without FW-1 SMTP protection.  Why not
>>>>>just remove the second rule?  Things should work anyway, provided that
>>>>>pub_intra_mail is your MX.

priv_dmz2_tmvw is an RFC 1918 class C address and can only be reached from
the inside. I can live with this, but I will check whether it is possible to
check out/delete the rule. I'm thankful for deleting all unnecessary rules
from the rule base.

Thanks for your tips,
Frank


-----Original Message-----
From: Vitaly Fedrushkov [mailto:[email protected]]
Sent: Tuesday, 13 February 2001 20:22
To: Sommerfeld, Frank
Cc: 'GARCIA Frédéric'; [email protected]
Subject: Re: SMTP troubles with FW-1, eSafe and a Notes SMTP Relay


Good $daytime,

> Date: Mon, 12 Feb 2001 21:48:47 +0100
> From: "Sommerfeld, Frank" <[email protected]>
> To: 'GARCIA Frédéric' <[email protected]>,
>      [email protected]
> Subject: Re: [FW1] SMTP troubles with FW-1, eSafe and a Notes SMTP Relay

> The problem is the sendmail daemon from Check Point's firewall. It
> does a DNS name resolution of the mail server, but it asks only the
> first MX server (the one with the highest priority). If this server
> is not available, it will not send the email and tries to resend it
> every x minutes (this belongs to the configuration for FW-1,
> configuration tool).

AFAIK that's not quite right.  The FW-1 mail dequeuer tries to deliver to
the same address that was used by the original sender, not necessarily
the best MX.  For example, it can copy the sophisticated behavior of one's
mailertable.

The problem arises when the original connection is intercepted by the
SMTP security server.  The positive reply is spoofed without any
checking of the target host's existence.  This (a) leaves the sender happy,
and (b) renders MXes unusable.  In particular, if the best MX is
unreachable, no mail will ever be delivered.

This behavior was expected (among my support crew) to be fixed in SP3.
Nope, AFAICT.

> - priv_dmz2_tmvw, pub_dnsservers, dns, allow
> - any, priv_dmz2_tmvw, smtp, allow 
> - priv_dmz2_tmvw, any, smtp, allow
> - any, pub_intra_mail, smtp->ZR_TMVW_SMTP,allow
> - priv_intra_mail, any, smtp->ZR_TMVW_SMTP,allow

This way priv_dmz2_tmvw is left without FW-1 SMTP protection.  Why not
just remove the second rule?  Things should work anyway, provided that
pub_intra_mail is your MX.

  Regards,
  Willy.

--
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Control Systems and Processes Division
 But iron sacrifice          | LUKOIL Company, Chelyabinsk Branch
 Of Body, Will and Soul."    | mailto:[email protected]  +7 3512 620367
                   R.Kipling |
Scanned by Trend Micro Viruswall Version 3.4



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
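The failure Vitaly describes above, as an added example that is not code from either poster or from Check Point: a sending MTA walks the MX list in preference order and only gives up when every MX refuses, but once an intercepting SMTP proxy answers 250 for the best MX, the sender stops there; the dequeuer then retries exactly that host, so a down best MX means the message is stuck even though a secondary MX is up. The host names, MX preferences and the "which hosts are up" set are constructed, and the MX-walking dequeuer at the end shows what a store-and-forward relay would have to do instead (general SMTP behaviour, not a claim about any FW-1 service pack).

```python
"""Model of the intercepted-SMTP / MX fallback problem (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone data: two MX hosts, mx1 preferred (lower value wins).
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(10, "mx1.example.com"), (20, "mx2.example.com")],
}


def mx_hosts(domain: str) -> List[str]:
    """MX hosts in RFC 2821 preference order (lowest value first)."""
    return [host for _, host in sorted(MX_RECORDS[domain])]


@dataclass
class Network:
    """Constructed model of which hosts currently answer on TCP/25."""
    up: Set[str]

    def deliver(self, host: str) -> bool:
        return host in self.up


def direct_sender(domain: str, net: Network) -> Optional[str]:
    """An RFC-compliant sending MTA talking straight to the MX hosts:
    it only gives up after every MX has refused the connection."""
    for host in mx_hosts(domain):
        if net.deliver(host):
            return host
    return None  # stays in the sender's own queue and is retried later


@dataclass
class SmtpSecurityServer:
    """Behaviour described in the thread: the connection to the best MX is
    intercepted, a 250 is returned without checking the target, and the
    dequeuer later retries exactly the host the sender addressed."""
    net: Network
    queue: List[Tuple[str, str]] = field(default_factory=list)

    def accept(self, target: str, message: str) -> str:
        self.queue.append((target, message))
        return "250 OK"  # spoofed: target may be down

    def dequeue(self) -> List[str]:
        """Retry each queued message against its original target only."""
        delivered, still_queued = [], []
        for target, message in self.queue:
            if self.net.deliver(target):
                delivered.append(target)
            else:
                still_queued.append((target, message))
        self.queue = still_queued
        return delivered


def intercepted_sender(domain: str, proxy: SmtpSecurityServer, message: str) -> str:
    """Sending MTA whose connection to the best MX hits the security server.
    The 250 ends its MX loop immediately: mx2 is never tried."""
    best = mx_hosts(domain)[0]
    reply = proxy.accept(best, message)
    if not reply.startswith("250"):
        raise RuntimeError("model assumes the proxy always accepts")
    return best


def dequeue_with_mx_fallback(proxy: SmtpSecurityServer, domain: str) -> List[str]:
    """What a store-and-forward relay should do instead: re-resolve the
    recipient domain and walk the MX list itself (illustration only)."""
    delivered, still_queued = [], []
    for target, message in proxy.queue:
        host = direct_sender(domain, proxy.net)
        if host:
            delivered.append(host)
        else:
            still_queued.append((target, message))
    proxy.queue = still_queued
    return delivered


def scenario(best_mx_up: bool, fixed_dequeuer: bool = False):
    """Return (host a direct sender reached, hosts the proxy delivered to,
    number of messages left stuck in the proxy queue)."""
    up = {"mx2.example.com"} | ({"mx1.example.com"} if best_mx_up else set())
    net = Network(up)
    direct = direct_sender("example.com", net)
    proxy = SmtpSecurityServer(net)
    intercepted_sender("example.com", proxy, "test message")
    if fixed_dequeuer:
        delivered = dequeue_with_mx_fallback(proxy, "example.com")
    else:
        delivered = proxy.dequeue()
    return direct, delivered, len(proxy.queue)


if __name__ == "__main__":
    print("best MX up:        ", scenario(best_mx_up=True))
    print("best MX down:      ", scenario(best_mx_up=False))
    print("down, MX-aware dq: ", scenario(best_mx_up=False, fixed_dequeuer=True))
```

With the best MX down, the direct sender lands on mx2 while the proxied path reports success to the sender and leaves the message in the proxy queue; the last scenario only recovers because the dequeuer resolves MX records itself, which is the part the thread says the FW-1 dequeuer does not do.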
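Vitaly's rule-base remark (the second rule lets SMTP reach priv_dmz2_tmvw without the SMTP security server) and Frank's answer (the host is RFC 1918, so it is unreachable from the Internet anyway) can be checked mechanically. The following is an added example, not the posters' code or a Check Point tool: it parses the five rules exactly as quoted in the thread, flags SMTP allow rules whose destination has no security server resource, and notes whether that destination is an RFC 1918 address. The thread gives no addresses, so the object-to-address mapping below is constructed; only priv_dmz2_tmvw being RFC 1918 comes from the message.

```python
"""Audit of the SMTP rule base quoted in the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules copied verbatim from the message: source, destination, service, action.
RULES_TEXT = """\
priv_dmz2_tmvw, pub_dnsservers, dns, allow
any, priv_dmz2_tmvw, smtp, allow
priv_dmz2_tmvw, any, smtp, allow
any, pub_intra_mail, smtp->ZR_TMVW_SMTP,allow
priv_intra_mail, any, smtp->ZR_TMVW_SMTP,allow
"""

# Constructed addresses for the named objects (assumption; the thread only
# states that priv_dmz2_tmvw is RFC 1918). 203.0.113.0/24 is documentation space.
OBJECTS = {
    "priv_dmz2_tmvw": "192.168.2.10",
    "priv_intra_mail": "10.1.1.25",
    "pub_intra_mail": "203.0.113.25",
    "pub_dnsservers": "203.0.113.53",
}

# Checked explicitly rather than via ip_address().is_private, which also
# covers documentation ranges and other special-purpose blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    resource: Optional[str]  # FW-1 "service->resource" part, if any
    action: str


def parse_rules(text: str) -> List[Rule]:
    """Parse 'src, dst, service[->resource], action' lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, svc, action = [f.strip() for f in line.split(",")]
        service, _, resource = svc.partition("->")
        rules.append(Rule(src, dst, service, resource or None, action))
    return rules


def is_rfc1918(obj: str) -> bool:
    addr = OBJECTS.get(obj)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def unprotected_smtp(rules: List[Rule]) -> List[Tuple[int, str, str, bool]]:
    """SMTP allow rules that deliver to a named destination without a
    security server resource. Returns (rule number, src, dst,
    destination is Internet-routable?)."""
    findings = []
    for number, r in enumerate(rules, 1):
        if (r.service == "smtp" and r.action == "allow"
                and r.resource is None and r.dst != "any"):
            findings.append((number, r.src, r.dst, not is_rfc1918(r.dst)))
    return findings


if __name__ == "__main__":
    for number, src, dst, routable in unprotected_smtp(parse_rules(RULES_TEXT)):
        where = "Internet-routable" if routable else "RFC 1918, internal only"
        print(f"rule {number}: {src} -> {dst} smtp without security server ({where})")
```

The only finding is rule 2, with the destination marked internal-only, which matches both halves of the exchange: the rule does bypass the SMTP security server, and with an RFC 1918 destination the exposure is to internal senders rather than the Internet.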


