[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW1] AW: SMTP troubles with FW-1, eSafe and a Notes SMTP Relay
hi vitaly this was the only way how trendmicro viruswall smtp service will and f/w 1 and cvp protocol was going to run without any problems. if you have any other idea, i love input for input. hints to my interpretation of the working and failures of fw1-sendmail deamon i found at trendmicros support pages http://solutionbank.antivirus.com/solutions/solutionDetail.asp?solutionID=62 44 next: >>>>>This way priv_dmz2_tmvw is left without FW-1 SMTP protection. Why not >>>>>just remove the second rule? Things should work anyway, provided that >>>>>pub_intra_mail is your MX. priv_dmz2_tmvw is a rfc-1918 class c address and could only be reached from internal. i can live with this, but i will check if it is possible to checkout/delete the rule. i´m thankful for deleting all unneccessaery rules out of the base. thanx for your tips frank -----Ursprüngliche Nachricht----- Von: Vitaly Fedrushkov [mailto:[email protected]] Gesendet: Dienstag, 13. Februar 2001 20:22 An: Sommerfeld, Frank Cc: 'GARCIA Frédéric'; [email protected] Betreff: Re: SMTP troubles with FW-1, eSafe and a Notes SMTP Relay Good $daytime, > Date: Mon, 12 Feb 2001 21:48:47 +0100 > From: "Sommerfeld, Frank" <[email protected]> > To: 'GARCIA Frédéric' <[email protected]>, > [email protected] > Subject: AW: [FW1] SMTP troubles with FW-1, eSafe and a Notes SMTP Relay > the problem is the sendmail deamon from checkpoints firewall. it > makes a dns name resolution of the mail-server. but it asks only the > first mx server (the one with the highest priority). if this server > is not available, it will not send the email and tries to resend it > every x-minutes (belongs to the configuration for f/w1, > configuration tool). AFAIK that's not quite right. FW-1 mail dequeuer tries to deliver to the same address that was used by original sender, not nesessary being the best MX. For example, it can copy sophisticated behavior of one's mailertable. The problem arises when original connection is being intercepted by SMTP security server. The positive reply is spoofed without any checking of target host existance. This (a) leaves sender happy, and (b) renders MXes unusable. In particular, if best MX is unreachable, no mail will ever be delivered. This behavior was expected (among my support crew) to be fixed in SP3. Nope, AFAICT. > - priv_dmz2_tmvw, pub_dnsservers, dns, allow > - any, priv_dmz2_tmvw, smtp, allow > - priv_dmz2_tmvw, any, smtp, allow > - any, pub_intra_mail, smtp->ZR_TMVW_SMTP,allow > - priv_intra_mail, any, smtp->ZR_TMVW_SMTP,allow This way priv_dmz2_tmvw is left without FW-1 SMTP protection. Why not just remove the second rule? Things should work anyway, provided that pub_intra_mail is your MX. Regards, Willy. -- "No easy hope or lies | Vitaly "Willy the Pooh" Fedrushkov Shall bring us to our goal, | Control Systems and Processes Division But iron sacrifice | LUKOIL Company, Chelyabinsk Branch Of Body, Will and Soul." | mailto:[email protected] +7 3512 620367 R.Kipling |..................... Scanned by Trend Micro Viruswall Verion 3.4 .............................. ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|