
[FW1] SMTP Security servers



Hi
 
I have gone through various docs at the Check Point site and through mailing list advice, including the one below.
I am trying to start the SMTP security server on a PDS2100 box, but no luck so far. I understand that the fw daemon
has to start it after I upload the policy and restart fw. It doesn't work. I am thinking of giving up on it.
 
Any ideas?
 
Thanks,
Naresh
 
 

---------------------------------------------------------------------------------------------------------------------------------   
Bless me BOFH for I have sinned.  My last LARTing was 2 months ago....

I had to do the following: Replace a Gauntlet proxy server on BSD with
FW-1 on NT.

This was first time doing this on NT and I learned quite a bit.  Here is
the environment:
BSD box had been the firewall, DNS primary server for the client's
domain, and advertised as the MX record for their domain.
Client had internal MS Exchange box as his mail server, but was not
advertising this box through DNS.  Mail would come into the firewall and
get relayed to the internal box.  Customer wanted to duplicate this with
FW-1.

I had to build the NT box offline as we were going to drop it in as a
replacement.

LESSONS LEARNED:
1) Disable DNS if you are offline from the DNS server.  Make sure you
put the IP addresses of all the interface cards in NT's hosts file.
Still disable DNS, as sometimes NT will still attempt a gethostbyname and
not always check its hosts file.

2) Be sure to patch to at least 3064 if you are going to use the SMTP
security server.  I patched to 3072 and am waiting for the inevitable
other problems I haven't discovered yet to crop up.

3) I had to set up a resource to block potential spam relays.  Through
much help from this list I was able to do so by defining an SMTP
resource.  In this resource I defined a Sender of "*" and a recipient of
"*@*myclientsdomain.com". I put a rule in saying:
Any  firewall  smtp->relay_block_resource  accept  long.

Now here was the kicker.  Putting the IP address as the default email
server in the SMTP Security server setup or in the resource setup field
WOULD NOT WORK.  It had to be the domain name of the mailserver box.
FW-1 would always attempt to resolve the name via DNS so THE MAILSERVER
HAD TO HAVE A DNS ENTRY.  Not necessarily an MX record but at least a
DNS entry.  Putting it in the hosts table did not work. I am used to
Unix where an nsswitch.conf file can be set to look first in hosts table
then DNS, but I don't know the equivalent on NT.

4) For the SMTP security server to work correctly with consistency I had
to have LOGGING TURNED ON for that rule. When it was off it sometimes
would not work.

The end result is that we didn't have to change DNS other than adding
the internal mailhost with an entry (and PTR, of course).  Mail comes into
the external IP of the firewall and gets forwarded to the Exchange box
just fine. Outgoing mail goes out fine by having the NT Exchange server
make DIRECT connections and not attempting to relay out through the
firewall.

Hopefully this will help someone else fighting the same headache I've
been going through for the last week.  My thanks to all on the list who
pitched in with ideas and suggestions.  Also I found the
http://search.securepoint.com web site an invaluable tool.

Mike
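An added illustration of the anti-relay resource from lesson 3 above. This is not code from the original posts or from Check Point; it assumes that the Sender and Recipient fields of an FW-1 SMTP resource are matched as shell-style wildcards, and it uses Python's fnmatch to model that. The point it makes is that the posted recipient pattern "*@*myclientsdomain.com" is wider than it looks: the leading "*" in the domain part also matches names such as "notmyclientsdomain.com", so the firewall accepts (and hands to the internal mail server) mail for domains the client is not responsible for. The tightened patterns, the probe addresses and the domain list are all constructed for the example.

```python
import fnmatch

# Added example (not code from the original post or from Check Point).
# Models the anti-relay SMTP resource described in lesson 3 ("Sender *",
# "Recipient *@*myclientsdomain.com") and shows why the leading "*" in the
# recipient domain is wider than intended. Assumption: the resource fields
# are matched as shell-style globs, which is what fnmatch implements here.

LOOSE_RESOURCE = {
    "sender": ["*"],
    "recipient": ["*@*myclientsdomain.com"],   # pattern as written in the post
}

# Tightened version (constructed): the exact domain plus real subdomains only.
TIGHT_RESOURCE = {
    "sender": ["*"],
    "recipient": ["*@myclientsdomain.com", "*@*.myclientsdomain.com"],
}

# Domains the firewall is actually responsible for (assumed for the example).
INTENDED_DOMAINS = ("myclientsdomain.com",)


def _matches_any(patterns, value):
    """Case-insensitive glob match of an address against a list of patterns."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def resource_allows(resource, sender, recipient):
    """True if both the sender and the recipient pattern of the resource match.

    The SMTP null reverse-path used by bounces is written here as "" and is
    still matched by the "*" sender pattern, which is the behaviour you want.
    """
    return (_matches_any(resource["sender"], sender)
            and _matches_any(resource["recipient"], recipient))


def relay_decision(resource, sender, recipient):
    """Mirror the posted rule base: the single rule accepts mail matching the
    resource; everything else falls through to the implicit drop."""
    return "accept" if resource_allows(resource, sender, recipient) else "drop"


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def _is_intended(domain):
    return any(domain == d or domain.endswith("." + d) for d in INTENDED_DOMAINS)


def find_overbroad_accepts(resource, probe_recipients, sender="probe@example.net"):
    """Return the probe recipients the resource would accept even though their
    domain is not one the firewall should be receiving mail for."""
    return [r for r in probe_recipients
            if relay_decision(resource, sender, r) == "accept"
            and not _is_intended(_domain_of(r))]


# Constructed probe set; the last two are the relay-abuse cases.
PROBES = [
    "bob@myclientsdomain.com",
    "bob@mail.myclientsdomain.com",
    "victim@notmyclientsdomain.com",
    "victim@evil-myclientsdomain.com",
]

if __name__ == "__main__":
    for name, res in (("loose", LOOSE_RESOURCE), ("tight", TIGHT_RESOURCE)):
        print(name, "accepts outside the client's domains:",
              find_overbroad_accepts(res, PROBES))
```

Running the block lists the two probe addresses the loose pattern lets through and an empty list for the tightened pair. Keeping the sender pattern at "*" is deliberate: restricting the sender would block legitimate bounces with a null reverse-path, and relay control belongs on the envelope recipient anyway.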

   All contents © 2004 Network Presence, LLC. All rights reserved.