Hi

I have gone through various docs at the Check Point site and through mailing list advice, including the one below.

I am trying to start the SMTP security server on a PDS2100 box but no luck so far. I understand that the fw daemon has to start it after I upload the policy and restart fw. It doesn't work. I am thinking of giving up on it.

Any ideas?

Thanks,
Naresh
---------------------------------------------------------------------------------------------------------------------------------
Bless me BOFH for I have sinned. My last LARTing was 2 months ago....

I had to do the following: replace a Gauntlet proxy server on BSD with FW-1 on NT. This was my first time doing this on NT and I learned quite a bit. Here is the environment: the BSD box had been the firewall, DNS primary server for the client's domain, and advertised as the MX record for their domain. The client had an internal MS Exchange box as his mail server, but was not advertising this box through DNS. Mail would come into the firewall and get relayed to the internal box. The customer wanted to duplicate this with FW-1. I had to build the NT box offline as we were going to drop it in as a replacement.

LESSONS LEARNED:

1) Disable DNS if you are offline from the DNS server. Make sure you put the IP addresses of all the interface cards in NT's hosts file. Still disable DNS, as sometimes NT will still attempt a gethostbyname and not always check its hosts file.

2) Be sure to patch to at least 3064 if you are going to use the SMTP security server. I patched to 3072 and am waiting for the inevitable other problems I haven't discovered yet to crop up.

3) I had to set up a resource to block potential spam relays. Through much help from this list I was able to do so by defining an SMTP resource. In this resource I defined a Sender of "*" and a Recipient of "*@*myclientsdomain.com". I put a rule in saying: Any firewall smtp->relay_block_resource accept long.

Now here was the kicker. Putting the IP address as the default email server in the SMTP Security server setup or in the resource setup field WOULD NOT WORK. It had to be the domain name of the mailserver box. FW-1 would always attempt to resolve the name via DNS, so THE MAILSERVER HAD TO HAVE A DNS ENTRY. Not necessarily an MX record, but at least a DNS entry. Putting it in the hosts table did not work. I am used to Unix, where an nsswitch.conf file can be set to look first in the hosts table then DNS, but I don't know the equivalent on NT.

4) For the SMTP security server to work correctly with consistency I had to have LOGGING TURNED ON for that rule. When it was off it sometimes would not work.

The end result is that we didn't have to change DNS other than adding the internal mailhost with an entry (and PTR of course). Mail comes into the external IP of the firewall and gets forwarded to the Exchange box just fine. Outgoing mail goes out fine by having the NT Exchange server make DIRECT connections and not attempting to relay out through the firewall.

Hopefully this will help someone else fighting the same headache I've been going through for the last week. My thanks to all on the list who pitched in with ideas and suggestions. Also I found the http://search.securepoint.com web site an invaluable tool.

Mike
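An added example, not code from the post or from Check Point, modelling the relay-blocking SMTP resource in lesson 3 as an accept/reject check over constructed envelopes. It assumes the resource's "*" wildcards behave like shell-style globs (the post does not spell out FW-1's matching rules); the second, tighter recipient pattern set is this example's suggestion, not something the post describes.

```python
"""Model of the relay-blocking SMTP resource described in the post.

Constructed example, not Check Point code. Assumes "*" in the resource
behaves like a shell-style glob, so it also matches '@' and '.'.
"""
from fnmatch import fnmatchcase

# The resource as the post describes it: any sender, recipients only in
# the client's domain; anything else is treated as a relay attempt.
POST_RESOURCE = {
    "sender": "*",
    "recipients": ["*@*myclientsdomain.com"],
}

# Tighter variant (this example's assumption, not from the post): the
# domain is anchored so only the exact domain or a subdomain matches.
TIGHTER_RESOURCE = {
    "sender": "*",
    "recipients": ["*@myclientsdomain.com", "*@*.myclientsdomain.com"],
}


def relay_allowed(resource, sender, recipient):
    """True if the envelope (sender, recipient) matches the resource."""
    sender = sender.strip().lower()        # addresses compared case-insensitively
    recipient = recipient.strip().lower()
    if not fnmatchcase(sender, resource["sender"]):
        return False
    return any(fnmatchcase(recipient, pat) for pat in resource["recipients"])


def evaluate(resource, envelopes):
    """Return (sender, recipient, verdict) for each constructed envelope."""
    return [
        (s, r, "accept" if relay_allowed(resource, s, r) else "reject")
        for s, r in envelopes
    ]


# Constructed sample envelopes: inbound mail for the client, a relay
# attempt to an outside domain, and a lookalike domain with the same suffix.
SAMPLE_ENVELOPES = [
    ("someone@example.net", "bob@myclientsdomain.com"),
    ("someone@example.net", "bob@mail.myclientsdomain.com"),
    ("someone@example.net", "victim@example.org"),
    ("someone@example.net", "bob@notmyclientsdomain.com"),
]

if __name__ == "__main__":
    for name, res in (("post", POST_RESOURCE), ("tighter", TIGHTER_RESOURCE)):
        for s, r, verdict in evaluate(res, SAMPLE_ENVELOPES):
            print(f"{name:8} {s} -> {r}: {verdict}")
```

Running it shows the post's pattern rejecting the outside relay attempt but accepting the lookalike domain, which the anchored patterns reject while still accepting mail for the client's domain and its subdomains.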