Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!
We also experienced this problem quite some time ago. The solution was to define an SMTP resource that matches {*%*,*!*}@domainname and then we just deny this. I agree that it would be nice to have a checkbox to disallow some special characters.

>
> I had the same problem when using an SMTP scanning relay (McAfee).
>
> It was receiving the mail, scanning it and then relaying it to the mail servers.
>
> I was blacklisted at orbz.org for nearly a day. I had to revert back to using a Linux box to answer port 25 connections, then relay valid mail to the SMTP scanner which in turn delivers the mail to the mail servers. QUITE a pain in the butt..
>
> I have also tried using the SMTP CVP scanning, but it does exactly the same thing. I think it's more an issue with the anti-virus software than Checkpoint's CVP implementation...
>
> Regardless, I would always prefer to have something a bit more robust handling the inbound email. I can't really say that I would be comfortable having Exchange server accepting SMTP connections from the internet...
>
> Joe
>
> ======================================================================
> Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
> www.engelmachinery.com | [email protected] |
> ======================================================================
>
> -----Original Message-----
> From: Miles D. Oliver [mailto:[email protected]]
> Sent: Tuesday, October 23, 2001 10:53 AM
> To: [email protected]
> Subject: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!
>
> The Check Point Firewall-1 secure SMTP server will allow for mail relaying.
>
> We have set up many installations of Trend Micro's InterScan VirusWall, the CVP version, to scan incoming mail for our customers.
>
> We have recently noticed that many of our customers have been 'BLACKLISTED' for e-mail relaying when using an SMTP resource that uses the Check Point Firewall-1 Secure SMTP server.
>
> Defining a domain or multiple domains in the recipient field of the 'match' tab for all SMTP resources will only prevent a small amount of mail relaying. It only checks against the characters EXPLICITLY defined in the recipient field of the match tab.
>
> For example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[email protected]>
> 250 <[email protected]>... Sender ok
> rcpt to:<[email protected]>
> 450 Mailbox unavailable.
>
> Mail sent from [email protected] to [email protected]: only the domain will be checked and relaying will be denied.
>
> However, when the recipient is defined using special characters such as the "%" character, mail will be relayed.
>
> For example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[email protected]>
> 250 <[email protected]>... Sender ok
> rcpt to:<jane%[email protected]>
> 250 <jane%hotmail.com@lg... Recipient ok
>
> Mail sent from [email protected] to jane%[email protected] will allow the mail to be relayed to [email protected] THROUGH the Check Point SMTP secure server.
>
> Big problem... This should not be happening.
>
> We have had to make adjustments to all of our InterScan VirusWall implementations with CVP.
>
> We have had to implement a mail server in a DMZ to accept all mail for the domain, using Sendmail 8.12.1 and its anti-relaying functions, change all MX records on the Internet, and then allow the mail server in the DMZ to forward mail through the firewall, using the CVP resource to scan the mail, and on to the internal mail server.
>
> While many would say that it is not a good idea to have the Check Point firewall do relay checking, and that it should be handled by a REAL mail server, my question is...
>
> Why does all the documentation that I have read for configuring CVP resources say that the firewall should be the 'inbound' point for incoming mail?
>
> I've looked all over Check Point's website for any information about mail relaying and there is NOTHING in the Secure Knowledge base about this BUG in the SMTP Secure server.
>
> So, in a nutshell, if you are using InterScan VirusWall or any of the other CVP based tools, be prepared to set up an additional mail server to initially receive the incoming mail and then forward it to the firewall to use your defined SMTP resource.
>
> In my opinion the Check Point SMTP secure server is INSECURE and does not work as it should if it is to be accepting mail to pass to a CVP resource for scanning and then delivery to the internal mail server.
>
> It should NOT allow relaying.
>
> Don't use it unless you are prepared to be 'BLACKLISTED'.
>
> --
> Miles D. Oliver
> Senior Systems Engineer - CCSA/CCSE
> LGI
> 10450 Shaker Drive Suite 208
> Columbia Maryland USA 21046
> VOICE> FAX> EMAIL [email protected]
> WEB www.lgi.com
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

Ivan E. Auger
[email protected]
Director, Computational Molecular Biology & Statistics Core
Consultant, Computer Systems
Wadsworth Center - New York State Health Dept.