
Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!



We also experienced this problem quite some time ago.  Solution was to
define an SMTP resource that matches {*%*,*!*}@domainname and then we just
deny this.  I agree that it would be nice to have a checkbox to disallow some
special characters.


>
> I had the same problem when using an SMTP Scanning relay (McAfee)
>
> It was receiving the mail, scanning it and then relaying it to the mail
> servers.
>
> I was blacklisted at orbz.org for nearly a day.  I had to revert back to
> using a linux box to answer port 25 connections, then relay valid mail to
> the SMTP scanner which in turn delivers the mail to the mail servers.  QUITE
> a pain in the butt..
>
> I have also tried using the SMTP CVP scanning, but it does exactly the same
> thing.  I think it's more an issue with the anti-virus software than
> checkpoint's CVP implementation...
>
> Regardless, I would always prefer to have something a bit more robust
> handling the inbound email.  I can't really say that I would be comfortable
> having Exchange server accepting SMTP connections from the internet...
>
> Joe
>
>
> ======================================================================
> Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
> www.engelmachinery.com | [email protected] |
> ======================================================================
>
>
> -----Original Message-----
> From: Miles D. Oliver [mailto:[email protected]]
> Sent: Tuesday, October 23, 2001 10:53 AM
> To: [email protected]
> Subject: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!
>
>  The Check Point Firewall-1 secure SMTP server will allow for mail
> relaying.
>
>  We have set up many installations of Trend Micro's InterScan Viruswall, the
> CVP version, to scan incoming mail for our customers.
>
>  We have recently noticed that many of our customers have been
> 'BLACKLISTED' for e-mail relaying when using an SMTP resource that uses
> the Check Point Firewall-1 Secure SMTP server.
>
>  Defining a domain or multiple domains in the recipient field of the 'match'
> tab for all SMTP resources will only prevent a small amount of mail
> relaying. It only checks against the characters EXPLICITLY defined in the
> recipient field of the match tab.
>
>  For example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[email protected]
> 250 <[email protected]>... Sender ok
> rcpt to:<[email protected]>
> 450 Mailbox unavailable.
>
>  For mail sent from [email protected] to [email protected], only the domain will
> be checked and relaying will be denied.
>
>  However, when the recipient is defined using special characters such as
> the "%" character, mail will be allowed to be relayed.
>
>  For Example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[email protected]>
> 250 <[email protected]>... Sender ok
> rcpt to:<jane%[email protected]>
> 250 <jane%hotmail.com@lg... Recipient ok
>
>  Mail sent from [email protected] to jane%[email protected]  will allow
> the mail to be relayed to [email protected] THROUGH the Check Point SMTP
> secure server.
>
>  Big problem... This should not be happening.
>
>  We have had to make adjustments to all of our InterScan Viruswall
> implementations with CVP.
>
>  We have had to implement a mail server in a DMZ to accept all mail for
> the domain, using Sendmail 8.12.1 and its anti-relaying functions, change all
> MX records on the Internet, and then allow the mail server in the DMZ to
> forward mail to the internal mail server through the firewall, so as to use
> the CVP resource, scan the mail, and deliver it to the internal mail server.
>
>  While many would say that it is not a good idea to have the Check Point
> firewall do relay checking, and that it should be handled by a REAL mail server,
> my question is...
>
>    Why does all the documentation that I have read for configuring CVP
> resources say that the firewall should be the 'inbound' point for
> incoming mail?
>
>   I've looked all over Check Point's website for any information about
> mail relaying and there is NOTHING in the Secure Knowledge base about this
> BUG in the SMTP Secure server.
>
>  So, in a nutshell, if you are using InterScan Viruswall or any of the
> other CVP based tools, be prepared to set up an additional mail server to
> initially receive the incoming mail and then forward it to the firewall to
> use your defined SMTP resource.
>
>  In my opinion the Check Point SMTP secure server is INSECURE and does not
> work as it should if it is to be accepting mail to pass to a CVP
> resource for scanning and then delivery to the internal mail server.
>
> It should NOT allow relaying.
>
>  Don't use it unless you are prepared to be 'BLACKLISTED'.
>
> --
> Miles D. Oliver
>  Senior Systems Engineer - CCSA/CCSE
>  LGI
>  10450 Shaker Drive  Suite 208
>  Columbia Maryland USA 21046
>  VOICE>  FAX>  EMAIL  [email protected]
>  WEB    www.lgi.com
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>

Ivan E. Auger
[email protected]
Director, Computational Molecular Biology & Statistics Core
Consultant, Computer Systems
Wadsworth Center - New York State Health Dept.

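The thread describes two things: how a recipient check that only compares the domain part is bypassed by "percent hack" (user%host@ourdomain) and UUCP bang-path (host!user@ourdomain) addresses, and the workaround of an SMTP resource that matches {*%*,*!*}@domainname and denies it. The following Python is an added illustration of that recipient policy and is not code from the thread, from Check Point, or from Sendmail. It assumes a constructed accepted domain (example.com) and constructed addresses, and it goes one step beyond the page by also refusing an "@" embedded in the local part, which is the same class of routing trick; that third pattern is the editor's assumption, not something the posters mention.

```python
import re
from fnmatch import fnmatchcase

# Domains this gateway accepts mail for (constructed values for the example).
ACCEPTED_DOMAINS = {"example.com"}

# Local-part patterns to refuse even when the domain matches. The first two
# mirror the {*%*,*!*}@domainname resource from the reply above: "%" is the
# percent hack (user%host), "!" a UUCP bang path (host!user). The third
# ("@" inside the local part) is an assumption added here; it is not on the page.
DENIED_LOCAL_PATTERNS = ("*%*", "*!*", "*@*")

_RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)


def parse_rcpt(line):
    """Return the address inside an 'RCPT TO:<...>' command, or None if malformed."""
    m = _RCPT_RE.match(line.strip())
    if not m:
        return None
    addr = m.group(1)
    # RFC 821 explicit source routes look like "@relay1,@relay2:user@dest".
    # Judge the final mailbox, not the route prefix.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    return addr


def split_address(addr):
    """Split on the LAST '@', so 'user@inner@example.com' keeps the embedded
    '@' inside the local part where the deny patterns can see it."""
    if "@" not in addr:
        return None, None
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def relay_decision(rcpt_line, accepted_domains=ACCEPTED_DOMAINS):
    """Decide whether a RCPT TO command may be accepted.

    Returns (accepted, smtp_reply). Only a plain mailbox at one of our own
    domains is accepted; a foreign domain or a routed local part is refused
    as relaying. The reply codes are the usual ones a relay-refusing MTA
    sends; the firewall in the thread answered 450 instead."""
    addr = parse_rcpt(rcpt_line)
    if addr is None:
        return False, "501 Syntax error in parameters or arguments"
    local, domain = split_address(addr)
    if domain is None or domain not in accepted_domains:
        # Domain-only check: this is all the firewall resource did.
        return False, "550 Relaying denied"
    if not local:
        return False, "501 Bad recipient address syntax"
    for pattern in DENIED_LOCAL_PATTERNS:
        if fnmatchcase(local, pattern):
            # Domain matched, but the local part carries a route to another host.
            return False, "550 Relaying denied (routing character in local part)"
    return True, "250 <%s>... Recipient ok" % addr


if __name__ == "__main__":
    # Constructed command lines modelled on the session in the original post.
    for line in (
        "rcpt to:<bob@example.com>",
        "rcpt to:<bob@other.example>",
        "rcpt to:<jane%hotmail.example@example.com>",
        "rcpt to:<hotmail.example!jane@example.com>",
        "rcpt to:<jane@hotmail.example@example.com>",
        "rcpt to:<@relay.example:bob@example.com>",
    ):
        accepted, reply = relay_decision(line)
        print("%-50s -> %s" % (line, reply))
```

The point the check makes is the one Miles raises: matching on the domain alone is not a relay policy, because the local part can still name a third host. Denying "%" and "!" in the local part, as Ivan's resource does, closes the two forms shown in the thread; a real MTA's anti-relay rules additionally normalise or refuse other routed forms before comparing.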



 