Re: [FW-1] Stopping SMTP Relay on CP FW4.1
Hi All,

I am also currently working on testing Trendmicro's Viruswall solution for a mail server behind FW-1 using CVP.

From what I have read in the archives, FW-1 is by default an open relay, and the solution to stop this is to specify the domains you MX for in the firewall config (which you specifically allow), and then deny all weird characters and other domains. All domains are also in the mail server config of course.

Or else have some other mail server before the firewall to take care of the relaying... something like a bastion host, from what I gather, to cover up for FW-1.

A question to all of you out there who have 100+ domains on your mail servers:

- Is the above the only way (or ways) to go about it, assuming you must use CVP (at least for now)?
- Has Checkpoint released a fix?

Or are all people with many domains not using CVP at all, and leaving it all up to the mail server? In this case is your anti-virus installed on the same machine as the mail server?

Many thanks
Mark

----- Original Message -----
From: "Yves Belle-Isle" <[email protected]>
To: <[email protected]>
Sent: Monday, December 17, 2001 9:11 PM
Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1

> It's because % and ! in address mail are used to do redirection of email
> with construct like: somebody%[email protected]
> which in some case would be seen as mail for YourDomain and
> processed as mail for OtherDomain. As they are not legally used
> as mail address we can safely drop and email address with those
>
> If you want to know if your mail server is really protected by
> your FW-1 you can use mail-abuse.org test procedure as described at
> http://www.mail-abuse.org/tsi/ar-test.html
>
> To use it from your MAIL SERVER console do a telnet to :
> relay-test.mail-abuse.org
>
> YOU MUST DO IT FROM YOUR MAIL SERVER !
>
> That will try to connect to your port 25 (Filtered by your FW-1)
> and will try a lot of ways to relay email from your server.
>
> It will show in the telnet window all those it try and a final
> result message. With my filter in place you should see this final one:
>
> System appeared to reject relay attempts
>
> Try it...
>
> At 15:44 2001-12-17 +0600, [email protected] wrote:
> >Hi Yves
> >
> >I just read that your solutions did work. I would like to try this too. Can
> >you pl tell me the significance of
> >"*{*%*,*!*}*" for match recipient? What exactly are redirection
> >characters?
> >
> >I am pretty new to firewall admin
> >
> >Thanks
> >
> >Yves Belle-Isle <[email protected]> wrote on 14-12-2001 20:06
> >
> >
> >You have to block SMTP relaying on the FW-1 in a
> >SMTP Security resource because by default the FW-1
> >SMTP Security server is wide open to SMTP relaying.
> >
> >Use objects/rules like this:
> >
> > First:  Name: SMTP-Reject_dest
> >         Comment: Reject common redirection characters
> >         Exception Track: Log
> >         Notify Sender On Error
> >         Match Recipient: *{*%*,*!*}*
> >         Strip MIME of type:
> >         Don't Accept Mail Larger Than 999999 KB
> >         CVP Server Anti_Virus
> >         CVP Read/Write
> >         Allowed Chars: 8-bit
> >
> > Second: Name: SMTP-RCV
> >         Comment: Receive email for our domains
> >         Exception Track: Log
> >         Notify Sender On Error
> >         Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
> >         Strip MIME of type:
> >         Don't Accept Mail Larger Than 999999 KB
> >         CVP Server Anti_Virus
> >         CVP Read/Write
> >         Allowed Chars: 8-bit
> >
> >With the two following rules:
> >
> >Source  Destination      Service                   Action  Track  Comment
> >any     our_SMTP_Server  smtp -> SMTP-Reject_dest  Reject  Long   EMAIL with redirect characters
> >any     our_SMTP_Server  smtp -> SMTP-RCV          Accept  Long   EMAIL for our domains
> >
> >All other incoming traffic is dropped by the catch all rule.
> >
> >If we put only the second rule with nothing in the Match Recipient,
> >anyone can do SMTP relay thru our FW-1 Security server !
> >
> >
> ------------------------------------------------------------
> Yves Belle-Isle V.P.
VE2YBI YB17 Email: [email protected]
> Responsable des Systemes Tel:
> Sogi Informatique Ltee. Fax:
> ------------------------------------------------------------
>
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> If you have any questions on how to change your
> subscription options, email Ron Alcatraz at:
> [email protected]
> =================================================
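
The two-resource recipient filter quoted in this thread, modelled as an added example (not part of the original messages and not Check Point's own matcher). It assumes first-match rule order, approximates the `{a,b}` pattern syntax with glob matching, and uses example.com / example.org as constructed stand-ins for "our domains".

```python
import fnmatch
import re

# Constructed sample policy mirroring the two resources quoted in the thread.
RULES = [
    ("SMTP-Reject_dest", "*{*%*,*!*}*", "reject"),
    ("SMTP-RCV", "{*@example.com,*@example.org}", "accept"),
]

def expand_braces(pattern):
    """Expand {a,b,...} alternatives into plain glob patterns, one group at a time."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out

def matches(pattern, recipient):
    """Case-insensitive glob match of a recipient against a brace pattern."""
    rcpt = recipient.lower()
    return any(fnmatch.fnmatchcase(rcpt, p.lower()) for p in expand_braces(pattern))

def decide(recipient, rules=RULES):
    """First matching resource wins; anything unmatched hits the catch-all drop."""
    for name, pattern, action in rules:
        if matches(pattern, recipient):
            return name, action
    return "catch-all", "drop"

if __name__ == "__main__":
    samples = [  # constructed recipients
        "user@example.com",
        "somebody%otherdomain.test@example.com",
        "otherdomain.test!somebody@example.com",
        "victim@otherdomain.test",
    ]
    for rcpt in samples:
        print(f"{rcpt:42} {decide(rcpt)}")
    # Reversed order: the accept rule sees *@example.com first and lets the
    # percent-routed address through, which is why the reject rule comes first.
    print(decide(samples[1], rules=list(reversed(RULES))))
```
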