Re: [FW-1] Stopping SMTP Relay on CP FW4.1



Hi,

I have tried this solution a couple of times and have had lots of relay
problems! The filter rules on our mail server appear not to work (we are
using post.office) and so have to limit relaying by specifying allowed IP
numbers (instead of allowed domains). However, when we use CVP it makes all
mail appear to come from the firewall, which is of course an allowed IP!

I have had to remove the CVP scanning until I can make FW-1 effectively
block 'unwanted' mail. (I can't get this to work now because it is trying to
encrypt mail from the firewall spool to our server despite the firewall
being outside the encryption domain, and despite rules higher up the
rulebase that should prevent this from happening!)

If you can get round these problems (or if you don't have these probs to
start) then CVP works fine!

Rich

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Mark
Pace Balzan
Sent: 17 December 2001 20:51
To: [email protected]
Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1


Hi All,

I am also currently working on testing Trendmicro's Viruswall solution for a
mail server behind FW-1 using CVP

From what I have read in the archives, FW-1 is by default an open relay, and
the solution to stop this is to specify the domains you MX for in the
firewall config (which you specifically allow), and then deny all weird
characters and other domains. All domains are also in the mail server config
of course.

Or else have some other mail server before the firewall to take care of the
relaying,...something like a bastion host from what I gather to cover up for
FW-1


A question to all of you out there who have 100+ domains on your mail
servers:

- Is the above the only way (or ways) to go about it, assuming you must use
CVP (at least for now)
- Has Checkpoint released a fix ?

Or are all people with many domains not using CVP at all, and leaving it all
up to the mail server ?
In this case is your anti-virus installed on the same machine as the mail
server ?


Many thanks



Mark


----- Original Message -----
From: "Yves Belle-Isle" <[email protected]>
To: <[email protected]>
Sent: Monday, December 17, 2001 9:11 PM
Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1


> It's because % and ! in mail addresses are used to do redirection of email
> with constructs like: somebody%[email protected]
> which in some cases would be seen as mail for YourDomain and
> processed as mail for OtherDomain. As they are not legally used
> as mail address we can safely drop any email address with those
>
> If you want to know if your mail server is really protected by
> your FW-1 you can use mail-abuse.org test procedure as described at
> http://www.mail-abuse.org/tsi/ar-test.html
>
> To use it from your MAIL SERVER console do a telnet to :
> relay-test.mail-abuse.org
>
> YOU MUST DO IT FROM YOUR MAIL SERVER !
>
> That will try to connect to your port 25 (Filtered by your FW-1)
> and will try lots of ways to relay email from your server.
>
> It will show in the telnet window all those it tries and a final
> result message. With my filter in place you should see this final one:
>
> System appeared to reject relay attempts
>
> Try it...
>
> At 15:44 2001-12-17 +0600, [email protected] wrote:
> >Hi Yves
> >
> >I just read that your solution did work. I would like to try this too. Can
> >you pl tell me the significance of
> >"*{*%*,*!*}*" for match recipient? What exactly are redirection
> >characters?
> >
> >I am pretty new to firewall admin
> >
> >Thanks
> >
> >Yves Belle-Isle <[email protected]> wrote on 14-12-2001 20:06
> >
> >
> >You have to block SMTP relaying on the FW-1 in a
> >SMTP Security resource because by default the FW-1
> >SMTP Security server is wide open to SMTP relaying.
> >
> >Use objects/rules like this:
> >
> >   First: Name: SMTP-Reject_dest
> >          Comment: Reject common redirection characters
> >          Exception Track: Log
> >          Notify Sender On Error
> >          Match Recipient: *{*%*,*!*}*
> >          Strip MIME of type:
> >          Don't Accept Mail Larger Than 999999 KB
> >          CVP Server Anti_Virus
> >          CVP Read/Write
> >          Allowed Chars: 8-bit
> >
> >   Second: Name: SMTP-RCV
> >           Comment: Receive email for our domains
> >           Exception Track: Log
> >           Notify Sender On Error
> >           Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
> >           Strip MIME of type:
> >           Don't Accept Mail Larger Than 999999 KB
> >           CVP Server Anti_Virus
> >           CVP Read/Write
> >           Allowed Chars: 8-bit
> >
> >With the two following rules:
> >
> >Source Destination     Service                  Action Track Comment
> >any    our_SMTP_Server smtp -> SMTP-Reject_dest Reject Long  EMAIL with redirect characters
> >any    our_SMTP_Server smtp -> SMTP-RCV         Accept Long  EMAIL for our domains
> >
> >All other incoming traffic is dropped by the catch all rule.
> >
> >If we put only the second rule with nothing in the Match Recipient,
> >anyone can do SMTP relay thru our FW-1 Security server !
> >
>
>
> ------------------------------------------------------------
> Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
> Responsable des Systemes                Tel:
> Sogi Informatique Ltee.                 Fax:
> ------------------------------------------------------------
>
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> If you have any questions on how to change your
> subscription options, email Ron Alcatraz at:
> [email protected]
> =================================================
>
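
Added example (not part of the original thread and not Check Point code): a small Python model of the two Match Recipient resources and the rule order quoted above, run against constructed recipients. The brace/wildcard semantics, case-insensitive matching, and an empty pattern matching every recipient are assumptions inferred from the thread; RCV_ONLY, OPEN_RELAY and SAMPLES are hypothetical names.

```python
import fnmatch
import re

def expand_braces(pattern):
    """Expand {a,b} alternation into plain glob patterns (assumed syntax)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(head + alt + tail)]

def matches(pattern, recipient):
    """Empty Match Recipient is modelled as matching everything (assumption)."""
    if not pattern:
        return True
    return any(fnmatch.fnmatchcase(recipient.lower(), g.lower())
               for g in expand_braces(pattern))

# Resources from the thread, in rulebase order; domains are the thread's placeholders.
RULES = [
    ("SMTP-Reject_dest", "*{*%*,*!*}*", "Reject"),
    ("SMTP-RCV", "{*@ourdomain_1.com,*@ourdomain_N.com}", "Accept"),
]
RCV_ONLY = RULES[1:]                       # reject rule missing from the rulebase
OPEN_RELAY = [("SMTP-RCV", "", "Accept")]  # the empty Match Recipient case

def decide(recipient, rules=RULES):
    """First matching rule wins; anything else hits the catch-all drop."""
    for name, pattern, action in rules:
        if matches(pattern, recipient):
            return action, name
    return "Drop", "catch-all"

# Constructed sample recipients (not taken from real traffic).
SAMPLES = [
    "alice@ourdomain_1.com",
    "somebody%otherdomain.example@ourdomain_1.com",
    "otherhost!somebody@ourdomain_N.com",
    "bob@otherdomain.example",
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:48} full={decide(rcpt)[0]:7}"
              f" rcv_only={decide(rcpt, RCV_ONLY)[0]:7}"
              f" open={decide(rcpt, OPEN_RELAY)[0]}")
```

The second and third samples are accepted under RCV_ONLY because *@ourdomain_1.com also matches a recipient carrying % or !, which is why SMTP-Reject_dest has to sit above SMTP-RCV.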

   All contents © 2004 Network Presence, LLC. All rights reserved.