
Re: [FW-1] Stopping SMTP Relay on CP FW4.1



The solution I posted works, and I too use post.office as my
mail server behind the FW-1:

Internet -> FW-1 -> CVP to antivirus -> CVP from Antivirus -> FW-1 -> Post.Office

I need to accept around 25 domain names.

All my post.office filters work correctly. Which one are you talking about?
Because I use lots of domain names in my filters...

Anyway, if you filter SMTP RELAYING at the FW-1 you don't need to do it
again in post.office, even if I do it...

I don't use encryption right now, so I don't know about that second problem.

At 09:45 2001-12-18 -0000, Richard Marshall wrote:
>Hi,
>
>I have tried this solution a couple of times and have had lots of relay
>problems! The filter rules on our mail server appear not to work (we are
>using post.office) and so have to limit relaying by specifying allowed IP
>numbers (instead of allowed domains). However, when we use CVP it makes all
>mail appear to come from the firewall, which is of course an allowed IP!
>
>I have had to remove the CVP scanning until I can make FW-1 effectively
>block 'unwanted' mail. (I can't get this to work now because it is trying to
>encrypt mail from the firewall spool to our server despite the firewall
>being outside the encryption domain. (and despite rules higher up the
>rulebase that should prevent this from happening!)
>
>If you can get round these problems (or if you don't have these probs to
>start) then CVP works fine!
>
>Rich
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Mark
>Pace Balzan
>Sent: 17 December 2001 20:51
>To: [email protected]
>Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1
>
>
>Hi All,
>
>I am also currently working on testing Trendmicro's Viruswall solution for a
>mail server behind FW-1 using CVP
>
>From what I have read in the archives, FW-1 is by default an open relay, and
>the solution to stop this is to specify the domains you MX for in the
>firewall config (which you specifically allow), and then deny all weird
>characters and other domains. All domains are also in the mail server config
>of course.
>
>Or else have some other mail server before the firewall to take care of the
>relaying,...something like a bastion host from what I gather to cover up for
>FW-1
>
>
>A question to all of you out there who have 100+ domains on your mail
>servers:
>
>- Is the above the only way (or ways) to go about it, assuming you must use
>CVP (at least for now)
>- Has Checkpoint released a fix ?
>
>Or are all people with many domains not using CVP at all, and leaving it all
>up to the mail server ?
>In this case is your anti-virus installed on the same machine as the mail
>server ?
>
>
>Many thanks
>
>
>
>Mark
>
>
>----- Original Message -----
>From: "Yves Belle-Isle" <[email protected]>
>To: <[email protected]>
>Sent: Monday, December 17, 2001 9:11 PM
>Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1
>
>
>> It's because % and ! in mail addresses are used to do redirection of email
>> with constructs like: somebody%[email protected]
>> which in some cases would be seen as mail for YourDomain and
>> processed as mail for OtherDomain. As they are not legally used
>> as mail address we can safely drop any email address with those
>>
>> If you want to know if your mail server is really protected by
>> your FW-1 you can use mail-abuse.org test procedure as described at
>> http://www.mail-abuse.org/tsi/ar-test.html
>>
>> To use it from your MAIL SERVER console do a telnet to :
>> relay-test.mail-abuse.org
>>
>> YOU MUST DO IT FROM YOUR MAIL SERVER !
>>
>> That will try to connect to your port 25 (filtered by your FW-1)
>> and will try lots of ways to relay email from your server.
>>
>> It will show in the telnet window all those it tries and a final
>> result message. With my filter in place you should see this final one:
>>
>> System appeared to reject relay attempts
>>
>> Try it...
>>
>> At 15:44 2001-12-17 +0600, [email protected] wrote:
>> >Hi Yves
>> >
>> >I just read that your solution did work. I would like to try this too. Can
>> >you please tell me the significance of
>> >"*{*%*,*!*}*" for match recipient? What exactly are redirection
>> >characters?
>> >
>> >I am pretty new to firewall admin
>> >
>> >Thanks
>> >
>> >Yves Belle-Isle <[email protected]> wrote on 14-12-2001 20:06
>> >
>> >
>> >You have to block SMTP relaying on the FW-1 in an
>> >SMTP Security resource because by default the FW-1
>> >SMTP Security server is wide open to SMTP relaying.
>> >
>> >Use objects/rules like this:
>> >
>> >   First: Name: SMTP-Reject_dest
>> >          Comment: Reject common redirection characters
>> >          Exception Track: Log
>> >          Notify Sender On Error
>> >          Match Recipient: *{*%*,*!*}*
>> >          Strip MIME of type:
>> >          Don't Accept Mail Larger Than 999999 KB
>> >          CVP Server Anti_Virus
>> >          CVP Read/Write
>> >          Allowed Chars: 8-bit
>> >
>> >   Second: Name: SMTP-RCV
>> >           Comment: Receive email for our domains
>> >           Exception Track: Log
>> >           Notify Sender On Error
>> >           Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
>> >           Strip MIME of type:
>> >           Don't Accept Mail Larger Than 999999 KB
>> >           CVP Server Anti_Virus
>> >           CVP Read/Write
>> >           Allowed Chars: 8-bit
>> >
>> >With the two following rules:
>> >
>> >Source Destination     Service                  Action Track Comment
>> >any    our_SMTP_Server smtp -> SMTP-Reject_dest Reject Long  EMAIL with redirect characters
>> >any    our_SMTP_Server smtp -> SMTP-RCV         Accept Long  EMAIL for our domains
>> >
>> >All other incoming traffic is dropped by the catch all rule.
>> >
>> >If we put only the second rule with nothing in the Match Recipient,
>> >anyone can do SMTP relay through our FW-1 Security server!
>> >
>>
>>
>> ------------------------------------------------------------
>> Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
>> Responsable des Systemes                Tel:
>> Sogi Informatique Ltee.                 Fax:
>> ------------------------------------------------------------
>>
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> To set vacation, Out Of Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email Ron Alcatraz at:
>> [email protected]
>> =================================================
>>
>

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------

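The two-rule ordering from the quoted resource definitions, shown as an added example that is not part of the original messages and is not Check Point code. It assumes `*` is a wildcard and `{a,b}` lists alternatives, models an empty Match Recipient as `*`, and runs over constructed recipient addresses (`ourdomain_2.com` and `otherdomain.example` are placeholders).

```python
import fnmatch
import re

def expand(pattern):
    """Expand {a,b,...} groups into one plain wildcard pattern per alternative."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand(head + alt + tail)]

def matches(pattern, recipient):
    """Case-insensitive match of a recipient against a Match Recipient style pattern."""
    return any(fnmatch.fnmatchcase(recipient.lower(), p.lower()) for p in expand(pattern))

# Assumed model of the rulebase: first matching rule wins, the rest is dropped.
RULES = [
    ("SMTP-Reject_dest", "*{*%*,*!*}*", "reject"),
    ("SMTP-RCV", "{*@ourdomain_1.com,*@ourdomain_2.com}", "accept"),
]
RCV_ONLY = RULES[1:]                      # second rule without the reject rule above it
RCV_EMPTY = [("SMTP-RCV", "*", "accept")]  # assumption: empty Match Recipient matches all

def decide(recipient, rules=RULES):
    """Return (action, rule name) for one RCPT TO address."""
    for name, pattern, action in rules:
        if matches(pattern, recipient):
            return action, name
    return "drop", "catch-all"

# Constructed recipients: one legitimate, two using redirection characters, one foreign.
SAMPLES = [
    "alice@ourdomain_1.com",
    "somebody%otherdomain.example@ourdomain_1.com",
    "otherdomain.example!somebody@ourdomain_2.com",
    "bob@otherdomain.example",
]

def report(rules):
    """Map each sample recipient to the action the given rule list takes."""
    return {rcpt: decide(rcpt, rules)[0] for rcpt in SAMPLES}

if __name__ == "__main__":
    for label, rules in [("both rules", RULES), ("SMTP-RCV only", RCV_ONLY),
                         ("empty Match Recipient", RCV_EMPTY)]:
        print(label)
        for rcpt, action in report(rules).items():
            print(f"  {action:6} {rcpt}")
```

With only the domain rule in place, the `%` and `!` recipients still end in an accepted domain and are accepted, which is why the reject rule has to sit above it.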



 
   All contents © 2004 Network Presence, LLC. All rights reserved.