Re: [FW-1] Stopping SMTP Relay on CP FW4.1
The solution I posted works, and I too use post.office as my mail server
behind the FW-1:

Internet -> FW-1 -> CVP to antivirus -> CVP from Antivirus -> FW-1 -> Post.Office

I need to accept around 25 domain names. All my post.office filters work
correctly. Which one are you talking of? Because I use lots of domain names
in my filters...

Anyway, if you filter SMTP RELAYING at the FW-1 you don't need to do it again
in post.office, even if I do it...

I don't use Encryption right now so I don't know about that second problem.

At 09:45 2001-12-18 -0000, Richard Marshall wrote:
>Hi,
>
>I have tried this solution a couple of times and have had lots of relay
>problems! The filter rules on our mail server appear not to work (we are
>using post.office) and so have to limit relaying by specifying allowed IP
>numbers (instead of allowed domains). However, when we use CVP it makes all
>mail appear to come from the firewall, which is of course an allowed IP!
>
>I have had to remove the CVP scanning until I can make FW-1 effectively
>block 'unwanted' mail. (I can't get this to work now because it is trying to
>encrypt mail from the firewall spool to our server despite the firewall
>being outside the encryption domain. (and despite rules higher up the
>rulebase that should prevent this from happening!)
>
>If you can get round these problems (or if you don't have these probs to
>start) then CVP works fine!
>
>Rich
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Mark
>Pace Balzan
>Sent: 17 December 2001 20:51
>To: [email protected]
>Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1
>
>
>Hi All,
>
>I am also currently working on testing Trendmicro's Viruswall solution for a
>mail server behind FW-1 using CVP
>
>From what I have read in the archives, FW-1 is by default an open relay, and
>the solution to stop this is to specify the domains you MX for in the
>firewall config (which you specifically allow), and then deny all weird
>characters and other domains. All domains are also in the mail server config
>of course.
>
>Or else have some other mail server before the firewall to take care of the
>relaying,...something like a bastion host from what I gather to cover up for
>FW-1
>
>
>A question to all of you out there who have 100+ domains on your mail
>servers:
>
>- Is the above the only way (or ways) to go about it, assuming you must use
>CVP (at least for now)
>- Has Checkpoint released a fix ?
>
>Or are all people with many domains not using CVP at all, and leaving it all
>up to the mail server ?
>In this case is your anti-virus installed on the same machine as the mail
>server ?
>
>
>Many thanks
>
>
>
>Mark
>
>
>----- Original Message -----
>From: "Yves Belle-Isle" <[email protected]>
>To: <[email protected]>
>Sent: Monday, December 17, 2001 9:11 PM
>Subject: Re: [FW-1] Stopping SMTP Relay on CP FW4.1
>
>
>> It's because % and ! in mail addresses are used to do redirection of email
>> with constructs like: somebody%[email protected]
>> which in some cases would be seen as mail for YourDomain and
>> processed as mail for OtherDomain. As they are not legally used
>> as mail address we can safely drop any email address with those
>>
>> If you want to know if your mail server is really protected by
>> your FW-1 you can use mail-abuse.org test procedure as described at
>> http://www.mail-abuse.org/tsi/ar-test.html
>>
>> To use it from your MAIL SERVER console do a telnet to :
>> relay-test.mail-abuse.org
>>
>> YOU MUST DO IT FROM YOUR MAIL SERVER !
>>
>> That will try to connect to your port 25 (Filtered by your FW-1)
>> and will try lots of ways to relay email from your server.
>>
>> It will show in the telnet window all those it tries and a final
>> result message. With my filter in place you should see this final one:
>>
>> System appeared to reject relay attempts
>>
>> Try it...
>>
>> At 15:44 2001-12-17 +0600, [email protected] wrote:
>> >Hi Yves
>> >
>> >I just read that your solutions did work. I would like to try this too. Can
>> >you pl tell me the significance of
>> >"*{*%*,*!*}*" for match recipient? What exactly are redirection
>> >characters?
>> >
>> >I am pretty new to firewall admin
>> >
>> >Thanks
>> >
>> >Yves Belle-Isle <[email protected]> wrote on 14-12-2001 20:06
>> >
>> >
>> >You have to block SMTP relaying on the FW-1 in a
>> >SMTP Security resource because by default the FW-1
>> >SMTP Security server is wide open to SMTP relaying.
>> >
>> >Use objects/rules like this:
>> >
>> >  First:  Name: SMTP-Reject_dest
>> >          Comment: Reject common redirection characters
>> >          Exception Track: Log
>> >          Notify Sender On Error
>> >          Match Recipient: *{*%*,*!*}*
>> >          Strip MIME of type:
>> >          Don't Accept Mail Larger Than 999999 KB
>> >          CVP Server Anti_Virus
>> >          CVP Read/Write
>> >          Allowed Chars: 8-bit
>> >
>> >  Second: Name: SMTP-RCV
>> >          Comment: Receive email for our domains
>> >          Exception Track: Log
>> >          Notify Sender On Error
>> >          Match Recipient: {*@ourdomain_1.com,...,*@ourdomain_N.com}
>> >          Strip MIME of type:
>> >          Don't Accept Mail Larger Than 999999 KB
>> >          CVP Server Anti_Virus
>> >          CVP Read/Write
>> >          Allowed Chars: 8-bit
>> >
>> >With the two following rules:
>> >
>> >Source  Destination      Service                   Action  Track  Comment
>> >any     our_SMTP_Server  smtp -> SMTP-Reject_dest  Reject  Long   EMAIL with redirect characters
>> >any     our_SMTP_Server  smtp -> SMTP-RCV          Accept  Long   EMAIL for our domains
>> >
>> >All other incoming traffic is dropped by the catch all rule.
>> >
>> >If we put only the second rule with nothing in the Match Recipient,
>> >anyone can do SMTP relay thru our FW-1 Security server !
>> >
>>
>> ------------------------------------------------------------
>> Yves Belle-Isle V.P.       VE2YBI YB17   Email: [email protected]
>> Responsable des Systemes                 Tel:
>> Sogi Informatique Ltee.                  Fax:
>> ------------------------------------------------------------
>>
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> To set vacation, Out Of Office, or away messages,
>> send an email to [email protected]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email Ron Alcatraz at:
>> [email protected]
>> =================================================
>>
>
------------------------------------------------------------
Yves Belle-Isle V.P.       VE2YBI YB17   Email: [email protected]
Responsable des Systemes                 Tel:
Sogi Informatique Ltee.                  Fax:
------------------------------------------------------------
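
Added example, not part of the original thread and not Check Point code: a small model of the two-rule recipient check quoted above, run against constructed RCPT TO addresses. It assumes the Match Recipient field behaves like a glob with {a,b} alternation and that an empty field matches everything; example.com and example.net are placeholder domains.

```python
import fnmatch
import re

def expand_braces(pattern):
    """Expand {a,b,...} alternation into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def matches(recipient, pattern):
    """True if the recipient matches the Match Recipient pattern."""
    if not pattern:  # assumption: an empty field matches every recipient
        return True
    return any(fnmatch.fnmatchcase(recipient.lower(), p.lower())
               for p in expand_braces(pattern))

# Rule order as in the post; the domains are constructed placeholders.
RULEBASE = [
    ("SMTP-Reject_dest", "*{*%*,*!*}*", "Reject"),
    ("SMTP-RCV", "{*@example.com,*@example.net}", "Accept"),
]
# The misconfiguration the post warns about: only SMTP-RCV, nothing to match.
OPEN_RELAY = [("SMTP-RCV", "", "Accept")]

def evaluate(recipient, rulebase=RULEBASE):
    """Return (action, rule name) of the first matching rule, else the catch-all drop."""
    for name, pattern, action in rulebase:
        if matches(recipient, pattern):
            return action, name
    return "Drop", "catch-all"

# Constructed RCPT TO values: one local, two with redirection characters, one foreign.
SAMPLES = [
    "user@example.com",
    "somebody%other.example@example.com",
    "other.example!somebody@example.net",
    "somebody@other.example",
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:40} good={evaluate(rcpt)} open={evaluate(rcpt, OPEN_RELAY)}")
```

An address such as somebody%other.example@example.com matches both patterns, so the reject rule has to sit above the accept rule; with the order swapped it is accepted by SMTP-RCV.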