Re: [FW-1] RBL List?



> Don, are you saying that I can connect my relay mail server direct to the
> internet (thus leaving the firewall hop out) and then relay mail through to
> an internal mail server?
No, I am saying that you put your email relay on a DMZ and behind the
firewall, but do _not_ use the security server on the firewall to handle
these connections. The relay on the DMZ then is the only system allowed to
make SMTP connections to the internal mail server.

-Don

> ===================================
> Don said:
> The best way to configure mail seems to be:
> Mail relay on the DMZ handling all inbound and outbound connections. This
> can be a stock MTA such as sendmail or postfix, or one of the anti-virus
> servers such as Mimesweeper acting as a relay.
>
> The DMZ server will talk to the internal server for all inbound and
> outbound email.
>
> The firewall simply adds another hop and a ton of complexity to the
> configuration. Considering the number of posts to this list every week
> regarding problems with the SMTP security server, you really would be best
> off doing without it.
>
> Besides which, as I said, by running the security server, you are giving
> an attacker an actual port on your firewall to connect to. If there is a
> hole in the security server, they can now compromise your firewall.
>
> -Don
>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: Wednesday, May 15, 2002 5:19 PM
> To: [email protected]
> Subject: Re: [FW-1] RBL List?
>
>
> > Thanks for the response.  I know all about the security servers (all of
> > them) being terrible attempts at putting some extra security in FW-1 and I
> > agree with you on their shortcomings (I'm only using the SMTP security
> > server for inbound mail).  I figured that if I can have an added layer of
> > security for inbound mail, why not use them rather than having external mail
> > servers connect directly to my Sendmail servers through the FW.  My setup
> > now has the firewall (SMTP security servers) doing nothing more than
> > accepting the mail and forwarding it right to one of our two Sendmail servers
> > who in turn forwards the mail to one of two virus scanning servers and into
> > our internal Exchange environment.
> >
> > We originally had a security requirement for the Sendmail boxes, that
> > requirement is no longer needed.  Having said that, these boxes really
> > aren't doing anything useful in my opinion other than being another hop and
> > another set of boxes that have to be maintained.  My thinking is that the
> > firewall can just forward the mail directly to the virus scanning servers
> > and get rid of the Sendmail boxes altogether, it's not that we are
> > unhappy with them, I just don't feel they are providing anything we really
> > need at this point.
> >
> > Again, the only problem is that I have a requirement to set up the RBL in the
> > future so I am wondering if the Firewall can handle this.
> As far as I know, the SMTP security server will not support the RBL.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
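
The layout described in this message can be checked mechanically against a rule base. The following is an added example, not part of the original post and not FW-1 syntax: it uses a simplified first-match rule model, and every address and both rule sets are constructed for illustration.

```python
import ipaddress

# Constructed addresses (documentation ranges); none come from the thread.
RELAY, OTHER_DMZ, FIREWALL = "192.0.2.25", "192.0.2.80", "192.0.2.1"
INTERNAL_MX, OUTSIDE, ANY = "10.0.0.25", "198.51.100.7", "0.0.0.0/0"

# Flows the design implies on TCP/25: (src, dst, required action, meaning).
PROBES = [
    (OUTSIDE, RELAY, "accept", "Internet can reach the DMZ relay"),
    (RELAY, OUTSIDE, "accept", "relay can send outbound mail"),
    (RELAY, INTERNAL_MX, "accept", "relay can reach the internal server"),
    (INTERNAL_MX, RELAY, "accept", "internal server can hand mail to the relay"),
    (OUTSIDE, INTERNAL_MX, "drop", "Internet cannot reach the internal server"),
    (OTHER_DMZ, INTERNAL_MX, "drop", "only the relay may reach the internal server"),
    (OUTSIDE, FIREWALL, "drop", "no SMTP listener exposed on the firewall"),
]

def first_match(rules, src, dst, port=25):
    """Action of the first rule matching the flow; implicit drop at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rport, action in rules:
        if (s in ipaddress.ip_network(rsrc)
                and d in ipaddress.ip_network(rdst)
                and rport in (port, "any")):
            return action
    return "drop"

def audit(rules):
    """Return the design statements that the rule set violates."""
    return [why for src, dst, want, why in PROBES
            if first_match(rules, src, dst) != want]

# Constructed policy following the DMZ-relay design: (src, dst, port, action).
DMZ_RELAY_POLICY = [
    (ANY, FIREWALL + "/32", "any", "drop"),  # nothing terminates on the firewall
    (RELAY + "/32", INTERNAL_MX + "/32", 25, "accept"),
    (INTERNAL_MX + "/32", RELAY + "/32", 25, "accept"),
    (ANY, RELAY + "/32", 25, "accept"),
    (RELAY + "/32", ANY, 25, "accept"),
]
# Constructed contrast: SMTP terminates on the firewall, whole DMZ is trusted.
SECURITY_SERVER_POLICY = [
    (ANY, FIREWALL + "/32", 25, "accept"),
    ("192.0.2.0/24", INTERNAL_MX + "/32", 25, "accept"),
]

if __name__ == "__main__":
    for name, pol in [("dmz-relay", DMZ_RELAY_POLICY),
                      ("security-server", SECURITY_SERVER_POLICY)]:
        print(name, audit(pol) or "OK")
```

Rule order matters in this model: the drop for traffic addressed to the firewall sits first, so the later relay-to-any rule cannot reopen it.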

   All contents © 2004 Network Presence, LLC. All rights reserved.