Hello all,

I am trying to redirect all my incoming email traffic from one server to another. The goal is to make all email traffic go through an email firewall before it reaches the corporate server (without using CVP). To make things clear, here is the configuration we have:

- a VPN-1 Checkpoint FW1
  - on one of its interfaces: access to the outside
  - on another interface: the DMZ with the hosts mailgate (the firewall) with private IP1 and mailserver (the corporate server) with private IP2
  - on another interface: the corporate network
So far all incoming traffic was sent to mailserver. The object that defines mailserver in the firewall specifies a static address translation from the private address IP2 to the public address IPpu. Apart from this, two "SMTP resource" objects specify the control of the SMTP traffic (incoming and outgoing). In the "Match" tab of these objects, filters say which emails to let in and out. In the General tab no Mail Server is specified, that is, FW1 is supposed to redirect traffic to the server specified in smtp.conf with the default_server tab (so far it says IP2).
To redirect all traffic to mailgate I remove the object mailserver from my rules and replace it with an object mailgate. mailgate is defined with a static IP translation from IP1 to IPpu. I also modified my Resource objects, specifying "mailgate" in the Mail Server tab (after having defined mailgate in the /etc/hosts of the firewall).
Now when I tried to send email from outside, the firewall kept sending traffic to mailserver, so, thinking that the Mail Server tab of the SMTP Resource object did not work for me, I changed the entry in the smtp.conf file, specifying IP1 instead. I restarted FW1 but the traffic kept being sent to mailserver instead.
Then I removed the IP translation in the object mailserver, thinking that this could be it, but it did not work. This time, instead of forwarding traffic to mailserver, it just didn't forward traffic at all to either of them, even though the log says that the traffic to mailgate is accepted on port 25.
So... my question is: is there a reason why FW1 would not want to forward traffic to mailgate? Is there a file somewhere that specifies allowed hosts to forward SMTP traffic to, etc.?
One last point: the entry in the DNS of our provider says:

foo.com IN MX 10 mailserver.foo.com
mailserver.foo.com IN A IPpu

So if I understand this right, all mail traffic to foo.com will be sent to IPpu. Do I have to modify the entry

foo.com IN MX 10 mailserver.foo.com

to

foo.com IN MX 10 mailgate.foo.com

or can I just redirect traffic with FW1 on my site from mailserver to mailgate? How would you do that anyway?
Thank you for all your help,
Kepa
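As an added example (not part of Kepa's post and not code from any Check Point product), the following Python models the two lookups the post asks about: how a remote mail server picks the address for foo.com from the MX and A records quoted above, and how the firewall's inbound static NAT picks the internal host behind that address. The addresses are constructed placeholders standing in for IPpu, IP1 and IP2; the zone and NAT tables are built from the post's description.

```python
"""Model of the two places that decide where inbound mail for foo.com lands:
public DNS (MX -> A) and the firewall's inbound static NAT.

Added example, not from the original post. All addresses are constructed
placeholders: IPpu -> 203.0.113.25, IP1 -> 10.0.0.1, IP2 -> 10.0.0.2.
"""

IPPU = "203.0.113.25"   # constructed stand-in for the public address IPpu
IP1 = "10.0.0.1"        # constructed stand-in for mailgate's private IP1
IP2 = "10.0.0.2"        # constructed stand-in for mailserver's private IP2

# Zone records as (name, type, rdata) tuples, as quoted in the post.
ZONE_BEFORE = [
    ("foo.com", "MX", "10 mailserver.foo.com"),
    ("mailserver.foo.com", "A", IPPU),
]
# The proposed change: MX points at mailgate, which also NATs to IPpu.
ZONE_AFTER = [
    ("foo.com", "MX", "10 mailgate.foo.com"),
    ("mailgate.foo.com", "A", IPPU),
]


def lookup(zone, name, rtype):
    """All rdata values in `zone` for the given owner name and record type."""
    return [rdata for (n, t, rdata) in zone if n == name and t == rtype]


def mx_targets(zone, domain):
    """MX hosts for `domain`, lowest preference first, as a sending MTA orders them."""
    mxs = []
    for rdata in lookup(zone, domain, "MX"):
        pref, host = rdata.split()
        mxs.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(mxs)]


def resolve_mail_ip(zone, domain):
    """Address a remote MTA connects to for mail to `domain`, or None if unresolvable."""
    for host in mx_targets(zone, domain):
        addrs = lookup(zone, host, "A")
        if addrs:
            return addrs[0]
    return None


def inbound_nat_targets(nat_rules, public_ip):
    """Internal hosts whose static translation claims `public_ip`.

    nat_rules: list of (object_name, private_ip, public_ip) static translations.
    """
    return [(name, priv) for (name, priv, pub) in nat_rules if pub == public_ip]


def nat_is_unambiguous(nat_rules, public_ip):
    """True when exactly one internal host is behind `public_ip` for inbound traffic."""
    return len(inbound_nat_targets(nat_rules, public_ip)) == 1


# Translations as described in the post: both objects translate to IPpu.
NAT_BOTH = [("mailserver", IP2, IPPU), ("mailgate", IP1, IPPU)]
# After the mailserver translation is removed, only mailgate claims IPpu.
NAT_MAILGATE_ONLY = [("mailgate", IP1, IPPU)]

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(f"DNS {label}: MX {mx_targets(zone, 'foo.com')} -> {resolve_mail_ip(zone, 'foo.com')}")
    for label, rules in (("both", NAT_BOTH), ("mailgate only", NAT_MAILGATE_ONLY)):
        print(f"NAT {label}: {inbound_nat_targets(rules, IPPU)} "
              f"unambiguous={nat_is_unambiguous(rules, IPPU)}")
```

Since mailserver.foo.com and mailgate.foo.com both resolve to IPpu, the MX change on its own does not alter the address the outside world connects to; the model also shows that while static translations for both IP1 and IP2 point at the same IPpu there are two candidate internal hosts for inbound port 25, so checking that exactly one object translates to IPpu is the first thing to verify before looking at the SMTP resource settings.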