Re: [FW-1] SMTP incoming traffic redirection
Hi Kepa,

The Email Server which is accessible from the Internet and is sitting in a DMZ is called a Mail Relay. All the computer does is accept Email and forward it to the Internal Mail Server which is sitting in your private network.

Using FW-1 create the Mail Relay object which will have NAT defined as it sits on your DMZ, then create the Internal Mail Server object. Then create four rules:

       Source               Destination          Service                 Action
    1. not Internal_nets    Mail_Relay           SMTP                    accept
    2. Mail_Relay           not Internal_nets    SMTP                    accept
    3. Mail_Relay           internal_email_srv   SMTP->filter-incoming   accept
    4. internal_email_srv   Mail_Relay           SMTP->filter-outgoing   accept

For reliability, cheapness and security use a PC running Solaris 8 x86 or Linux and configure Sendmail. Below is the m4 file for Solaris which will generate a sendmail.cf file used to run Sendmail.

    divert(0)dnl
    VERSIONID(`@(#)main-v7sun.mc 1.2 (Sun) 01/27/98')
    OSTYPE(solaris2.ml)dnl
    DOMAIN(solaris-antispam)dnl
    FEATURE(`relay_entire_domain')dnl
    FEATURE(`access_db',`hash /etc/mail/access')dnl
    MAILER(local)dnl
    MAILER(smtp)dnl

In this case your Internal DNS servers need to know that the Mail Relay is the smart host which can handle other domains, while the Mail Relay needs to forward all Email to the internal Email Server.

    <-- extract sendmail.cf -->
    # who I send unqualified names to (null means deliver locally)
    DRinternal.email.server

    # who gets all local email traffic ($R has precedence for unqualified names)
    DHinternal.email.server
    <-- extract sendmail.cf -->

It is possible to use www.ravantivirus.com on both Solaris and Linux to virus check all Email before it hits your internal server without putting additional load on the Firewall.

Hope that helps

Russell

> Kepa Beracochea wrote:
>
> Hello all,
>
> I am trying to redirect all my incoming email traffic from a server to
> another. The goal with this is to make all email traffic go through an
> email firewall before it reaches the corporate server (without using
> CVP).
> To make things clear here is the configuration we have:
>
> - a VPN-1 Checkpoint FW1
> - on one of its interfaces: access to the outside
> - on another interface: the DMZ with hosts mailgate (the firewall)
>   with private IP1 and mailserver (the corporate server) with private IP2
> - on another interface: the corporate network
>
> So far all incoming traffic was sent to mailserver. The object that
> defines mailserver in the firewall specifies a static address
> translation from private address IP2 to the public address IPpu. Apart
> from this, two objects "SMTP resource" specify the control of the SMTP
> traffic (incoming and outgoing). In the "Match" tab of these objects
> filters say which emails to let in and out. In the General tab no Mail
> Server is specified, that is FW1 is supposed to redirect traffic to
> the server specified in smtp.conf with the default_server tab (so far
> it says IP2).
>
> To redirect all traffic to mailgate I remove object mailserver from my
> rules and I replace it with an object mailgate. mailgate is defined
> with static IP translation from IP1 to IPpu. I also modified my
> Resource objects, specifying in the Mail Server tab "mailgate" (after
> having defined mailgate in the /etc/hosts of the firewall).
>
> Now when I tried to send email from outside, the firewall kept sending
> traffic to mailserver, so thinking that the Mail Server tab of the
> SMTP Resource object did not work for me I changed the entry in the
> smtp.conf file, specifying IP1 instead. I restarted FW1 but the
> traffic kept being sent to mailserver instead.
>
> Then I removed the IP translation in the object mailserver thinking
> that this could be it but it did not work. But this time instead of
> forwarding traffic to mailserver it just didn't forward traffic at all
> to either of them, even though the log says that the traffic to
> mailgate is accepted on port 25.
>
> So... my question is: is there a reason why FW1 would not want to
> forward traffic to mailgate? Is there a file somewhere that specifies
> allowed hosts to forward SMTP traffic to, etc.
>
> One last point: the entry in the DNS of our provider says:
>
>     foo.com            IN MX 10 mailserver.foo.com
>     mailserver.foo.com IN A     IPpu
>
> So if I understand this right all mail traffic to foo.com will be sent
> to IPpu. Do I have to modify the entry
>
>     foo.com IN MX 10 mailserver.foo.com
>
> to
>
>     foo.com IN MX 10 mailgate.foo.com
>
> or can I just redirect traffic with FW1 on my site from mailserver to
> mailgate? How would you do that anyway?
>
> Thank you for all your help
> Kepa
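The following is an added example, not code from the thread or from Check Point: a small first-match model of the four FW-1 rules Russell lists, with the static NAT that Kepa describes (public IPpu translated to mailgate) applied to the destination before the rules are matched. It is a deliberately simplified picture of FireWall-1's processing order, and every address in it is a constructed placeholder for the thread's IP1, IP2 and IPpu. Running it shows why the MX record can keep pointing at IPpu once the NAT belongs to the relay, and that with only these four rules the corporate mail server is reachable on SMTP solely from the relay, and can deliver outbound mail solely to the relay.

```python
# Constructed model of the four-rule relay design from the reply above.
# Not a FireWall-1 configuration; addresses are placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Stand-ins for the thread's IP1, IP2 and IPpu (documentation ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]     # corporate network
MAIL_RELAY = ip_address("192.168.100.25")      # mailgate in the DMZ (IP1)
INTERNAL_MAIL_SRV = ip_address("10.0.0.25")    # corporate mail server (IP2)
PUBLIC_IP = ip_address("203.0.113.25")         # IPpu, the address in the MX/A records
SMTP = 25

# Static NAT as Kepa set it up for mailgate: the public address maps to the relay,
# so the provider's "mailserver.foo.com IN A IPpu" record needs no change.
STATIC_NAT = {PUBLIC_IP: MAIL_RELAY}


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def not_internal(addr) -> bool:
    return not is_internal(addr)


def is_relay(addr) -> bool:
    return addr == MAIL_RELAY


def is_internal_srv(addr) -> bool:
    return addr == INTERNAL_MAIL_SRV


@dataclass
class Rule:
    name: str
    src: Callable[..., bool]
    dst: Callable[..., bool]
    service: int
    action: str


# Russell's four rules, in order. Rules 3 and 4 are where the SMTP resource
# filters would be attached; the model only tracks the accept decision.
RULEBASE = [
    Rule("1 not Internal_nets -> Mail_Relay", not_internal, is_relay, SMTP, "accept"),
    Rule("2 Mail_Relay -> not Internal_nets", is_relay, not_internal, SMTP, "accept"),
    Rule("3 Mail_Relay -> internal_email_srv", is_relay, is_internal_srv, SMTP, "accept"),
    Rule("4 internal_email_srv -> Mail_Relay", is_internal_srv, is_relay, SMTP, "accept"),
]


def evaluate(src: str, dst: str, port: int):
    """Translate the destination through static NAT, then walk the rulebase
    top-down. Returns (action, rule name) for the first match; a flow that
    matches nothing is dropped, mirroring FW-1's implicit drop at the end."""
    src_addr, dst_addr = ip_address(src), ip_address(dst)
    dst_addr = STATIC_NAT.get(dst_addr, dst_addr)
    for rule in RULEBASE:
        if rule.src(src_addr) and rule.dst(dst_addr) and port == rule.service:
            return rule.action, rule.name
    return "drop", "implicit drop (no matching rule)"


# Constructed sample flows: (description, source, destination, port).
SAMPLE_FLOWS = [
    ("Internet MTA delivering to the MX address", "198.51.100.7", str(PUBLIC_IP), SMTP),
    ("Internet MTA aiming straight at the internal server", "198.51.100.7", str(INTERNAL_MAIL_SRV), SMTP),
    ("relay forwarding inbound mail to the internal server", str(MAIL_RELAY), str(INTERNAL_MAIL_SRV), SMTP),
    ("internal server handing outbound mail to the relay", str(INTERNAL_MAIL_SRV), str(MAIL_RELAY), SMTP),
    ("internal server sending directly to the Internet", str(INTERNAL_MAIL_SRV), "198.51.100.7", SMTP),
    ("Internet host probing the public address on port 80", "198.51.100.7", str(PUBLIC_IP), 80),
]


def decisions():
    """Evaluate every sample flow; returns {description: (action, rule)}."""
    return {desc: evaluate(s, d, p) for desc, s, d, p in SAMPLE_FLOWS}


if __name__ == "__main__":
    for desc, (action, rule) in decisions().items():
        print(f"{action:6}  {desc:55}  [{rule}]")
```

Anything that is not one of the four relay flows falls through to the implicit drop, which is the property the design relies on: the relay is the only host the Internet can reach on SMTP, and the only host the corporate server talks SMTP to.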