
Re: [FW-1] SMTP incoming traffic redirection



Hi Kepa,

The reason the internal mail server is sitting on the internal network
is for safety.

1. Assuming that the Mail Relay is compromised it will be very easy to
access your internal server while it is sitting on the DMZ.

2. An internal server should be trusted, so why place it in an untrusted
region like a DMZ?

3. By having the internal server on the internal network, the only
way for the Mail Relay to talk to it is via the SMTP Security Server on
the FW, an additional protection, particularly if you are using CVP.

4. Running your own internal DNS server hides your internal network
details; the external DNS should only provide the information you need to
provide, e.g. DNS, WWW and FTP details.

Regards

Russell


Kepa Beracochea wrote:
>
> Russell,
>
> Thanks a bunch for the information. I have several questions about your
> input, but first I think I found the problem I had (though I haven't been
> able to test it yet).
> To forward all SMTP traffic to my mail relay (or mailgate as I called it) I
> need to modify an entry in the routing table of the firewall, as follows:
>
>                destination    gateway
>         old    IPpu           IP2
>         new    IPpu           IP1
>
> where
> IPpu = public address of mail server
> IP2 = private IP of mail server
> IP1 = private IP of mail relay
>
> You pretty much described the architecture we're trying to implement
> (sendmail, Linux, m4 macro file, etc.), only both the mail server and the
> mail relay are in the DMZ (firewall configurations differ).
>
> So I guess my first question is what's the advantage of having the mail
> server inside your private network. So far it has been sitting alone in the
> DMZ, so I'd like to have a good reason before I put it on our private segment
> (and change its IP, clients' MUA configuration, etc.)
>
> Another thing is that we don't have a private DNS for the company (we use
> external ones from our provider). Although this doesn't fit into the subject
> of the mailing list, could someone tell me what's the advantage of having a
> private DNS, what information needs to be transmitted to the provider to
> handle our own DNS, what's the procedure, etc.? I'd be grateful if someone
> could point me to some information on that.
>
> Thanks again Russell
>
> Kepa.
>
> PS: by the way our mail relay uses mailscanner
> http://www.sng.ecs.soton.ac.uk/mailscanner/readme.shtml
>
> ----- Original Message -----
> From: "Russell Aspinwall" <[email protected]>
> To: <[email protected]>
> Sent: Tuesday, May 28, 2002 2:19 PM
> Subject: Re: [FW-1] SMTP incoming traffic redirection
>
> > Hi Kepa,
> >
> > The Email Server which is accessible from the Internet and is sitting in
> > a DMZ is called a Mail Relay. All the computer does is accept Email and
> > forward it to the Internal Mail Server which is sitting in your private
> > network.
> >
> > Using FW-1 create the Mail Relay object which will have NAT defined as
> > it sits on your DMZ, then create the Internal Mail Server object. Then
> > create four rules
> >
> > No.  Source                 Destination         Service                  Action
> > 1.   not Internal_nets      Mail_Relay          SMTP                     accept
> > 2.   Mail_Relay             not Internal_nets   SMTP                     accept
> > 3.   Mail_Relay             internal_email_srv  SMTP->filter-incoming    accept
> > 4.   internal_email_srv     Mail_Relay          SMTP->filter-outgoing    accept
> >
> > For reliability, cheapness and security use a PC running Solaris 8 x86
> > or Linux and configure Sendmail. Below is the m4 file for Solaris which
> > will generate a sendmail.cf file used to run Sendmail.
> >
> > divert(0)dnl
> > VERSIONID(`@(#)main-v7sun.mc    1.2 (Sun) 01/27/98')
> > OSTYPE(solaris2.ml)dnl
> > DOMAIN(solaris-antispam)dnl
> > dnl relay mail for every host in the local domain (class {m}), not only this host
> > FEATURE(`relay_entire_domain')dnl
> > dnl per-host/per-domain allow/reject table; build it with
> > dnl   makemap hash /etc/mail/access < /etc/mail/access
> > FEATURE(`access_db',`hash /etc/mail/access')dnl
> > MAILER(local)dnl
> > MAILER(smtp)dnl
> >
> > In this case your internal DNS server needs to know that the Mail Relay
> > is the smart host which can handle other domains, while the Mail Relay
> > needs to forward all Email to the internal Email Server.
> >
> > <-- extract sendmail.cf -->
> > # who I send unqualified names to (null means deliver locally)
> > DRinternal.email.server
> >
> > # who gets all local email traffic ($R has precedence for unqualified
> > names)
> > DHinternal.email.server
> > <-- extract sendmail.cf -->
> >
> > It is possible to use www.ravantivirus.com on both Solaris and Linux to
> > virus check all Email before it hits your internal server without
> > putting additional load on the Firewall.
> >
> > Hope that helps
> >
> > Russell
> >
> >
> > > Kepa Beracochea wrote:
> > >
> > > Hello all,
> > >
> > > I am trying to redirect all my incoming email traffic from one server to
> > > another. The goal of this is to make all email traffic go through an
> > > email firewall before it reaches the corporate server (without using
> > > CVP).
> > > To make things clear here is the configuration we have:
> > >
> > > - a VPN-1 Checkpoint FW1
> > > - on one of its interface: access to the outside
> > > - on another interface: the DMZ with hosts mailgate (the firewall)
> > > with private IP1 and mailserver(the corporate server) with private IP2
> > > - on another interface: the corporate network
> > >
> > > So far all incoming traffic was sent to mailserver. The object that
> > > defines mailserver in the firewall specifies a static address
> > > translation from private address IP2 to the public address IPpu. Apart
> > > from this, two "SMTP Resource" objects specify the control of the SMTP
> > > traffic (incoming and outgoing). In the "Match" tab of these objects,
> > > filters say which emails to let in and out. In the General tab no Mail
> > > Server is specified, that is, FW1 is supposed to redirect traffic to
> > > the server specified in smtp.conf with the default_server tab (so far
> > > it says IP2).
> > >
> > > To redirect all traffic to mailgate I remove object mailserver from my
> > > rules and I replace it with an object mailgate. mailgate is defined
> > > with static IP translation from IP1 to IPpu. I also modified my
> > > Resource objects, specifying "mailgate" in the Mail Server tab (after
> > > having defined mailgate in the /etc/hosts of the firewall).
> > >
> > > Now when I tried to send email from outside, the firewall kept sending
> > > traffic to mailserver, so thinking that the Mail Server tab of the
> > > SMTP Ressource object did not work for me I changed the entry in the
> > > smtp.conf file, specifying IP1 instead. I restarted FW1 but the
> > > traffic kept being sent to mailserver instead.
> > >
> > > Then I removed the IP translation in the object mailserver thinking
> > > that this could be it but it did not work. But this time instead of
> > > forwarding traffic to mailserver it just didn't forward traffic at all
> > > to either of them, even though the log says that the traffic to
> > > mailgate is accepted on the port 25.
> > >
> > > So... my question is: is there a reason why FW1 would not want to
> > > forward traffic to mailgate? Is there a file somewhere that specifies
> > > allowed hosts to forward SMTP traffic to, etc.?
> > >
> > > One last point: the entry in the DNS of our provider says:
> > >
> > > foo.com IN MX 10 mailserver.foo.com
> > > mailserver.foo.com IN A IPpu
> > >
> > > So if I understand this right, all mail traffic to foo.com will be sent
> > > to IPpu. Do I have to modify the entry
> > >
> > > foo.com IN MX 10 mailserver.foo.com
> > >
> > > to
> > >
> > > foo.com IN MX 10 mailgate.foo.com
> > >
> > > or can I just redirect traffic with FW1 on my site from mailserver to
> > > mailgate? How would you do that anyway?
> > >
> > > Thank you for all your help
> > > Kepa
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>

--
Network and Systems Administrator           Flomerics Ltd
Email: russell.aspinwall at flomerics.co.uk 81 Bridge Road
Telephone: 020-8941-8810 x3116              Hampton Court
Facsimile: 020-8941-8730                    Surrey, KT8 9HH, UK
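The following is an added example, not code from the original post or from Check Point: a small Python model of the four-rule FW-1 policy Russell gives above (top-down, first match wins, implicit drop at the end), together with a segment map, so that the design points in his reply can be checked directly rather than argued: outside hosts reach only the relay; the relay reaches only the internal mail server, and only on SMTP; internal clients cannot bypass the internal server; and a mail server that shares the DMZ with the relay is never protected by the rule base at all. All addresses (10.0.0.0/8 as the internal nets, 192.168.100.0/24 as the DMZ, 203.0.113.0/24 as "outside") are constructed assumptions, and the relay's static NAT and the firewall's static host route from Kepa's message are deliberately left out of the model.

```python
"""Added example (not from the original post): first-match model of
Russell's four FW-1 rules plus a segment map, to check his DMZ design points.
All addresses below are constructed assumptions, not the poster's network;
the relay's static NAT and the firewall's static route are not modelled."""
import ipaddress

# Constructed topology (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
MAIL_RELAY = ipaddress.ip_address("192.168.100.25")     # DMZ host, NATed to IPpu
INTERNAL_EMAIL_SRV = ipaddress.ip_address("10.1.1.25")  # on the internal network
SMTP = 25


def in_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


# One tuple per rule, in the order of Russell's rule base:
# (source predicate, destination predicate, service port, action, SMTP resource).
# FW-1 evaluates the rule base top-down and stops at the first match.
RULES = [
    (lambda s: not in_internal(s),      lambda d: d == MAIL_RELAY,         SMTP, "accept", None),
    (lambda s: s == MAIL_RELAY,         lambda d: not in_internal(d),      SMTP, "accept", None),
    (lambda s: s == MAIL_RELAY,         lambda d: d == INTERNAL_EMAIL_SRV, SMTP, "accept", "filter-incoming"),
    (lambda s: s == INTERNAL_EMAIL_SRV, lambda d: d == MAIL_RELAY,         SMTP, "accept", "filter-outgoing"),
]


def decide(src, dst, port):
    """Return (rule number, action, resource) for a connection crossing the
    firewall, or (None, "drop", None) when no rule matches (the implicit
    cleanup rule: anything not explicitly accepted is dropped)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (src_ok, dst_ok, rule_port, action, resource) in enumerate(RULES, 1):
        if src_ok(src) and dst_ok(dst) and port == rule_port:
            return number, action, resource
    return None, "drop", None


def segment(ip):
    """Which firewall interface a host sits behind."""
    ip = ipaddress.ip_address(ip)
    if in_internal(ip):
        return "internal"
    if ip in DMZ_NET:
        return "dmz"
    return "outside"


def reach(src, dst, port):
    """Russell's point 1: hosts on the same interface talk directly, so the
    rule base is never consulted between them; otherwise apply the rules."""
    if segment(src) == segment(dst):
        return "direct (firewall not consulted)"
    return decide(src, dst, port)[1]


def exposure_from_compromised_relay(port):
    """What the relay can reach on the mail server, on a given port, when the
    server is internal versus when it shares the DMZ with the relay."""
    mail_server_in_dmz = "192.168.100.26"   # constructed: same server, moved to the DMZ
    return {
        "internal": reach(MAIL_RELAY, INTERNAL_EMAIL_SRV, port),
        "dmz": reach(MAIL_RELAY, mail_server_in_dmz, port),
    }


if __name__ == "__main__":
    flows = [
        ("203.0.113.7", MAIL_RELAY, SMTP),          # Internet -> relay: rule 1
        ("203.0.113.7", INTERNAL_EMAIL_SRV, SMTP),  # Internet -> internal server: drop
        (MAIL_RELAY, INTERNAL_EMAIL_SRV, SMTP),     # relay -> internal server: rule 3
        (MAIL_RELAY, "10.1.1.40", 22),              # relay -> other internal host: drop
        ("10.1.1.40", "203.0.113.7", SMTP),         # internal client straight out: drop
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {decide(src, dst, port)}")
    print("compromised relay, port 22:", exposure_from_compromised_relay(22))
```

Running the script prints the verdict for each flow. One thing the model makes visible that the rule table hides: rule 2's "not Internal_nets" also covers the DMZ, so the relay may open SMTP to any other DMZ host; if the DMZ holds more than the relay, a tighter destination (the Internet only, excluding the DMZ network) is worth considering. The SMTP resources on rules 3 and 4 are where the Security Server's content filtering (and CVP, if used) is applied; the model only reports which resource a flow hits, not what the filter does with the message.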




 