Subject: Re: [FW-1] SMTP incoming traffic redirection
Hi Kepa,

They do not directly; email is forwarded to a separate server, and only those users who need external access get it.

Regards

Russell

Kepa Beracochea wrote:
>
> Thanks Russell
> All this makes sense... and brings up a few more questions.
> How can employees retrieve messages from the outside if your server is
> sitting in your private network? (with simple POP or through an HTTP interface)
> or... should they not? Maybe leaving port 110 open to the outside
> represents a security breach?
> About the DNS stuff, I'm not sure I get your information right: is the
> external DNS a DNS that sits in your DMZ zone and the internal one in your
> private network? Or is there just one in the DMZ? How many DNS should you
> be running?
> Thanks again
> Kepa
>
> ----- Original Message -----
> From: "Russell Aspinwall" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, May 29, 2002 8:43 AM
> Subject: Re: [FW-1] SMTP incoming traffic redirection
>
> Hi Kepa,
>
> The reason the internal mail server is sitting on the internal network
> is for safety.
>
> 1. Assuming that the Mail Relay is compromised, it will be very easy to
> access your internal server while it is sitting on the DMZ.
>
> 2. An internal server should be trusted; why place it into an untrusted
> region like a DMZ?
>
> 3. By having the internal server on the internal network, the only
> way for the Mail Relay to talk to it is via the SMTP Security Server on
> the FW, an additional protection, particularly if you are using CVP.
>
> 4. Running your own internal DNS server hides your internal network
> details; the external DNS should only provide the information you need to
> provide, e.g. DNS, WWW and FTP details.
>
> Regards
>
> Russell
>
> Kepa Beracochea wrote:
> >
> > Russell,
> >
> > Thanks a bunch for the information. I have several questions about your
> > input, but first I think I found the problem I had (though I haven't been
> > able to test it yet).
> > To forward all SMTP traffic to my mail relay (or mailgate as I called it) I
> > need to modify an entry in the routing table of the firewall, as follows:
> >
> >         destination    gateway
> >   old   IPpu           IP2
> >   new   IPpu           IP1
> >
> > where
> >   IPpu = public address of mail server
> >   IP2  = private IP of mail server
> >   IP1  = private IP of mail relay
> >
> > You pretty much described the architecture we're trying to implement
> > (sendmail, Linux, m4 macro file, etc), only both the mail server and the
> > mail relay are in the DMZ (firewall configurations differ).
> >
> > So I guess my first question is what's the advantage of having the mail
> > server inside your private network. So far it has been sitting alone in the
> > DMZ, so I'd like to have a good reason before I put it on our private segment
> > (and change its IP, clients' MUA configuration, etc).
> >
> > Another thing is that we don't have a private DNS for the company (we use
> > external ones from our provider). Although this doesn't fit into the subject
> > of the mailing list, could someone tell me what's the advantage of having a
> > private DNS and what information needs to be transmitted to the provider to
> > handle our own DNS, what's the procedure, etc. I'd be grateful if someone
> > could point me to some information on that.
> >
> > Thanks again Russell
> >
> > Kepa.
> >
> > PS: by the way our mail relay uses mailscanner
> > http://www.sng.ecs.soton.ac.uk/mailscanner/readme.shtml
> >
> > ----- Original Message -----
> > From: "Russell Aspinwall" <[email protected]>
> > To: <[email protected]>
> > Sent: Tuesday, May 28, 2002 2:19 PM
> > Subject: Re: [FW-1] SMTP incoming traffic redirection
> >
> > > Hi Kepa,
> > >
> > > The Email Server which is accessible from the Internet and is sitting in
> > > a DMZ is called a Mail Relay. All the computer does is accept Email and
> > > forward it to the Internal Mail Server which is sitting in your private
> > > network.
> > >
> > > Using FW-1, create the Mail Relay object, which will have NAT defined as
> > > it sits on your DMZ, then create the Internal Mail Server object. Then
> > > create four rules:
> > >
> > >   1. not Internal_nets     Mail_Relay           SMTP                    accept
> > >   2. Mail_Relay            not Internal_nets    SMTP                    accept
> > >   3. Mail_Relay            internal_email_srv   SMTP->filter-incoming   accept
> > >   4. internal_email_srv    Mail_Relay           SMTP->filter-outgoing   accept
> > >
> > > For reliability, cheapness and security use a PC running Solaris 8 x86
> > > or Linux and configure Sendmail. Below is the m4 file for Solaris which
> > > will generate a sendmail.cf file used to run Sendmail.
> > >
> > >   divert(0)dnl
> > >   VERSIONID(`@(#)main-v7sun.mc 1.2 (Sun) 01/27/98')
> > >   OSTYPE(solaris2.ml)dnl
> > >   DOMAIN(solaris-antispam)dnl
> > >   FEATURE(`relay_entire_domain')dnl
> > >   FEATURE(`access_db',`hash /etc/mail/access')dnl
> > >   MAILER(local)dnl
> > >   MAILER(smtp)dnl
> > >
> > > In this case your Internal DNS servers need to know that the Mail Relay
> > > is the smart host which can handle other domains, while the Mail Relay
> > > needs to forward all Email to the internal Email Server.
> > >
> > >   <-- extract sendmail.cf -->
> > >   # who I send unqualified names to (null means deliver locally)
> > >   DRinternal.email.server
> > >
> > >   # who gets all local email traffic ($R has precedence for unqualified
> > >   # names)
> > >   DHinternal.email.server
> > >   <-- extract sendmail.cf -->
> > >
> > > It is possible to use www.ravantivirus.com on both Solaris and Linux to
> > > virus check all Email before it hits your internal server without
> > > putting additional load on the Firewall.
> > >
> > > Hope that helps
> > >
> > > Russell
> > >
> > > Kepa Beracochea wrote:
> > > >
> > > > Hello all,
> > > >
> > > > I am trying to redirect all my incoming email traffic from a server to
> > > > another. The goal with this is to make all email traffic go through an
> > > > email firewall before it reaches the corporate server (without using
> > > > CVP).
> > > > To make things clear, here is the configuration we have:
> > > >
> > > > - a VPN-1 Checkpoint FW1
> > > > - on one of its interfaces: access to the outside
> > > > - on another interface: the DMZ with hosts mailgate (the email firewall)
> > > >   with private IP1 and mailserver (the corporate server) with private IP2
> > > > - on another interface: the corporate network
> > > >
> > > > So far all incoming traffic was sent to mailserver. The object that
> > > > defines mailserver in the firewall specifies a static address
> > > > translation from private address IP2 to the public address IPpu. Apart
> > > > from this, two objects "SMTP resource" specify the control of the SMTP
> > > > traffic (incoming and outgoing). In the "Match" tab of these objects,
> > > > filters say which emails to let in and out. In the General tab no Mail
> > > > Server is specified, that is, FW1 is supposed to redirect traffic to
> > > > the server specified in smtp.conf with the default_server tab (so far
> > > > it says IP2).
> > > >
> > > > To redirect all traffic to mailgate I remove object mailserver from my
> > > > rules and I replace it with an object mailgate. mailgate is defined
> > > > with static IP translation from IP1 to IPpu. I also modified my
> > > > Resource objects, specifying in the Mail Server tab "mailgate" (after
> > > > having defined mailgate in the /etc/hosts of the firewall).
> > > >
> > > > Now when I tried to send email from outside, the firewall kept sending
> > > > traffic to mailserver, so thinking that the Mail Server tab of the
> > > > SMTP Resource object did not work for me, I changed the entry in the
> > > > smtp.conf file, specifying IP1 instead. I restarted FW1 but the
> > > > traffic kept being sent to mailserver instead.
> > > >
> > > > Then I removed the IP translation in the object mailserver, thinking
> > > > that this could be it, but it did not work. But this time instead of
> > > > forwarding traffic to mailserver it just didn't forward traffic at all
> > > > to either of them, even though the log says that the traffic to
> > > > mailgate is accepted on port 25.
> > > >
> > > > So... my question is: is there a reason why FW1 would not want to
> > > > forward traffic to mailgate? Is there a file somewhere that specifies
> > > > allowed hosts to forward SMTP traffic to, etc.?
> > > >
> > > > One last point: the entry in the DNS of our provider says:
> > > >
> > > >   foo.com             IN MX 10 mailserver.foo.com
> > > >   mailserver.foo.com  IN A     IPpu
> > > >
> > > > So if I understand this right, all mail traffic to foo.com will be sent
> > > > to IPpu. Do I have to modify the entry
> > > >
> > > >   foo.com             IN MX 10 mailserver.foo.com
> > > >
> > > > to
> > > >
> > > >   foo.com             IN MX 10 mailgate.foo.com
> > > >
> > > > or can I just redirect traffic with FW1 on my site from mailserver to
> > > > mailgate?
> > > > How would you do that anyway?
> > > >
> > > > Thank you for all your help
> > > > Kepa
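The four-rule base Russell describes, modelled as a first-match policy check. This is an added example, not code from the thread or from Check Point; the Internal_nets range and all host addresses are constructed, and the model ignores NAT and the content filtering done by the SMTP Security Server. It shows why the internal mail server is reachable only from the Mail Relay, and why a compromised relay still cannot reach other internal hosts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (not from the thread): a 10/8 internal
# network, the Mail Relay in the DMZ, the internal mail server inside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAIL_RELAY = ipaddress.ip_address("192.168.100.25")
INTERNAL_EMAIL_SRV = ipaddress.ip_address("10.0.0.25")
SMTP = 25
NOT_INTERNAL = "not Internal_nets"  # negated network object used in rules 1 and 2

@dataclass(frozen=True)
class Rule:
    src: object   # an ip_address, or NOT_INTERNAL
    dst: object
    service: int  # destination TCP port
    action: str

def _match(selector, addr):
    """Match one source/destination column of a rule against an address."""
    if selector == NOT_INTERNAL:
        return not any(addr in net for net in INTERNAL_NETS)
    return addr == selector

# Russell's four rules, in order; FW-1 evaluates top-down, first match wins.
RULES = [
    Rule(NOT_INTERNAL, MAIL_RELAY, SMTP, "accept"),
    Rule(MAIL_RELAY, NOT_INTERNAL, SMTP, "accept"),
    Rule(MAIL_RELAY, INTERNAL_EMAIL_SRV, SMTP, "accept via SMTP->filter-incoming"),
    Rule(INTERNAL_EMAIL_SRV, MAIL_RELAY, SMTP, "accept via SMTP->filter-outgoing"),
]

def decide(src, dst, port):
    """Return (rule number, action) of the first matching rule, or
    (None, 'drop'): traffic matching no rule falls to the implicit drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(RULES, start=1):
        if port == rule.service and _match(rule.src, src) and _match(rule.dst, dst):
            return number, rule.action
    return None, "drop"

if __name__ == "__main__":
    for flow in [("203.0.113.7", str(MAIL_RELAY), SMTP),          # Internet -> relay
                 ("203.0.113.7", str(INTERNAL_EMAIL_SRV), SMTP),  # Internet -> internal server
                 (str(MAIL_RELAY), "10.0.0.99", SMTP)]:           # compromised relay -> other host
        print(flow, "->", decide(*flow))
```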