
Re: [FW-1] SMTP incoming traffic redirection



  The "usual" way to do this is to put a DNS server (pair) in the DMZ (or
colocated externally) to serve requests from the outside (it only knows
about servers you want the world to see), and another on the internal
network that knows about internal machines and will forward internal
resolution requests for outside domains.  (Whether these should both claim
to be authoritative for the same zone, or whether you should create a fake
".internal" zone, is open to debate -- each approach has benefits and
drawbacks.)
  You can configure BIND 9 to serve up different data files for the same
zone, depending on the network from which the request originates.  This
would allow a server in the DMZ to perform in both roles without a fake
zone.

Dave Gillett
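The BIND 9 arrangement Dave describes above, as an added example configuration that is not from the post or from any of the participants: one named.conf with two views of the same zone, plus the external zone file that publishes only the hosts the world needs. The zone name example.com, the 10.0.0.0/8 and 192.168.0.0/16 internal ranges, the 203.0.113.0/24 public addresses and the file names are all assumed.

```conf
// named.conf (added example, not from the post). One BIND 9 server can answer
// for example.com with different zone data depending on the querying network.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // assumed internal ranges

options {
    directory "/var/named";
    allow-transfer { none; };          // no zone transfers unless a secondary is listed
};

// Clients on the internal ranges get the full zone and may recurse through
// this server for outside domains.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // mailserver, workstations, etc.
    };
};

// Everyone else matches this view: published hosts only, and no recursion,
// so the box cannot be used as an open resolver from the Internet.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // MX, ns, www only
    };
};

; ---- external/example.com.zone (zone-file syntax; ';' starts a comment) ----
$TTL 3600
@         IN SOA ns1.example.com. hostmaster.example.com. (
              2002052901 3600 900 604800 3600 )
          IN NS  ns1.example.com.
          IN MX  10 mailgate.example.com.   ; the Mail Relay in the DMZ, never the internal server
ns1       IN A   203.0.113.2                ; assumed public addresses
mailgate  IN A   203.0.113.25               ; the relay's NATed public address
www       IN A   203.0.113.80
```

The internal zone file (not shown) carries the same public records plus the private hosts, and an internal client and an external client querying the same name get different answers from the same daemon.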


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Kepa
> Beracochea
> Sent: Wednesday, May 29, 2002 04:52
> To: [email protected]
> Subject: Re: [FW-1] SMTP incoming traffic redirection
>
>
> Thanks Russell
> All this makes sense... and brings up a few more questions.
> How can employees retrieve messages from the outside if your server is
> sitting in your private network? (with simple POP or through an HTTP
> interface) Or should they not? Maybe leaving port 110 open to the outside
> represents a security breach?
> About the DNS stuff, I'm not sure I got your information right: is the
> external DNS a DNS that sits in your DMZ zone and the internal one in your
> private network? Or is there just one in the DMZ? How many DNS should you
> be running?
> Thanks again
> Kepa
>
> ----- Original Message -----
> From: "Russell Aspinwall" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, May 29, 2002 8:43 AM
> Subject: Re: [FW-1] SMTP incoming traffic redirection
>
>
> Hi Kepa,
>
> The reason the internal mail server is sitting on the internal network
> is for safety.
>
> 1. Assuming that the Mail Relay is compromised, it will be very easy to
> access your internal server while it is sitting on the DMZ.
>
> 2. An internal server should be trusted; why place it into an untrusted
> region like a DMZ?
>
> 3. By having the internal server on the internal network, the only way
> for the Mail Relay to talk to it is via the SMTP Security Server on the
> FW, an additional protection, particularly if you are using CVP.
>
> 4. Running your own internal DNS server hides your internal network
> details; the external DNS should only provide the information you need to
> provide, e.g. DNS, WWW and FTP details.
>
> Regards
>
> Russell
>
>
> Kepa Beracochea wrote:
> >
> > Russell,
> >
> > Thanks a bunch for the information. I have several questions about your
> > input, but first I think I found the problem I had (though I haven't been
> > able to test it yet).
> > To forward all smtp traffic to my mail relay (or mailgate as I called it) I
> > need to modify an entry in the routing table of the firewall, as follows:
> >
> >         destination    gateway
> > old     IPpu           IP2
> > new     IPpu           IP1
> >
> > where
> > IPpu = public address of mail server
> > IP2 = private IP of mail server
> > IP1 = private IP of mail relay
> >
> > You pretty much described the architecture we're trying to implement
> > (sendmail, Linux, m4 macro file, etc), only both the mail server and the
> > mail relay are in the DMZ (firewall configuration differs).
> >
> > So I guess my first question is what's the advantage of having the mail
> > server inside your private network. So far it has been sitting alone in the
> > DMZ so I'd like to have a good reason before I put it on our private segment
> > (and change its IP, clients' MUA configuration, etc).
> >
> > Another thing is that we don't have a private DNS for the company (we use
> > external ones from our provider). Although this doesn't fit into the subject
> > of the mailing list, could someone tell me what's the advantage of having a
> > private DNS and what information needs to be transmitted to the provider to
> > handle our own DNS, what's the procedure, etc. I'd be grateful if someone
> > could point me to some information on that.
> >
> > Thanks again Russell
> >
> > Kepa.
> >
> > PS: by the way our mail relay uses mailscanner
> > http://www.sng.ecs.soton.ac.uk/mailscanner/readme.shtml
> >
> > ----- Original Message -----
> > From: "Russell Aspinwall" <[email protected]>
> > To: <[email protected]>
> > Sent: Tuesday, May 28, 2002 2:19 PM
> > Subject: Re: [FW-1] SMTP incoming traffic redirection
> >
> > > Hi Kepa,
> > >
> > > The Email Server which is accessible from the Internet and is sitting in
> > > a DMZ is called a Mail Relay. All the computer does is accept Email and
> > > forward it to the Internal Mail Server which is sitting in your private
> > > network.
> > >
> > > Using FW-1 create the Mail Relay object which will have NAT defined as
> > > it sits on your DMZ, then create the Internal Mail Server object. Then
> > > create four rules:
> > >
> > >     Source                 Destination         Service                 Action
> > > 1.  not Internal_nets      Mail_Relay          SMTP                    accept
> > > 2.  Mail_Relay             not Internal_nets   SMTP                    accept
> > > 3.  Mail_Relay             internal_email_srv  SMTP->filter-incoming   accept
> > > 4.  internal-email_srv     Mail_Relay          SMTP->filter-outgoing   accept
> > >
> > > For reliability, cheapness and security use a PC running Solaris 8 x86
> > > or Linux and configure Sendmail. Below is the m4 file for Solaris which
> > > will generate a sendmail.cf file used to run Sendmail.
> > >
> > > divert(0)dnl
> > > VERSIONID(`@(#)main-v7sun.mc    1.2 (Sun) 01/27/98')
> > > OSTYPE(solaris2.ml)dnl
> > > DOMAIN(solaris-antispam)dnl
> > > FEATURE(`relay_entire_domain')dnl
> > > FEATURE(`access_db',`hash /etc/mail/access')dnl
> > > MAILER(local)dnl
> > > MAILER(smtp)dnl
> > >
> > > In this case your Internal DNS servers need to know that the Mail Relay
> > > is the smart host which can handle other domains, while the Mail Relay
> > > needs to forward all Email to the internal Email Server.
> > >
> > > <-- extract sendmail.cf -->
> > > # who I send unqualified names to (null means deliver locally)
> > > DRinternal.email.server
> > >
> > > # who gets all local email traffic ($R has precedence for unqualified names)
> > > DHinternal.email.server
> > > <-- extract sendmail.cf -->
> > >
> > > It is possible to use www.ravantivirus.com on both Solaris and Linux to
> > > virus check all Email before it hits your internal server without
> > > putting additional load on the Firewall.
> > >
> > > Hope that helps
> > >
> > > Russell
> > >
> > >
> > > > Kepa Beracochea wrote:
> > > >
> > > > Hello all,
> > > >
> > > > I am trying to redirect all my incoming email traffic from a server to
> > > > another. The goal with this is to make all email traffic go through an
> > > > email firewall before it reaches the corporate server (without using
> > > > CVP).
> > > > To make things clear here is the configuration we have:
> > > >
> > > > - a VPN-1 Checkpoint FW1
> > > > - on one of its interfaces: access to the outside
> > > > - on another interface: the DMZ with hosts mailgate (the firewall)
> > > >   with private IP1 and mailserver (the corporate server) with private IP2
> > > > - on another interface: the corporate network
> > > >
> > > > So far all incoming traffic was sent to mailserver. The object that
> > > > defines mailserver in the firewall specifies a static address
> > > > translation from private address IP2 to the public address IPpu. Apart
> > > > from this, two objects "SMTP resource" specify the control of the SMTP
> > > > traffic (incoming and outgoing). In the "Match" tab of these objects
> > > > filters say which emails to let in and out. In the General tab no Mail
> > > > Server is specified, that is FW1 is supposed to redirect traffic to
> > > > the server specified in smtp.conf with the default_server tab (so far
> > > > it says IP2).
> > > >
> > > > To redirect all traffic to mailgate I remove object mailserver from my
> > > > rules and I replace it with an object mailgate. mailgate is defined
> > > > with static IP translation from IP1 to IPpu. I also modified my
> > > > Resource objects, specifying in the Mail Server tab "mailgate" (after
> > > > having defined mailgate in the /etc/hosts of the firewall).
> > > >
> > > > Now when I tried to send email from outside, the firewall kept sending
> > > > traffic to mailserver, so thinking that the Mail Server tab of the
> > > > SMTP Resource object did not work for me I changed the entry in the
> > > > smtp.conf file, specifying IP1 instead. I restarted FW1 but the
> > > > traffic kept being sent to mailserver instead.
> > > >
> > > > Then I removed the IP translation in the object mailserver thinking
> > > > that this could be it, but it did not work. But this time instead of
> > > > forwarding traffic to mailserver it just didn't forward traffic at all
> > > > to either of them, even though the log says that the traffic to
> > > > mailgate is accepted on port 25.
> > > >
> > > > So... my question is: is there a reason why FW1 would not want to
> > > > forward traffic to mailgate? Is there a file somewhere that specifies
> > > > allowed hosts to forward SMTP traffic to, etc.?
> > > >
> > > > One last point: the entry in the DNS of our provider says:
> > > >
> > > > foo.com IN MX 10 mailserver.foo.com
> > > > mailserver.foo.com IN A IPpu
> > > >
> > > > So if I understand this right all mail traffic to foo.com will be sent
> > > > to IPpu. Do I have to modify the entry
> > > >
> > > > foo.com IN MX 10 mailserver.foo.com
> > > >
> > > > to
> > > >
> > > > foo.com IN MX 10 mailgate.foo.com
> > > >
> > > > or can I just redirect traffic with FW1 on my site from mailserver to
> > > > mailgate?
> > > > How would you do that anyway?
> > > >
> > > > Thank you for all your help
> > > > Kepa
> > >
> > > =================================================
> > > To set vacation, Out Of Office, or away messages,
> > > send an email to [email protected]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [email protected]
> > > =================================================
> >
>
> --
> Network and Systems Administrator           Flomerics Ltd
> Email: russell.aspinwall at flomerics.co.uk 81 Bridge Road
> Telephone: 020-8941-8810 x3116              Hampton Court
> Facsimile: 020-8941-8730                    Surrey, KT8 9HH, UK
>
>
>




 