NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Secure SMTP server used for spam relay



>I don't understand. To get anything into the firewall, it has to have a
>destination of ourdomain.com, or it has to come from your internal mail
>server. How does setting the sender to ourdomain.com allow external
machines
>(not your mail server) to relay through the firewall?
I don't understand either especially since it has to come from the internal
mail server

>I'd rather let my end MTA handle this than the firewall MTA.
Well it's also what I would like to do but I was never able to do that.
I tried turning the secure SMTP server off then put a translation rule to
translate all incoming smtp to the firewall into incoming smtp to the
mailserver. But no matter what rule I put "accept incoming smtp with
mailserver as destination" or "accept incoming smtp with firewall as
destination" it gets rejected.
How do I set up mail rules without using the secure SMTP server ?

Thanks
Francis

-----Original Message-----
From: Crist Clark [mailto:[email protected]]
Sent: Monday, 26 August, 2002 19:40
To: [email protected]
Subject: Re: [FW-1] Secure SMTP server used for spam relay


Francis Lachance wrote:
>
> Hi,
>
> It seems our CheckPoint FW-1 was used to relay spam mail, here are  the
> details.
>
> CheckPoint FW-1 4.1 SP6 on NT 4
>
> We have no DMZ so our mail server is on the internal segment and have only
> two valid address available to us (one for the fw external interface and
one
> for the router).
> We have a little mail server inside used by only a few users.The FW-1 SMTP
> Security Server is enabled and I have the following rules for SMTP:
> >From Any to firewall smtp(incoming) accept
> >From mailserver to Any smtp(outgoing) accept
> The incoming resource states that the sender can be anybody (*) but the
> recipients has to be in our domain (*@ourdomain.com)
> The outgoing resource states that the sender has to be in our domain
> (*@ourdomain.com) and the recipients can be anybody.
>
> The security group found out that spammers were using the firewall to
relay
> mail by changing the sender to be [email protected].

I don't understand. To get anything into the firewall, it has to have a
destination of ourdomain.com, or it has to come from your internal mail
server. How does setting the sender to ourdomain.com allow external machines
(not your mail server) to relay through the firewall?

> Since we only have a few users I changed the incoming resource to state
that
> the recipients can only be specific users
> ({user1,user2,user3}@ourdomain.com).

OK. Personally, I'd rather let my end MTA handle this than the firewall MTA.

> Same thing for the outgoing resource the sender has to match a valid user
to
> send.

The sender field in SMTP can be set arbitrarily. This is just a little
security
by obscurity.

> After these changes I feeled we were ok but the security group stated that
> we were still vulnerable to spammers and therefore had to disable our smtp
> service. What they do is they run the chkspam perl script
> (http://vancouver-webpages.com/pub/chkspam) against our firewall external
> interface and get the following results:
> 220 CheckPoint Firewall-1 secure SMTP server
> requires HELO: NO

OK, who cares.

> allows VRFY username verification: YES

Yes, the firewall _always_ responds to _any_ VRFY with a 250. This result
is meaningless.

> allows EXPN forwarding expansion: NO
> allows bogus From: header: YES

An MTA shouldn't care about the From: in the mail data.

> allows simple mail relaying: YES

Obviously. This is what it is there for. It relays your mail to your
internal mailserver.

> may allow UUCP mail relaying: NO
> allows other mail relaying: NO

This is what's really important here and it passes these rather simplt
checks.
--
Crist J. Clark                               [email protected]
Globalstar CommunicationsThe information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.