[/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\]
[/\][/\]                   AUTOMATED E-MAIL REPLY                  [/\][/\]
[/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\][/\]

I will be out of the office until Monday, January 3, 2000. If your e-mail is of an 
urgent matter, please call the Division of Information Technology's Help Desk at (909) 
955-5948.
Thank You,
-Ray Pegis        

>>> "[EMAIL PROTECTED]" 12/27/99 01:00 >>>


Firewalls-Digest       Monday, December 27 1999       Volume 08 : Number 744



In this issue:

        Re: Exchange with checkpoint unable to send to alt mx entries

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Sun, 26 Dec 1999 20:43:17 -0500
From: Chris Brenton <[EMAIL PROTECTED]>
Subject: Re: Exchange with checkpoint unable to send to alt mx entries

Jerald Josephs wrote:
> 
> Inquire whether he is using the SMTP Security Server
> on the FireWall-1 platform to check outbound mail for
> Content Security.

My guess would be "yes". At the very least, they are using the security
server as an SMTP relay.

> The FW-1 SMTP Security Server is not able to do
> MX lookups, so if the first mail relay is not responding,
> the email will not go out.

Quite true. The whole process goes something like this:
1. The internal mail server has an outbound SMTP message to deliver
2. The internal mail server performs an MX record lookup
3. The internal mail system attempts to deliver the message to the lowest
   MX value
4. FW-1 SMTP security server grabs the message
5. The IP address of the final destination is recorded
6. The message is processed against any filtering rules
7. Delivery is attempted to the IP address of the final destination

So it's easy to see why this whole thing falls apart. If the lowest MX
record value is not on-line and using the IP address recorded by the
SMTP security server, the message will never get delivered. I've seen 1+
year old messages still sitting in queue.

This error can be cleared by manually editing the file and replacing the
destination IP address with that of a higher preference MX system. This
will allow you to clean out the queue but does not "fix" the problem as
the next message sent to the same domain will die as well.

> The solution at his site would be to explicitly define a SMTP service
> rule before all other SMTP resource rules that would allow his
> Exchange Server to send out SMTP to any destination. This would
> prevent the SMTP Security Server from attempting to resolve an MX
> record.

Agreed. Use the SMTP security server to process inbound messages while
allowing the internal mail system to transmit outbound directly. The
other option is a separate box (like a Linux system) which acts as a
dedicated mail relay.

> I am sure the Exchange Server can do multiple MX lookups.

Without breaking a sweat. ;)

Cheers,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
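The failure mode Chris describes above, modelled in code. This is an added example, not code from the digest or from Check Point: the DNS lookup and the TCP connect are stubbed with constructed data (the domain example.test, the mx1/mx2/mx3 hosts, the 192.0.2.x addresses and the "down" host are all made up) so it runs offline. deliver_pinned() behaves like the relay in the thread, retrying only the single address it recorded; deliver_with_fallback() does what a real MTA does and walks the MX list in preference order until one host accepts.

```python
"""MX fallback versus a relay that pins the first destination address.

Added example for the Firewalls-Digest thread above; all hostnames,
addresses and the outage are constructed, and the resolver/connect
steps are stubs so the script runs without network access.
"""
import random

# Constructed MX data for a hypothetical domain: (preference, host, address).
MX_RECORDS = {
    "example.test": [
        (10, "mx1.example.test", "192.0.2.10"),
        (20, "mx2.example.test", "192.0.2.20"),
        (30, "mx3.example.test", "192.0.2.30"),
    ],
}

# Constructed outage: the lowest-preference (most preferred) host is down.
DOWN_HOSTS = {"192.0.2.10"}


def lookup_mx(domain):
    """Return the domain's MX records sorted by preference, lowest first.

    Hosts with equal preference may be tried in any order (RFC 974 /
    RFC 2821), so shuffle before the stable sort to spread load among them.
    """
    records = list(MX_RECORDS.get(domain, []))
    random.shuffle(records)
    return sorted(records, key=lambda rec: rec[0])


def try_connect(addr):
    """Stand-in for opening TCP/25 to addr; fails for hosts in DOWN_HOSTS."""
    return addr not in DOWN_HOSTS


def deliver_with_fallback(domain):
    """MTA behaviour: walk the MX list until a host accepts the connection.

    Returns the address that accepted (or None) plus every address tried.
    """
    attempts = []
    for _pref, _host, addr in lookup_mx(domain):
        attempts.append(addr)
        if try_connect(addr):
            return {"delivered_to": addr, "attempts": attempts}
    return {"delivered_to": None, "attempts": attempts}


def deliver_pinned(domain):
    """Relay behaviour from the thread: the internal server already chose the
    lowest MX, the relay records that one IP and every retry goes there.

    With no MX lookup of its own, the relay cannot fall back, so the message
    stays queued for as long as that single host is unreachable.
    """
    records = lookup_mx(domain)
    if not records:
        return {"delivered_to": None, "attempts": []}
    recorded_addr = records[0][2]  # the only address the relay ever knows
    if try_connect(recorded_addr):
        return {"delivered_to": recorded_addr, "attempts": [recorded_addr]}
    return {"delivered_to": None, "attempts": [recorded_addr]}


if __name__ == "__main__":
    print("pinned relay:  ", deliver_pinned("example.test"))
    print("with fallback: ", deliver_with_fallback("example.test"))
```

Run it and the pinned path reports no delivery while the fallback path lands on 192.0.2.20 after one failed attempt, which is exactly why the thread recommends letting the internal mail server (or a dedicated relay that does its own MX lookups) handle outbound delivery and reserving the content-filtering relay for inbound mail.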

------------------------------

End of Firewalls-Digest V8 #744
*******************************

To unsubscribe from Firewalls-Digest, send the following command
in the body of a message to "[EMAIL PROTECTED]":

unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":

subscribe firewalls-digest [EMAIL PROTECTED]

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
Lists.GNAC.NET, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).

