We also experienced this problem quite some time ago. Solution was to
define an SMTP resource that matches {*%*,*!*}@domainname and then we just
deny this. I agree that it would be nice to have a checkbox to disallow some
special characters.
>
> I had the same problem when using an SMTP Scanning relay (McAfee)
>
> It was receiving the mail, scanning it and then relaying it to the mail
> servers.
>
> I was blacklisted at orbz.org for nearly a day. I had to revert back to
> using a Linux box to answer port 25 connections, then relay valid mail to
> the SMTP scanner which in turn delivers the mail to the mail servers. QUITE
> a pain in the butt..
>
> I have also tried using the SMTP CVP scanning, but it does exactly the same
> thing. I think it's more an issue with the anti-virus software than
> checkpoint's CVP implementation...
>
> Regardless, I would always prefer to have something a bit more robust
> handling the inbound email. I can't really say that I would be comfortable
> having Exchange server accepting SMTP connections from the internet...
>
> Joe
>
>
> ======================================================================
> Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
> www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
> ======================================================================
>
>
> -----Original Message-----
> From: Miles D. Oliver [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 23, 2001 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!
>
> The Check Point Firewall-1 secure SMTP server will allow for mail
> relaying.
>
> We have set up many installations of Trend Micro's InterScan Viruswall, the
> CVP version, to scan incoming mail for our customers.
>
> We have recently noticed that many of our customers have been
> 'BLACKLISTED' for e-mail relaying when using an SMTP resource that uses
> the Check Point Firewall-1 Secure SMTP server.
>
> Defining a domain or multiple domains in the recipient field of the 'match'
> tab for all SMTP resources will only prevent a small amount of mail
> relaying. It only checks against the characters EXPLICITLY defined in the
> recipient field of the match tab.
>
> For example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[EMAIL PROTECTED]
> 250 <[EMAIL PROTECTED]>... Sender ok
> rcpt to:<[EMAIL PROTECTED]>
> 450 Mailbox unavailable.
>
> For mail sent from [EMAIL PROTECTED] to [EMAIL PROTECTED], only the domain will
> be checked and relaying will be denied.
>
> However, when the recipient is defined using special characters such as
> the "%" character, mail will be allowed to be relayed.
>
> For Example:
>
> 220 CheckPoint FireWall-1 secure SMTP server
> helo lgi.com
> 250 Hello lgi.com, pleased to meet you
> mail from:<[EMAIL PROTECTED]>
> 250 <[EMAIL PROTECTED]>... Sender ok
> rcpt to:<[EMAIL PROTECTED]>
> 250 <[EMAIL PROTECTED] Recipient ok
>
> Mail sent from [EMAIL PROTECTED] to [EMAIL PROTECTED] will allow
> the mail to be relayed to [EMAIL PROTECTED] THROUGH the Check Point SMTP
> secure server.
>
> Big problem... This should not be happening.
>
> We have had to make adjustments to all of our InterScan Viruswall
> implementations with CVP.
>
> We have had to implement a mail server in a DMZ to accept all mail for
> the domain using Sendmail 8.12.1 and its anti-relaying functions, change all
> MX records on the Internet, and then allow the mail server in the DMZ to
> forward mail to the internal mail server through the firewall to use
> the CVP resource, scan the mail, and pass it on to the internal mail server.
>
> While many would say that it is not a good idea to have the Check Point
> firewall do relay checking, and that it should be handled by a REAL mail server,
> my question is...
>
> Why does all the documentation that I have read for configuring
> CVP resources say that the firewall should be the 'inbound'
> point for incoming mail?
>
> I've looked all over Check Point's website for any information about
> mail relaying and there is NOTHING in the Secure Knowledge base about this
> BUG in the SMTP Secure server.
>
> So, in a nutshell, if you are using InterScan Viruswall or any of the
> other CVP-based tools, be prepared to set up an additional mail server to
> initially receive the incoming mail and then forward it to the firewall to
> use your defined SMTP resource.
>
> In my opinion the Check Point SMTP secure server is INSECURE and does not
> work as it should if it is to be accepting mail to pass to a CVP
> resource for scanning and then delivery to the internal mail server.
>
> It should NOT allow relaying.
>
> Don't use it unless you are prepared to be 'BLACKLISTED'.
>
> --
> Miles D. Oliver
> Senior Systems Engineer - CCSA/CCSE
> LGI
> 10450 Shaker Drive Suite 208
> Columbia Maryland USA 21046
> VOICE 410-997-1393
> FAX 410-720-1241
> EMAIL [EMAIL PROTECTED]
> WEB www.lgi.com
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
Ivan E. Auger
[EMAIL PROTECTED]
Director, Computational Molecular Biology & Statistics Core
Consultant, Computer Systems
Wadsworth Center - New York State Health Dept.
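As an added example that is not part of this thread or of any Check Point product: a recipient check in Python in the spirit of the deny rule for {*%*,*!*}@domainname described above. It contrasts a domain-only match (the behaviour the post attributes to the 'match' tab) with a check that also refuses source-routed local parts; the domain and addresses are constructed samples.

```python
import re

# Domains this gateway accepts mail for (constructed sample value).
LOCAL_DOMAINS = {"example.com"}

# Characters that historically encoded a forwarding path inside the local
# part ("%" hack and UUCP "!" bang paths). A relay that honours them will
# forward to the embedded host even though the visible domain is local.
SOURCE_ROUTE_CHARS = ("%", "!")

def domain_only_match(recipient: str, local_domains=LOCAL_DOMAINS) -> bool:
    """Naive check: accept if the text after the last '@' is a local domain.
    This is the behaviour the thread describes: it lets
    user%other.example@example.com through."""
    addr = recipient.strip("<>")
    _, _, domain = addr.rpartition("@")
    return domain.lower() in local_domains

def accept_recipient(recipient: str, local_domains=LOCAL_DOMAINS) -> bool:
    """Hardened check in the spirit of the deny rule {*%*,*!*}@domainname:
    require exactly one '@', a local domain, and a local part free of
    source-routing characters (this also rejects RFC 821 '@host:' routes)."""
    addr = recipient.strip("<>")
    if addr.count("@") != 1:
        return False
    local, _, domain = addr.partition("@")
    if not local or any(c in local for c in SOURCE_ROUTE_CHARS):
        return False
    # Restrict the local part to a conservative character set.
    if not re.fullmatch(r"[A-Za-z0-9._+\-]+", local):
        return False
    return domain.lower() in local_domains

def smtp_reply(recipient: str) -> str:
    """Reply an MTA would give to RCPT TO, using the hardened check."""
    if accept_recipient(recipient):
        return f"250 <{recipient.strip('<>')}>... Recipient ok"
    return "550 Relaying denied"
```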