>>>given the large number of exploits that are designed to root exchange
servers...

Huh? And what would those be?



-----Original Message-----
From: Bob Webber/Markham/Contr/AT&T/IJV [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 26, 2001 9:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!


My $.02:

It would be appropriate to do that if and ONLY if the mail server were on a
DMZ. I don't think it would be a good idea to forward connections from the
internet to a system which is at the very heart of the internal network. I
would expect that practically every host on the internal network can route
to the mail server. If it gets compromised, the bad guys have access to
pretty much everything.

Of course, since it is an m$ exchange server, that makes it an even more
dangerous practice, given the large number of exploits that are designed to
root exchange servers...

Bob Webber
AT&T Global Network Services
Tel: (905) 762-7433
Fax: (905) 762-7497
Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [EMAIL PROTECTED]

"Logic merely enables one to be wrong with authority" - Doctor Who


FW1-List <[EMAIL PROTECTED]>@beethoven.us.checkpoint.com> on
10/25/2001 10:19:21 PM

Please respond to Mailing list for discussion of Firewall-1
      <[EMAIL PROTECTED]>

Sent by:  Mailing list for discussion of Firewall-1
      <[EMAIL PROTECTED]>


To:   [EMAIL PROTECTED]
cc:
Subject:  Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!



Why not just let the FW-1 machine forward the port 25 traffic to the
mail server and let it (the mailserver) do the mail scanning.  I run an
Exchange 2000 Server behind a FW-1 4.1sp4 machine and have NAV for
Exchange 2.5 running and it catches everything that has hit it so far.
I'm very proactive when it comes to keeping the NAV piece up to date.
Then simply configure your mailserver as either allowing relaying or not.
That way if you set it to no relaying, then either the mail that comes
in goes to a mailbox or it gets sent back to the sender.  Otherwise, if
you turn on relaying, then configure which domains it can relay to.  I
personally don't allow relaying so I don't see the "big hole" that
everyone is complaining about.

Rob.

-----Original Message-----
From: Firewall-1 (Joe Voisin) [mailto:[EMAIL PROTECTED]]
Posted At: Tuesday, October 23, 2001 12:29 PM
Posted To: FW1-List
Conversation: Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!
Subject: Re: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!


I had the same problem when using an SMTP scanning relay (McAfee).

It was receiving the mail, scanning it and then relaying it to the mail
servers.

I was blacklisted at orbz.org for nearly a day.  I had to revert back to
using a linux box to answer port 25 connections, then relay valid mail
to the SMTP scanner which in turn delivers the mail to the mail servers.
QUITE a pain in the butt..

I have also tried using the SMTP CVP scanning, but it does exactly the
same thing.  I think it's more an issue with the anti-virus software
than checkpoint's CVP implementation...

Regardless, I would always prefer to have something a bit more robust
handling the inbound email.  I can't really say that I would be
comfortable having Exchange server accepting SMTP connections from the
internet...

Joe


======================================================================
Joseph Voisin, Systems and Network Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
======================================================================


-----Original Message-----
From: Miles D. Oliver [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 10:53 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] CheckPoint FireWall-1 "INSECURE" SMTP server - BIG HOLE!!

 The Check Point Firewall-1 secure SMTP server will allow for mail
relaying.

 We have set up many installations of Trend Micro's InterScan VirusWall,
the CVP version, to scan incoming mail for our customers.

 We have recently noticed that many of our customers have been
'BLACKLISTED' for e-mail relaying when using an SMTP resource that uses the
Check Point Firewall-1 Secure SMTP server.

 Defining a domain or multiple domains in the recipient field of the
'match' tab for all SMTP resources will only prevent a small amount of
mail relaying. It only checks against the characters EXPLICITLY defined
in the recipient field of the match tab.

 For example:

220 CheckPoint FireWall-1 secure SMTP server
helo lgi.com
250 Hello lgi.com, pleased to meet you
mail from:<[EMAIL PROTECTED]
250 <[EMAIL PROTECTED]>... Sender ok
rcpt to:<[EMAIL PROTECTED]>
450 Mailbox unavailable.

 Mail sent from [EMAIL PROTECTED] to [EMAIL PROTECTED], only the domain
will be checked and relaying will be denied.

 However, when the recipient is defined using special characters such as
the "%" character, mail will be relayed.

 For Example:

220 CheckPoint FireWall-1 secure SMTP server
helo lgi.com
250 Hello lgi.com, pleased to meet you
mail from:<[EMAIL PROTECTED]>
250 <[EMAIL PROTECTED]>... Sender ok
rcpt to:<[EMAIL PROTECTED]>
250 <[EMAIL PROTECTED] Recipient ok

 Mail sent from [EMAIL PROTECTED] to [EMAIL PROTECTED] will allow
the mail to be relayed to [EMAIL PROTECTED] THROUGH the Check Point SMTP
secure server.

 Big problem... This should not be happening.

 We have had to make adjustments to all of our InterScan Viruswall
implementations with CVP.

 We have had to implement a mail server in a DMZ to accept all mail for
the domain using Sendmail 8.12.1 and its anti-relaying functions, change
all MX records on the Internet, and then allow the mail server in the
DMZ to forward mail to the internal mail server through the firewall,
to use the CVP resource, scan the mail, and deliver it into the
internal mail server.

 While many would say that it is not a good idea to have the Check
Point firewall do relay checking and that it should be handled by a REAL
mail server, my question is...

   Why does all the documentation that I have read for configuring
CVP resources say that the firewall should be the 'inbound'
point for incoming mail?

  I've looked all over Check Point's website for any information about
mail relaying and there is NOTHING in the Secure Knowledge base about
this BUG in the SMTP Secure server.

 So, in a nutshell, if you are using InterScan VirusWall or any of the
other CVP-based tools, be prepared to set up an additional mail server to
initially receive the incoming mail and then forward it to the firewall
to use your defined SMTP resource.

 In my opinion, the Check Point SMTP secure server is INSECURE and does
not work as it should, if it is to be accepting mail to pass to a CVP
resource for scanning and then delivery to the internal mail server.

It should NOT allow relaying.

 Don't use it unless you are prepared to be 'BLACKLISTED'.

--
Miles D. Oliver
 Senior Systems Engineer - CCSA/CCSE
 LGI
 10450 Shaker Drive  Suite 208
 Columbia Maryland USA 21046
 VOICE  410-997-1393
 FAX    410-720-1241
 EMAIL  [EMAIL PROTECTED]
 WEB    www.lgi.com

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
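The "%" transcripts in Miles's post show why matching the recipient domain alone is not a relay check: the host named before the "%" is where the message actually goes. The following is an added example, not part of the original thread and not Check Point's, Trend Micro's or Sendmail's code, of the recipient check a border SMTP server in the DMZ would make instead. It accepts only plain user@domain addresses whose domain is local and refuses the legacy routing forms (the "%" hack, "!" bang paths and "@a:user@b" source routes) outright. The `LOCAL_DOMAINS` set and the probe addresses are constructed for the example.

```python
import re

# Constructed example: the domains this gateway is authoritative for.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Exactly one '@'; neither side may contain another '@' or whitespace.
_ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


def _strip_angles(rcpt: str) -> str:
    """Reduce an RCPT TO argument such as '<user@host>' to 'user@host'."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip()


def classify_recipient(rcpt: str, local_domains=LOCAL_DOMAINS):
    """Return (accept, reason) for one RCPT TO argument.

    Only a plain user@domain with a local domain is accepted.  The three
    legacy routing forms are refused because a gateway that honours them
    forwards the message to whatever host is embedded in the local part,
    regardless of the domain written after the '@':
      - '%' hack:     user%other.host@local.domain
      - bang path:    other.host!user@local.domain
      - source route: @local.domain:user@other.host
    """
    addr = _strip_angles(rcpt)
    if not addr:
        return False, "empty address"
    if addr.startswith("@"):
        return False, "source route is not accepted"
    m = _ADDR_RE.match(addr)
    if not m:
        return False, "malformed address (expected exactly one '@')"
    local = m.group("local")
    domain = m.group("domain").lower().rstrip(".")
    if "%" in local:
        return False, "'%' in local part would relay to another host"
    if "!" in local:
        return False, "'!' in local part would relay to another host"
    if domain not in local_domains:
        return False, f"{domain} is not a local domain; relaying denied"
    return True, "local recipient"


def smtp_reply(rcpt: str) -> str:
    """Render the decision as the SMTP reply line the gateway would send."""
    accept, reason = classify_recipient(rcpt)
    addr = _strip_angles(rcpt)
    if accept:
        return f"250 <{addr}> Recipient ok"
    return f"550 <{addr}> {reason}"


if __name__ == "__main__":
    # Constructed probes mirroring the two transcripts in the thread.
    for probe in ("<user@example.com>",
                  "<user%other.net@example.com>",
                  "<other.net!user@example.com>",
                  "<@example.com:user@other.net>",
                  "<user@other.net>"):
        print(f"rcpt to:{probe}")
        print(smtp_reply(probe))
```

The check fails closed: anything the regular expression cannot parse (a second "@", whitespace, an empty local part) is refused rather than passed through, which is the opposite of the behaviour described above, where only the literal characters configured in the match tab were compared. Quoted local parts from RFC 5321 are not parsed here; a gateway that needs them should parse them fully and still apply the same three refusals to the unquoted result.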