Checkpoint FW-1 v3.0b Mail Proxy

Lart lart@hacksec.org
Sat, 28 Nov 1998 12:01:17 -0500


Luke Gill wrote:
> 
> While reviewing a FW-1 install for a client, I was told by the contractor
> who installed the FW-1 that there is a problem with the mail proxy included
> with FW-1.  He mentioned that the mail proxy will drop messages under a
> "high traffic environment".  I found this interesting as I had not heard
> this before.  My client under advice from the installation contractor
> installed a port 25 filter on the FW-1 and sends all mail to a Linux box
> inside the intranet with Qmail running on it.
> 
> I was wondering how severe the mail proxy bug is, and also whether it is fixed
> in v4.0?  Also, what experiences have the rest of you had with qmail?

I'm not a real fan of putting ANY services on a firewall, especially
the CP SMTP security server.  It blabs to anyone who wants to know what
fw you are running.  If the script kiddies want to find out what fw I'm
running, they'll have to work harder than that.

In FW-1 4.0, the SMTP server is much better (doesn't toss messages away,
actually uses MX records, etc.), but I still don't like that idea.

It would be my preference to have your FW-1 box with 3 interfaces, and
stick some kind of *nix in the DMZ running qmail, and set up qmail to
use /var/qmail/control/smtproutes to shoot the mail back into your
internal network.

So, essentially, your FW rules would look like:

Source               Destination            Service   Action
Any                  dmz-mail-server        smtp      Accept
dmz-mail-server      internal-mail-server   smtp      Accept

How about relay protection?  Suppose you want to allow relay from the
networks 1.1.1.0/24 and 1.2.3.0/24.  Run qmail-smtpd from tcpserver
(0.80 or higher), and make an /etc/tcp.smtp.cdb file that contains:

127.0.0.1:allow,RELAYCLIENT=""
1.1.1.:allow,RELAYCLIENT=""
1.2.3.:allow,RELAYCLIENT=""
:allow

The magic invocation for tcpserver/qmail-smtpd is:

tcpserver -R -x/etc/tcp.smtp.cdb -c 100 -v -u <uid of qmaild user> \
   -g <gid nofiles group> 0 smtp \
   /var/qmail/bin/qmail-smtpd 2>&1 | splogger smtpd 2 &

Why tcpserver and not tcp-wrappers?  tcpserver is faster than inetd,
doesn't choke under a high load, and has integrated access control,
instead of having to combine inetd with tcpd.

--lart
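An added illustration, not part of lart's post and not code from ucspi-tcp or qmail: the Python below models how tcpserver picks a rule from a tcp.smtp rule set (exact address first, then shorter IP prefixes ending in a dot, then the empty default key, per the tcprules documentation), how the matched rule's RELAYCLIENT variable decides whether qmail-smtpd will relay, and how an accepted recipient is then routed inward via rcpthosts and smtproutes as the DMZ design above requires. It uses the post's rules plus one constructed deny line (1.1.1.66) to show that a full address beats a prefix, and constructed rcpthosts/smtproutes entries for example.com. It goes beyond the post by also checking the classic open-relay mistake of putting RELAYCLIENT on the default rule; hostname (=host) keys are modelled but the wildcard `.domain` and default `:host` forms of smtproutes are not.

```python
# Model of tcpserver/tcprules lookup plus qmail-smtpd's RCPT TO decision.
# Illustration only; not code from the post, ucspi-tcp or qmail.
# Rule text: the post's rules plus one constructed deny line for precedence.

RULES_TEXT = """\
# constructed: a known bad host inside an otherwise trusted network
1.1.1.66:deny
127.0.0.1:allow,RELAYCLIENT=""
1.1.1.:allow,RELAYCLIENT=""
1.2.3.:allow,RELAYCLIENT=""
:allow
"""

# Constructed control files for the DMZ relay host (control/rcpthosts and
# control/smtproutes in domain:relayhost form).
RCPTHOSTS = {"example.com", "mail.example.com"}
SMTPROUTES = {"example.com": "internal-mail-server",
              "mail.example.com": "internal-mail-server"}


def parse_rules(text):
    """tcprules source -> {key: (action, env)}. Blank lines and '#' comments
    are ignored; a rule is key:allow|deny[,VAR="value",...]; first key wins."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, body = line.partition(":")
        fields = body.split(",")
        if fields[0] not in ("allow", "deny"):
            raise ValueError("bad action in rule: %r" % raw)
        env = {}
        for item in fields[1:]:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules.setdefault(key, (fields[0], env))
    return rules


def candidate_keys(ip, host=None):
    """Keys in the order tcpserver consults them: exact IP, =host, shorter IP
    prefixes ending in '.', =.domain suffixes, '=' if host known, then ''."""
    keys = [ip]
    if host:
        keys.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):
            keys.append("=." + ".".join(labels[n:]))
        keys.append("=")
    keys.append("")
    return keys


def lookup(rules, ip, host=None):
    """Return (matched_key, (action, env)); with no rule at all tcpserver allows."""
    for key in candidate_keys(ip, host):
        if key in rules:
            return key, rules[key]
    return None, ("allow", {})


def smtp_decision(rules, ip, host=None):
    """'deny' (tcpserver drops the connection), 'relay' (RELAYCLIENT exported,
    so any recipient is accepted) or 'local-only' (rcpthosts domains only)."""
    _, (action, env) = lookup(rules, ip, host)
    if action == "deny":
        return "deny"
    return "relay" if "RELAYCLIENT" in env else "local-only"


def rcpt_to(rules, ip, recipient, host=None):
    """qmail-smtpd's RCPT TO check, then routing of an accepted recipient."""
    decision = smtp_decision(rules, ip, host)
    if decision == "deny":
        return "connection refused by tcpserver"
    domain = recipient.rpartition("@")[2].lower()
    if domain in RCPTHOSTS:            # our own domains: shoot them inward
        return "forward to " + SMTPROUTES.get(domain, "MX lookup")
    if decision == "relay":            # trusted client, foreign domain
        return "relay via MX lookup"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for client in ("127.0.0.1", "1.1.1.50", "1.1.1.66", "1.2.3.4", "9.9.9.9"):
        key, _ = lookup(RULES, client)
        print("%-10s matched %-11r -> %s / %s" % (client, key,
              smtp_decision(RULES, client), rcpt_to(RULES, client, "bob@other.org")))
    # The open-relay mistake: RELAYCLIENT on the default (empty) key.
    print("default rule with RELAYCLIENT:",
          smtp_decision(parse_rules(':allow,RELAYCLIENT=""'), "9.9.9.9"))
```

Running it shows 1.1.1.66 refused before SMTP even starts, the two /24s and loopback relaying anywhere, and everyone else able to send only to the domains in rcpthosts; a default rule of `:allow,RELAYCLIENT=""` turns the DMZ host into an open relay, which is the one line to double-check whenever this file is edited.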