Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 28 March 2024, 09:08:07 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14247 Posts in 4376 Topics by 6489 Members
Latest Member: GB-gattoboy
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  SMTP proxy - the actual process.
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: 1 2 [All] Go Down Print
Author Topic: SMTP proxy - the actual process.  (Read 37433 times)
glynd
Full Member
***
Offline Offline

Posts: 10


« on: Wednesday 09 December 2009, 12:15:37 am »

I am just a little confused as to the route inbound and out bound mail takes.
We have a mail server on the green n/w.

Now my understanding is this for inbound:
Mail arrives at the red i/f on port 25. The proxy accepts it (I have smtp proxy enabled on the red i/f). It gets checked for spam/viruses and if it is clean, it is forwarded to port 25 on the mail server, which delivers it the recipient.

The same for outbound:
Mail is sent from the client to the mail server on port 25. The mail server attempts to send the mail to the recipient's mail server using a dns mx lookup. But I think somehow EFW gets a look in ( I have tried smtp proxy enabled, and in transparent mode but not sure of the differences), once EFW has done its checks it then sends it back to the local mail  server for delivery using the mx record. (I have smart host enable pointing at the local mail server)

Would someone please confirm or otherwise, my understanding of this process?

The documentation is a howto and doesn't explain too well how it works.

Cheers and TIA
Glyn
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #1 on: Wednesday 16 December 2009, 09:09:08 pm »

Hi Glyn,

I think you're understanding it well.

Postfix (the SMTP proxy on Endian) acts as a Mail Transfer Agent (MTA), so it sit on the permiter of your network and delivers mail between the two with some security thrown in for good measure.

Your SMTP topology probably looks like this:

Hotmail.com  <----->  Endian <----->  Internal Mail Server

You're basically putting in an extra layer of security on your SMTP traffic is all Smiley

Gyp
Logged
b-morgan
Jr. Member
*
Offline Offline

Posts: 6


« Reply #2 on: Monday 08 March 2010, 08:40:57 am »

I'm switching to Endian from IPCop because I need the SMTP proxy.

I have a /29 netblock with the firewall assigned as x.x.x.133, gateway x.x.x.134. The configuration is RED/GREEN.

The mail server is assigned x.x.x.129 so on IPCop there is a port forward rule x.x.x.129:25 -> 192.168.0.40 and
an SNAT 192.168.0.40 -> x.x.x.129. The MX record points to x.x.x.129.

If I enable the SMTP proxy, do I still need the port forward? The SNAT? Does the MX record need to change?

Thanks for your help.

Regards,

Brad
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #3 on: Monday 08 March 2010, 08:52:00 am »

Hi Morgan,

You won't regret making the switch Smiley

As long as your MX records point at x.x.x.129 and you give Endian the x.x.x.129 IP address on the RED interface you shouldn't need to change any DNS settings or implement any port forwards or anything like that.  Endian will quite happily proxy the connections across your network.  It'll also help to allow your internal email server to relay out via the Endian box too.

Just make sure you set up the SMTP features properly.

Just to clarify though is your firewall dealing with all your WAN IP addresses or just the x.x.x.133?

Gyp
Logged
b-morgan
Jr. Member
*
Offline Offline

Posts: 6


« Reply #4 on: Monday 08 March 2010, 09:22:34 am »

As long as your MX records point at x.x.x.129 and you give Endian the x.x.x.129 IP address on the RED interface you shouldn't need to change any DNS settings or implement any port forwards or anything like that.  Endian will quite happily proxy the connections across your network.  It'll also help to allow your internal email server to relay out via the Endian box too.

Just make sure you set up the SMTP features properly.

Just to clarify though is your firewall dealing with all your WAN IP addresses or just the x.x.x.133?

Thanks for the information. I've disabled the port 25 forward rule with a remark that the SMTP proxy is handling it. The firewall is handling all of the WAN IP addresses, x.x.x.129 - x.x.x.133.

The mail server will relay out through the Endian box. The mail server (SBS 2008 / Exchange 2007) is also providing OWA through ports 80 and 443. There's also a Terminal Services server on
a different IP. I'll look at reconfiguring the firewall to use the x.x.x.129 address instead of the current x.x.x.133. I can also change the MX record fairly easily (Web interface to the ISP, 300 second TTL).

With regards to SMTP features, I'm starting with Virus checking only. I'll progress forward as I become comfortable with Endian.

Regards,

Brad

Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #5 on: Monday 08 March 2010, 08:13:50 pm »

Excellent, looks like it's sorted Smiley

I'd heartily recommend you put in a  of RBLs too, bl.spamcop.net and zen.spamhaus.org are especially good and very very rarely give us any false positives.
Logged
david_thistlethwaite
Full Member
***
Offline Offline

Posts: 14


« Reply #6 on: Monday 05 April 2010, 06:38:44 am »

Strange I have a internal mail server, exchange, and I have the smtp proxy configured, and I have to have smtp port forward  from the red IF to the GREEN and only then does the smtp proxy work?

Any ideas???

David
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #7 on: Wednesday 07 April 2010, 01:39:25 am »

Hi David,

Very strange  Huh

What are your mail logs telling you with regards to the email flow?  ("tail /var/log/mail.log" from the command line).

And what options do you have ticked on the management screen?  (Proxy - SMTP - Main).

Gyp
Logged
david_thistlethwaite
Full Member
***
Offline Offline

Posts: 14


« Reply #8 on: Wednesday 14 April 2010, 07:47:02 am »

Well I had a look at the mail flow logs with the NAT rule turned off and the smtp proxy on.

There was 0 mail flow, so the firewall was rejecting all smtp (25) traffic.
As soon as the NAT forwarding rule was turned back on all was well.

Seems pretty strange.

David
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #9 on: Wednesday 14 April 2010, 07:42:46 pm »

Hi David,

Under Firewall - System Access - Show Rules of System Services

Do you have the line:

Quote
<ANY>     <ANY>     TCP/25      ALLOW      Service (SMTPD)

Because when I enable/disable under Proxy - SMTP the following the rule is created automatically for me:

Quote
Enabled: Yes    
Transparent on GREEN: No
Antivirus is enabled: Yes
Spamcheck is enabled: Yes   
File extensions are blocked: Yes    
Incoming mail enabled: Yes
Firewall logs outgoing connections: Yes

Could be a bug I suppose, but not sure.  If you've got a work around implemented that could be stopping the rule from being automatically created I suppose.

Gyp
Logged
david_thistlethwaite
Full Member
***
Offline Offline

Posts: 14


« Reply #10 on: Friday 16 April 2010, 02:40:43 am »

So I re-installed the firewall then

- implemented the proxy, no mail traffic
- added the nat rule to forward to the green ip -> mail flows as needed

I did check the system rules before and after the re-install,  and they were as they needed to be.
The smtp rule just does not work?

I am using endian community 2.3.0
what version are you running

Also do you know where I can find the firewall rules at the shell level, it may reveal a little more

Looks like a bug

David
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #11 on: Friday 16 April 2010, 05:11:15 am »

Hi David,

Hm, does sound like a big then.

You may be best of registering it over at:

http://bugs.endian.com/main_page.php

I'm still on 2.2r3, and it works quite happily on mine.  Very very strange saying it doesn't create the rule automatically.

Gyp
Logged
david_thistlethwaite
Full Member
***
Offline Offline

Posts: 14


« Reply #12 on: Friday 16 April 2010, 05:21:50 am »

Oh, it creates the rule it just does not do anything.

David
Logged
Ajeris
Jr. Member
*
Offline Offline

Posts: 4


« Reply #13 on: Sunday 22 April 2012, 07:00:52 pm »

Hello, I have a mail server in the DMZ is setup SMTP millet green transparent orange red prohrachny active in this mode is almost worth waiting a  of minutes and then returned to the recipient unfolds like postfih mail back how to fix this error?
Logged
david_thistlethwaite
Full Member
***
Offline Offline

Posts: 14


« Reply #14 on: Sunday 22 April 2012, 07:51:49 pm »

Hello, I have a mail server in the DMZ is setup SMTP millet green transparent orange red prohrachny active in this mode is almost worth waiting a  of minutes and then returned to the recipient unfolds like postfih mail back how to fix this error?

Sorry I do not understand what you are asking?

David
Logged
Ajeris
Jr. Member
*
Offline Offline

Posts: 4


« Reply #15 on: Sunday 22 April 2012, 07:56:47 pm »

Hi David
sorry for my bad english Angry when you turn on smtp proxy in my letter back: mail loop: too many hops (too many 'Received:' header fields)

Hello, I have a mail server in the DMZ is setup SMTP millet green> transparent orange> transparent red>active in this mode is almost worth waiting a  of minutes and then returned to the recipient unfolds like postfix mail back how to fix this error?
Endian Firewall Community 2.5.1

how to disable the SMTP proxy for outbound traffic?
Help the council really need anti-spam filter
Help me plz
Logged
Pages: 1 2 [All] Go Up Print 
« previous next »
Jump to:  

Page created in 0.109 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com