I've gone through the archives of this list, and this same question was
asked a little more than a year ago. Lots of discussion ensued, but I
couldn't find the resolution.

Here's the story: We're running FW-1 4.0. Behind the firewall, we have a
mail server that hosts POP3 mailboxes for about a dozen different domains.
Users have configured their mail clients to use this server for both POP3
and their outgoing SMTP.

Because the clients use it, the SMTP server receives two types of e-mail:

1. Messages destined for mailboxes belonging to the various domains that we
host (domainA.com, domainB.com, etc.)
2. Messages from users of the various domains that we host, going to any
other domain

I've written two separate resource-based rules to handle these:

SRC      DEST                SERVICE              ACTION
<any>    <our mail server>   smtp->to-clients     accept
<any>    <our mail server>   smtp->from-clients   accept

smtp->to-clients is a resource defined as: Match Tab -> Sender=blank,
Recipient=*@{domainA.com,domainB.com, etc}

smtp->from-clients is a resource defined as: Match Tab -> Sender
=@*{domainA.com,domainB.com, etc}, Recipient=blank

Both rules function as expected... EXCEPT if the MAIL FROM: field in the
SMTP message itself is *BLANK* (i.e., <>). The second rule will still pass
the packet:

Escape character is '^]'.
220 CheckPoint FireWall-1 secure SMTP server
helo abc123
250 Hello abc123, pleased to meet you
mail from: <>
250  <>... Sender ok
rcpt to: <[EMAIL PROTECTED]>
250  <[EMAIL PROTECTED] Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject: this should not work!

argh!
.
250 Ok
quit
221 Closing connection
Connection closed by foreign host.


The FW-1 log indicates that the second rule passes the message.

Help! Our internal mail server is running Lotus Notes, and according to our
Notes Guy, he can't implement the same thing on the server itself. We'll be
moving away from this server within six months or so, but we're getting hit
with SPAM right now and it'd be great if we could stop it. We've been given
the scarlet letter by ORBS...


Dave Grabowski
System Arts, Inc.
(212) 604-9015 x316
[EMAIL PROTECTED]
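The bypass the post describes, as an added example (not Check Point code or the poster's configuration): a small Python model of the two resource rules, with a naive version that matches the null sender the way the post observes and a hardened version that treats `<>` as its own case, so bounces to hosted mailboxes still work but the null sender can never relay outbound. Domain names and addresses are constructed.

```python
"""Relay-policy model for an SMTP gateway hosting several domains.

Added example, not FW-1 code. HOSTED_DOMAINS is a constructed sample set
standing in for the {domainA.com,domainB.com,...} list in the post.
"""
from typing import Optional

HOSTED_DOMAINS = {"domaina.com", "domainb.com"}  # constructed sample list


def envelope_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an envelope address, or None for
    the null reverse-path <> (and for anything without an '@')."""
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def naive_policy(sender: str, recipient: str) -> str:
    """Models the rule base in the post. Rule 1 (to-clients) accepts any
    message addressed to a hosted domain. Rule 2 (from-clients) accepts
    any message whose sender matches a hosted domain; as observed in the
    post, the match also fires when the sender field is empty, so <>
    is relayed to any recipient."""
    if envelope_domain(recipient) in HOSTED_DOMAINS:
        return "accept:to-clients"
    send_dom = envelope_domain(sender)
    if send_dom is None or send_dom in HOSTED_DOMAINS:  # blank == match
        return "accept:from-clients"
    return "reject:relay-denied"


def hardened_policy(sender: str, recipient: str) -> str:
    """Same two rules, but the null sender is handled explicitly: <> is
    legitimate only for bounces delivered to a mailbox we host (already
    covered by rule 1) and must never satisfy the outbound-relay rule."""
    if envelope_domain(recipient) in HOSTED_DOMAINS:
        return "accept:to-clients"          # inbound mail, bounces included
    send_dom = envelope_domain(sender)
    if send_dom is not None and send_dom in HOSTED_DOMAINS:
        return "accept:from-clients"        # outbound mail from our users
    return "reject:relay-denied"            # <> or foreign sender to foreign rcpt
```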



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================