That is why the 3rd rule needs to be any any smtp reject.
I do not believe it is passing rule 2, just dropping past to your any any accept rule?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 06, 2000 4:14 PM
To: Dolinar, Jon
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Blank MAIL FROM: field in SMTP Security Server
That's exactly what I did - from my post from 5/26:
-----------------
I've written two separate resource-based rules to handle these:
SRC     DEST                SERVICE               ACTION
<any>   <our mail server>   smtp->to-clients      accept
<any>   <our mail server>   smtp->from-clients    accept
smtp->to-clients is a resource defined as: Match Tab -> Sender=blank,
Recipient=*@{domainA.com,domainB.com, etc}
smtp->from-clients is a resource defined as: Match Tab -> Sender
=@*{domainA.com,domainB.com, etc}, Recipient=blank
Both rules function as expected.... EXCEPT if the MAIL FROM: field in the
SMTP message itself is *BLANK* (i.e., <>). The second rule will still pass
the packet:
----------------
So, the second rule allows messages even when the "Sender" field is *BLANK*
That's the problem.
Dave Grabowski
System Arts, Inc.
(212) 604-9015 x316
[EMAIL PROTECTED]
"Dolinar, Jon" <Jon.Dolinar@tri-c.cc.oh.us>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:
06/05/2000 03:25 PM
Subject: RE: [FW1] Blank MAIL FROM: field in SMTP Security Server
Can you add smtp resource rule for outgoing that look in order for your
domains: from *@domain1 to *, *@Domain2, to *,
then a rule that says drop/reject any smtp?
So that the sender of the message has to be in your domain?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 05, 2000 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW1] Blank MAIL FROM: field in SMTP Security Server
Yes, it was a "telnet mailserver 25" -- from outside the firewall. In
essence, duplicating the problem that we are experiencing.
The SMTP server is unfortunately running Lotus Domino 5.0, and will
continue to use that for the foreseeable future.
We're hosting e-mail for a number of domains, so we need to be able to a)
allow incoming mail to all of those domains from anyone, and b) allow our
clients to use this same mail server to send mail to anyone [but only those
clients]
It appears to me that there's a bug in FW-1, since it allows the sender to
be <>....
Anyone?
Dave Grabowski
System Arts, Inc.
(212) 604-9015 x316
[EMAIL PROTECTED]
Chad Graham <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
05/26/2000 04:28 PM
Subject: Re: [FW1] Blank MAIL FROM: field in SMTP Security Server
Dave,
The example below, I assume, was "telnet port 25". Was that done
on the SMTP server, or the firewall itself? The reason I ask is because
you say it can't be recreated on the internal mail server, but you also
say the second smtp rule passes the mail. Is this server in a DMZ?
If it was done from the firewall and you have your security policy
enforce "inbound" traffic, traffic originating on the firewall will not
pass through the rulebase.
You don't mention what OS the SMTP server is running. If you
are running Solaris with a version of Sendmail less than 8.9.1, I
would suggest upgrading to 8.9.1 (at least). Our mail server was
also being used to relay spam; upgrading sendmail cut that out.
I apologize if all I did was tell you stuff you already know; hope
some of this might help.
Chad Graham
CDI Engineering
[EMAIL PROTECTED] wrote:
>
> Escape character is '^]'.
> 220 CheckPoint FireWall-1 secure SMTP server
> helo abc123
> 250 Hello abc123, pleased to meet you
> mail from: <>
> 250 <>... Sender ok
> rcpt to: <[EMAIL PROTECTED]>
> 250 <[EMAIL PROTECTED] Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> subject: this should not work!
>
> argh!
> .
> 250 Ok
> quit
> 221 Closing connection
> Connection closed by foreign host.
>
> The FW-1 log indicates that the second rule passes the message.
>
> Help! Our internal mail server is running Lotus Notes, and according to our
> Notes Guy, he can't implement the same thing on the server itself. We'll be
> moving away from this server within six months or so, but we're getting hit
> with SPAM right now and it'd be great if we could stop it. We've been given
> the scarlet letter by ORBS...
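
Added example (not part of the original thread, and not FireWall-1 code): the relay policy discussed above written as an explicit ordered check, with the null sender <> handled on purpose and the "any any smtp reject" rule as the final catch-all. The hosted domain list, function names and sample envelopes are constructed for illustration.

```python
# Hosted domains are placeholders; the thread only names "domainA.com, domainB.com, etc".
HOSTED = {"domaina.com", "domainb.com"}

def domain_of(path):
    """Return the lowercased domain of an SMTP path, or None for the null path <>."""
    addr = path.strip().strip("<>").strip()
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def decide(mail_from, rcpt_to, hosted=HOSTED):
    """Evaluate the three rules in order and return (action, rule_number)."""
    sender_dom = domain_of(mail_from)
    rcpt_dom = domain_of(rcpt_to)
    # Rule 1 (to-clients): any sender, including <> as used by bounces,
    # may deliver to a recipient in a hosted domain.
    if rcpt_dom is not None and rcpt_dom in hosted:
        return ("accept", 1)
    # Rule 2 (from-clients): relaying out requires a sender that is
    # non-null AND in a hosted domain. A blank MAIL FROM never matches.
    if sender_dom is not None and sender_dom in hosted:
        return ("accept", 2)
    # Rule 3: any any smtp reject, so nothing drops through to a later accept rule.
    return ("reject", 3)

# Constructed envelopes (MAIL FROM, RCPT TO); the second mirrors the telnet test.
SAMPLES = [
    ("<>", "<user@domainA.com>"),                   # bounce to a hosted mailbox
    ("<>", "<victim@example.net>"),                 # blank sender, outside recipient
    ("<alice@domainB.com>", "<bob@example.net>"),   # client sending out
    ("<spammer@example.org>", "<victim@example.net>"),
]

def evaluate(samples=SAMPLES):
    """Return the decision for each sample envelope, in order."""
    return [decide(sender, rcpt) for sender, rcpt in samples]

if __name__ == "__main__":
    for (sender, rcpt), (action, rule) in zip(SAMPLES, evaluate()):
        print(f"{sender:24} -> {rcpt:24} {action} (rule {rule})")
```

MAIL FROM is whatever the connecting client asserts, so rule 2 stops blank-sender relaying but does not by itself prove the sender is one of the hosted clients.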
