NFR Wizards Archives: RE: proxy firewall and email


Subject: RE: proxy firewall and email
From: Dom De Vitto (domdevitto.com)
Date: Fri Jan 07 2000 - 06:00:16 CST


Firstly, Exchange 5.5 (&5.0?) has that daft 'encapsulated SMTP' bug,
so anyone can relay through 5.5 (unless it's fully patched up).
[ Exchange patches are like CERT advisories, always very late and
  always very serious. ]

Secondly, I thought Raptor had a list of (max 30?) domains that it
would accept for, so that should be set up, rather than accept any.

Thirdly, the mailer is broken if it even LOOKS at the From: field,
or anything else in the 'DATA' portion. SMTP is about transfer,
there is another RFC about what the 'DATA' bit means - most mailers
only prepend an appropriate 'Received' (as per the RFC) to the DATA.

Once you've punched the domain lists into raptor I see much of the
problem going away, if it isn't MAIL TO someone@domain the mail won't
ever be accepted by the raptor box. You may well want to enable MAPS
RBL'ing and as that means the FW does DNS lookups, a local caching DNS
server would help with speed & resilience.

Best of luck,
Dom
PS. Wow, I get to answer a question from Phoneboy, I must be good or wrong :)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd. Mob. 07971 589 201
mailto:domdevitto.com Tel. 01202 738 767
http://www.devitto.com Fax. 08700 548 750
The views expressed herein are not necessarily those of me, I MaaaaaaaD.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: owner-firewall-wizardslists.nfr.net
[mailto:owner-firewall-wizardslists.nfr.net]On Behalf Of
dwelchuswestmail.net
Sent: Wednesday, January 05, 2000 12:21 AM
To: neil.ratzlaffucop.edu
Cc: firewall-wizardslists.nfr.net
Subject: Re: proxy firewall and email

Exchange should be able to do some of this. Exchange 5.5 has the ability to turn off mail relaying (i.e. only send email to or from a particular domain). That way they could at least prevent people from using their SMTP server as a spam relay. It's possible the presence of Raptor may short-circuit that.

-- Dameon

On Mon, 03 January 2000, Neil Ratzlaff wrote:

> The Raptor firewall accepts all mail and passes it to the smtp server for
> delivery. If the recipient is not a valid user, the mail gets bounced by
> the smtp server, but to the address in the From field, not to the sender or
> last smtp server. Since you can put anything you want to in that field,
> you can send spam via this relay, albeit perhaps slowly. The firewall does
> not keep a list of legitimate users, so it can't reject mail as it should.
>
> I am sure other places have dealt with this process, so how can I advise
> this site to fix their setup? I would expect that Raptor should be able to
> hook into Exchange to validate recipients, but the site admin tells me it
> can't. I would be happy to tell them how to make Raptor just check that
> the recipient domain is correct, which should be easy to check. A post
> from the May99 archive of this list strongly suggests this is the correct
> way to proceed.

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelchphoneboy.com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
--
Signup for your free USWEST.mail Email account http://www.uswestmail.net
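
The domain-list check discussed in this thread, shown as an added example that is not from any poster and is not Raptor or Exchange code: the decision is made on the envelope recipient during the SMTP dialogue, so unwanted mail is refused on the spot instead of being accepted and bounced to a forgeable From: address. The domain names, function names and reply texts are assumptions, and refusing routed recipient forms (source routes, `%` or `!` in the local part) goes beyond what the thread states.

```python
# Added example: accept-or-refuse decision for the argument of RCPT TO.
# ACCEPTED_DOMAINS is a constructed stand-in for the firewall's domain list.
ACCEPTED_DOMAINS = {"example.edu", "mail.example.edu"}


def rcpt_decision(rcpt_arg, accepted=ACCEPTED_DOMAINS):
    """Return (smtp_code, text) for one envelope recipient.

    Only the envelope is inspected; nothing from the DATA section
    (From:, To:, ...) takes part in the decision.
    """
    addr = rcpt_arg.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # A source route ("@hop:user@domain") asks this host to forward onward.
    if addr.startswith("@"):
        return 550, "source routes not accepted"
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return 501, "malformed recipient"
    # Routing characters in the local part can hide a second destination
    # behind a local-looking domain. This is deliberately strict: it also
    # refuses the rare quoted local part that contains one of them.
    if any(ch in local for ch in "%!@"):
        return 550, "relaying denied"
    if domain.rstrip(".").lower() not in accepted:
        return 550, "relaying denied"
    return 250, "recipient domain accepted"


def screen(recipients, accepted=ACCEPTED_DOMAINS):
    """Apply rcpt_decision to each recipient; return (recipient, code) pairs."""
    return [(r, rcpt_decision(r, accepted)[0]) for r in recipients]


# Constructed sample recipients, as they would appear after "RCPT TO:".
SAMPLE = [
    "<neil@example.edu>",
    "<someone@elsewhere.test>",
    "<someone%elsewhere.test@example.edu>",
    "<@example.edu:someone@elsewhere.test>",
    "<elsewhere.test!someone@example.edu>",
]

if __name__ == "__main__":
    for rcpt, code in screen(SAMPLE):
        print(code, rcpt)
```

A domain check of this kind does not confirm that the mailbox exists; mail for unknown users in an accepted domain still reaches the internal server.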




This archive was generated by hypermail 2b27 : Fri Jan 07 2000 - 18:19:04 CST