topic Re: Configuring Check Point Gateway to act as SMTP proxy/relay in Firewall and Security Management

Configuring Check Point Gateway to act as SMTP proxy/relay

Andrew-OCD — Tue, 30 Apr 2024 09:40:05 GMT

Dear CheckMates,

I am in the process of trying to replace a SOPHOS UTM with a Check Point 6400 appliance cluster.

Currently the SOPHOS is acting as an SMTP proxy/relay and the customer would like to have the Check Point take over this functionality.

I have so far not been able to clearly identify how to achieve this.

There is no mail server on the internal side that we can use. For the outgoing SMTP traffic the idea is to NAT the traffic to a dedicated IP address for the purposes of DMARC and other authorisation based on the SMTP IP address.

I was looking into the MTA option in the config but this is clearly more oriented towards acting as a man-in-the-middle between the external MTA and the Internal Mail Server.

Any suggestions would be greatly appreciated.

Best regards,

Andrew

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

JP_Rex — Tue, 30 Apr 2024 11:08:14 GMT

ATRG: Mail Transfer Agent (MTA) (checkpoint.com)

The MTA is part of the Content Awareness

Regards

Peter

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

JP_Rex — Tue, 30 Apr 2024 11:17:16 GMT

And in the Current Documentation:
Configuring the Security Gateway as a Mail Transfer Agent (checkpoint.com)

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

JP_Rex — Tue, 30 Apr 2024 11:29:48 GMT

Hello Andrew,

the question is how do the Clients communicate with there Mailbox servers? And how do they send E-Mails. O365 uses https not smtp. Were are the Mailbox Servers?

Can you post a topology overview?

Regards

Peter

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

Andrew-OCD — Wed, 01 May 2024 15:13:01 GMT

The devices in the internal VLANs do not use a mail server because they use outgoing SMTP only (e.g. Scan to email device), in the past they had the SOPHOS as their mail server and it acted as a Proxy/Relay and handled the smtp traffic directly off the devices. When the message was being transferred to the outside world it would have a dedicated NAT IP address associated with all outgoing SMTP traffic so that the upstream mail servers would recognise it in their DMARC verification and if they used any IP based filtering for inbound smtp.

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

PhoneBoy — Wed, 01 May 2024 15:41:40 GMT

Our MTA is provided in the context of our Threat Prevention/DLP Features and uses Postfix.
You can edit the configuration as appropriate to support such a configuration: https://support.checkpoint.com/results/sk/sk101870
Whether this configuration would be formally supported is a separate question.

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

JP_Rex — Thu, 02 May 2024 09:20:32 GMT

you don't have to change much, there is not one internal exchange server but many server using SMTP with an "open" MTA (use custom interfaces, not all external) and the forwarding Mail server is external.

It should work.

Re: Configuring Check Point Gateway to act as SMTP proxy/relay

Andrew-OCD — Fri, 02 Aug 2024 09:17:37 GMT

Thanks guys for your suggestions and help/support.

In the end the customer did not want to take any chances with the solution being not supported so I persuaded them to re-architect their solution and use an internal mail relay server which conformed to their internal security guidelines.

Again much appreciated.