topic Re: Enabling SMTP port for mail security appliance in the DMZ in Firewall and Security Management

Enabling SMTP port for mail security appliance in the DMZ

PRICE_ETIENNE — Mon, 30 Sep 2019 14:38:24 GMT

Is there a reason why a mail security appliance that's located at the DMZ cannot send mail to outside of my organization? Port 25 is enabled on the firewall. SmartView tracker does not show dropped smtp traffic from the host. Even a simple telnet from the appliance on port 25 is dropped.

Any suggestion would greatly be appreciated.

Thanks

Re: Enabling SMTP port for mail security appliance in the DMZ

PhoneBoy — Tue, 01 Oct 2019 23:02:38 GMT

Does a tcpdump show the traffic even entering the Security Gateway?

Re: Enabling SMTP port for mail security appliance in the DMZ

PRICE_ETIENNE — Wed, 02 Oct 2019 13:03:00 GMT

It does not look like the traffic is leaving the firewall. All I see on the tcpdump is TCP Retransmission error to the destination SMTP server.

Ex.

6 30.999253 21.168.1.101 173.194.204.26 TCP 74 [TCP Retransmission] 34749 → 25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1483731605 TSecr=0 WS=4

Re: Enabling SMTP port for mail security appliance in the DMZ

G_W_Albrecht — Wed, 02 Oct 2019 13:23:34 GMT

What about the access policy rule for DMZ with service SMTP ?

Re: Enabling SMTP port for mail security appliance in the DMZ

PhoneBoy — Wed, 02 Oct 2019 17:30:55 GMT

This probably needs some fw ctl debug to see where it's getting dropped in the process.
Something like fw ctl debug -m fw + drop with all the other necessary commands.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98799

Re: Enabling SMTP port for mail security appliance in the DMZ

Dale_Lobb — Wed, 02 Oct 2019 20:48:01 GMT

Check SmartLog for Anti-Bot blade entries calling out possibly malicious e-mail or SPAM from your DMZ appliance.

The situation sounds somewhat similar to another community discussion we are having: "Having issues with firewall dropping mail as spam" https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Having-issues-with-firewall-dropping-mail-as-spam/m-p/63874#M1855

Re: Enabling SMTP port for mail security appliance in the DMZ

weimin — Mon, 20 Jan 2020 14:06:45 GMT

How about this issue ? I met the SMTP issue after upgrade R80.10 from R75.47.

This issue cased a lot of email have been delayed, even some emails can’t be received. It affects customer’s business seriously.

I tried to capture packet form new appliance, no found abnormal SMTP traffic. After rollback to old checkpoint appliance, the SMTP traffic is normal.

New appliance only enable firewall blade.

I have uploaded capture traffic, the traffic is not normal in red.

Re: Enabling SMTP port for mail security appliance in the DMZ

PhoneBoy — Mon, 20 Jan 2020 22:30:51 GMT

No attachments to your post.
Also, if it's firewall only (no other blades), this should be a relatively simple issue to troubleshoot.
What precise rules (provide screenshot) are being used to permit access via SMTP?

Re: Enabling SMTP port for mail security appliance in the DMZ

weimin — Tue, 21 Jan 2020 00:36:31 GMT

I have the policy that any to mail serve ip address service any policy. See attached screenshot.

Mail server ip: 202.38.134.236 , Tcpdump found lot of retransmission, attached screenshot.

And I tried to fw ctl zdebug + drop | grep 202.38.134.236 ,but no found.

Do we have any specific setting relevant SMTP on R80.X verion and above ?

Re: Enabling SMTP port for mail security appliance in the DMZ

PhoneBoy — Tue, 21 Jan 2020 01:52:25 GMT

Still no attachments.
Retransmissions are usually indicative of lower-level networking issues.
If you experience the issue in R80.10 but not in R75.47 with the same hardware, it could easily be network driver related.
Please engage with the TAC on this issue.