Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PRICE_ETIENNE
Explorer

Enabling SMTP port for mail security appliance in the DMZ

Is there a reason why a mail security appliance that's located at the DMZ cannot send mail to outside of my organization? Port 25 is enabled on the firewall. SmartView tracker does not show dropped smtp traffic from the host. Even a simple telnet from the appliance on port 25 is dropped.

Any suggestion would greatly be appreciated.

Thanks

0 Kudos
9 Replies
PhoneBoy
Admin
Admin

Does a tcpdump show the traffic even entering the Security Gateway?
0 Kudos
PRICE_ETIENNE
Explorer

It does not look like the traffic is leaving the firewall. All I see on the tcpdump is TCP Retransmission error to the destination SMTP server. 

Ex.

6 30.999253 21.168.1.101 173.194.204.26 TCP 74 [TCP Retransmission] 34749 → 25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1483731605 TSecr=0 WS=4

0 Kudos
G_W_Albrecht
Legend
Legend

What about the access policy rule for DMZ with service SMTP ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

This probably needs some fw ctl debug to see where it's getting dropped in the process.
Something like fw ctl debug -m fw + drop with all the other necessary commands.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Dale_Lobb
Advisor

Check SmartLog for Anti-Bot blade entries calling out possibly malicious e-mail or SPAM from your DMZ appliance. 

The situation sounds somewhat similar to another community discussion we are having:  "Having issues with firewall dropping mail as spam"  https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Having-issues-with-firewall-droppin...

 

0 Kudos
weimin
Ambassador
Ambassador

How about this issue ? I met the SMTP issue after upgrade R80.10 from R75.47.  

This issue cased a lot of email have been delayed, even some emails can’t be received. It affects customer’s business seriously.

  I tried to capture packet form new appliance, no found abnormal SMTP traffic. After rollback to old checkpoint appliance, the SMTP traffic is normal. 

New appliance only enable firewall blade. 

I have uploaded capture traffic, the traffic is not normal in red. 

0 Kudos
PhoneBoy
Admin
Admin

No attachments to your post.
Also, if it's firewall only (no other blades), this should be a relatively simple issue to troubleshoot.
What precise rules (provide screenshot) are being used to permit access via SMTP?
0 Kudos
weimin
Ambassador
Ambassador

I have the policy that any to mail serve ip address service any policy.  See attached screenshot. 

Mail server ip: 202.38.134.236 , Tcpdump found lot of retransmission, attached screenshot.  

And I tried to fw ctl zdebug + drop | grep 202.38.134.236 ,but no found. 

Do we have any specific setting relevant SMTP  on R80.X verion and above ? 

 

 

0 Kudos
PhoneBoy
Admin
Admin

Still no attachments.
Retransmissions are usually indicative of lower-level networking issues.
If you experience the issue in R80.10 but not in R75.47 with the same hardware, it could easily be network driver related.
Please engage with the TAC on this issue.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events