This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2020-01-09 05:46 AM

MTA first tier or not

We currently have our MTA as first tier, and in sk114034 it is stated that this is not recommended.

 

We see the problems indicated, like invalid recipients not being detected. 

Instead of just following the non-recommended solution, I wanted to know how other have their MTA and mail servers configured, and set up topology wise.

We use the checkpoint gateway as the first tier, and a secondary spam server as second tier, and then our mail server.

Do you have an additional spam filtering server in front of the firewall? how do you handle this?

0 Kudos
7 Replies
Chris_Atkinson
Employee Employee
Employee
‎2020-01-09 07:21 AM

We see both, can depend if this is a perimeter gateway or dedicated TE appliance performing the MTA role. 
(That said cloud hosted anti-spam services are common place, naturally these are outside... )

Historically the recommended topology helped to mitigate the risk of RBL / Back scatter challenges and help manage potential sizing constraints.

To your point avoiding system resources being consumed by unnecessary scanning / emulations due to processing of mail with spoofed sender addresses or lack of recipient verification is the way to go.

 

CCSM R77/R80/ELITE
0 Kudos
NorthernNetGuy
Advisor
‎2020-01-09 10:41 AM
In response to Chris_Atkinson

We're running our checkpoint device with all blades enabled. our second anti spam is hosted internally.

 

I'm just wondering if I should put our second anti spam outside of the firewall, in which case I'd want to assign it it's own public IP and ensure it is hardened. I'm not sure if alternatively I could pass the mail directly to the internal anti spam, on the DMZ, for it to then pass back to the firewall to process with the MTA, to hand off to the exchange.

 

I'm mostly cautious of enabling VRFY on our internal exchange server for the MTA to query for recipient verification.

0 Kudos
Benedikt_Weissl
Advisor
‎2020-01-10 03:18 AM
In response to Chris_Atkinson

Are there any plans to implement recipient verification soon?
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-01-10 03:36 AM
In response to Benedikt_Weissl

A quick search returns sk142433 but will enquire further and revert here.
CCSM R77/R80/ELITE
0 Kudos
Benedikt_Weissl
Advisor
‎2020-01-10 03:49 AM
In response to Chris_Atkinson

That was quick, thank you! It would be great if one could use the data provided by identity awareness (i.e. ad-attributes) to verify incoming mails, maybe even apply different mail security settings depending on the recipients ad-group.
0 Kudos
NorthernNetGuy
Advisor
‎2020-01-10 04:39 AM
In response to Chris_Atkinson

That is one of the most poorly written SK's I've seen. I've submitted some feedback on it.

I'm not sure why the gateway can't just do ldap lookups or use it's relationship with active directory to do address verification, it seems almost every other product can do it.

We're going to look into a third party spam appliance to put at our perimeter, as suggested by checkpoint best practices. Hopefully checkpoint can become self sufficient in this area eventually.

0 Kudos
Institut_fuer_R
Participant
‎2020-06-08 07:00 AM
In response to NorthernNetGuy

I also wish CheckPoint would improve on that subject.. Are there any news?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top