This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrew-OCD
Contributor
‎2024-04-30 02:40 AM
Jump to solution

Configuring Check Point Gateway to act as SMTP proxy/relay

Dear CheckMates,

I am in the process of trying to replace a SOPHOS UTM with a Check Point 6400 appliance cluster.

Currently the SOPHOS is acting as an SMTP proxy/relay and the customer would like to have the Check Point take over this functionality.

I have so far not been able to clearly identify how to achieve this.

There is no mail server on the internal side that we can use. For the outgoing SMTP traffic the idea is to NAT the traffic to a dedicated IP address for the purposes of DMARC and other authorisation based on the SMTP IP address.

I was looking into the MTA option in the config but this is clearly more oriented towards acting as a man-in-the-middle between the external MTA and the Internal Mail Server.

Any suggestions would be greatly appreciated.

Best regards,

Andrew

 

Labels
0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-05-01 08:41 AM
In response to Andrew-OCD
Jump to solution

Our MTA is provided in the context of our Threat Prevention/DLP Features and uses Postfix.
You can edit the configuration as appropriate to support such a configuration: https://support.checkpoint.com/results/sk/sk101870 
Whether this configuration would be formally supported is a separate question.

View solution in original post

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-05-02 02:20 AM
In response to PhoneBoy
Jump to solution

you don't have to change much, there is not one internal exchange server but many server using SMTP with an "open" MTA (use custom interfaces, not all external) and the forwarding Mail server is external.

It should work.

 

View solution in original post

0 Kudos
7 Replies
JP_Rex
Collaborator
Collaborator
‎2024-04-30 04:08 AM
Jump to solution

ATRG: Mail Transfer Agent (MTA) (checkpoint.com)

 

The MTA is part of the Content Awareness 

Regards

Peter

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-04-30 04:17 AM
In response to JP_Rex
Jump to solution

And in the Current Documentation:
Configuring the Security Gateway as a Mail Transfer Agent (checkpoint.com)

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-04-30 04:29 AM
Jump to solution

Hello Andrew,

the question is how do the Clients communicate with there Mailbox servers? And how do they send E-Mails. O365 uses https not smtp. Were are the Mailbox Servers?

Can you post a topology overview?

 

Regards

 

Peter

0 Kudos
Andrew-OCD
Contributor
‎2024-05-01 08:13 AM
In response to JP_Rex
Jump to solution

The devices in the internal VLANs do not use a mail server because they use outgoing SMTP only (e.g. Scan to email device), in the past they had the SOPHOS as their mail server and it acted as a Proxy/Relay and handled the smtp traffic directly off the devices. When the message was being transferred to the outside world it would have a dedicated NAT IP address associated with all outgoing SMTP traffic so that the upstream mail servers would recognise it in their DMARC verification and if they used any IP based filtering for inbound smtp.

Preview file
41 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-01 08:41 AM
In response to Andrew-OCD
Jump to solution

Our MTA is provided in the context of our Threat Prevention/DLP Features and uses Postfix.
You can edit the configuration as appropriate to support such a configuration: https://support.checkpoint.com/results/sk/sk101870 
Whether this configuration would be formally supported is a separate question.

0 Kudos
JP_Rex
Collaborator
Collaborator
‎2024-05-02 02:20 AM
In response to PhoneBoy
Jump to solution

you don't have to change much, there is not one internal exchange server but many server using SMTP with an "open" MTA (use custom interfaces, not all external) and the forwarding Mail server is external.

It should work.

 

0 Kudos
Andrew-OCD
Contributor
‎2024-08-02 02:17 AM
In response to JP_Rex
Jump to solution

Thanks guys for your suggestions and help/support.

In the end the customer did not want to take any chances with the solution being not supported so I persuaded them to re-architect their solution and use an internal mail relay server which conformed to their internal security guidelines.

Again much appreciated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events