This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PRICE_ETIENNE
Explorer
‎2019-09-30 07:38 AM

Enabling SMTP port for mail security appliance in the DMZ

Is there a reason why a mail security appliance that's located at the DMZ cannot send mail to outside of my organization? Port 25 is enabled on the firewall. SmartView tracker does not show dropped smtp traffic from the host. Even a simple telnet from the appliance on port 25 is dropped.

Any suggestion would greatly be appreciated.

Thanks

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2019-10-01 04:02 PM

Does a tcpdump show the traffic even entering the Security Gateway?
0 Kudos
PRICE_ETIENNE
Explorer
‎2019-10-02 06:03 AM
In response to PhoneBoy

It does not look like the traffic is leaving the firewall. All I see on the tcpdump is TCP Retransmission error to the destination SMTP server. 

Ex.

6 30.999253 21.168.1.101 173.194.204.26 TCP 74 [TCP Retransmission] 34749 → 25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1483731605 TSecr=0 WS=4

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-10-02 06:23 AM
In response to PRICE_ETIENNE

What about the access policy rule for DMZ with service SMTP ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-02 10:30 AM
In response to PRICE_ETIENNE

This probably needs some fw ctl debug to see where it's getting dropped in the process.
Something like fw ctl debug -m fw + drop with all the other necessary commands.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Dale_Lobb
Advisor
‎2019-10-02 01:48 PM

Check SmartLog for Anti-Bot blade entries calling out possibly malicious e-mail or SPAM from your DMZ appliance. 

The situation sounds somewhat similar to another community discussion we are having:  "Having issues with firewall dropping mail as spam"  https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Having-issues-with-firewall-droppin...

 

0 Kudos
weimin
Employee Alumnus
Employee Alumnus
‎2020-01-20 06:06 AM
In response to Dale_Lobb

How about this issue ? I met the SMTP issue after upgrade R80.10 from R75.47.  

This issue cased a lot of email have been delayed, even some emails can’t be received. It affects customer’s business seriously.

  I tried to capture packet form new appliance, no found abnormal SMTP traffic. After rollback to old checkpoint appliance, the SMTP traffic is normal. 

New appliance only enable firewall blade. 

I have uploaded capture traffic, the traffic is not normal in red. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-20 02:30 PM
In response to weimin

No attachments to your post.
Also, if it's firewall only (no other blades), this should be a relatively simple issue to troubleshoot.
What precise rules (provide screenshot) are being used to permit access via SMTP?
0 Kudos
weimin
Employee Alumnus
Employee Alumnus
‎2020-01-20 04:36 PM
In response to PhoneBoy

I have the policy that any to mail serve ip address service any policy.  See attached screenshot. 

Mail server ip: 202.38.134.236 , Tcpdump found lot of retransmission, attached screenshot.  

And I tried to fw ctl zdebug + drop | grep 202.38.134.236 ,but no found. 

Do we have any specific setting relevant SMTP  on R80.X verion and above ? 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-01-20 05:52 PM
In response to weimin

Still no attachments.
Retransmissions are usually indicative of lower-level networking issues.
If you experience the issue in R80.10 but not in R75.47 with the same hardware, it could easily be network driver related.
Please engage with the TAC on this issue.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events