Hello Everyone,
I have a lab environment as attached.
I have 4 security gateways IP addresses:
10.0.0.8
10.0.0.9
10.0.0.10 (LAN is 192.168.30.x) - Main
They are all in a star VPN site-to-site community, and 10.0.0.10 is the main gateway.
I have another open server only for Threat emulation just for scanning e-mails with IP address 192.168.30.4 connected to the main gateway LAN network.
I have enabled MTA on the main security gateway that is sending the emails to Threat Emulation VM.
I have also created an MX record on my DNS server that points to the main gateway and an A record for mail.x.x that points to the mail server.
I imported an Exchange certificate to the mail gateway and enter key is needed to enable SMTP/TLS without implied rule (I saw it needs to be disabled, and disabled by CLI), and yet no emails have arrived at the main gateway used as MTA.
Please help.
My whole network is in a lab environment.
Any logs if you filter for threat emulation blade? Your config seems fine to me, but not MTA expert, so maybe better wait for someone else more familiar with it to give their insight.
Hi the_rock,
Thanks for replying to me back but there aren't any logs,
Is there a connection between my Site 2 Site? I saw in some posts a suggestion to disable SMTP in the implied rules and I did but still not working.
Some more information is needed.
How about the message flow between your systems?
Is the postfix running on your gateway?
Telnet to port 25 on your gateway to the MTA IP address should be answered if MTA is running.
You wrote something regarding implied SMTP rules, which rules ?
Hello @Wolfgang and thank you for replying to me back,
Regarding your questions:
How about the message flow between your systems? - Can you explain specifically what you mean?
Is the postfix running on your gateway? - Yes, I confirmed it by seeing that my gateways are listening on port 25 from all addresses.
Telnet to port 25 on your gateway to the MTA IP address should be answered if MTA is running. - My gateways answered telnet on port 25.
You wrote something regarding implied SMTP rules, which rules ?
/*#define ENABLE_SMTP_TO_GW*/ - this implied rule I've disabled
/*#define ENABLE_SMTP_TO_GW*/ - this implied rule I had to disable so that LDAP will go through the site-to-site tunnel
You wrote you disabled the implied SMTP rules, but next you wrote something about LDAP. It's a little bit confusing.
You can test your MTA using telnet. As an example of how to do it, follow "Use Telnet to test SMTP communication on Exchange servers".
If the sending of messages is working via telnet, you have to check the rest of your environment which is responsible for the mail flow. Also, it's not clear to me which role the VPN is playing, and why did you disable the implied SMTP rule?
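The telnet check on port 25 discussed above only proves that something answers. As an added example (not part of the thread and not Check Point code), this Python probe reports how far the SMTP handshake gets and whether STARTTLS is offered and succeeds with certificate verification on. The function name `probe_mta`, the HELO name `probe.lab.example` and the optional `cafile` argument are assumptions.

```python
import smtplib
import ssl
import sys

HELO_NAME = "probe.lab.example"  # assumed name announced in EHLO


def probe_mta(host, port=25, timeout=5.0, try_tls=True, cafile=None):
    """Report the last SMTP handshake stage the MTA at host:port completed."""
    result = {"stage": "connect", "extensions": [], "starttls_offered": False,
              "tls_version": None, "error": None}
    smtp = None
    try:
        # Stage 1: TCP connect plus the 220 greeting (what telnet shows);
        # the constructor raises if either one is missing.
        smtp = smtplib.SMTP(host, port, local_hostname=HELO_NAME,
                            timeout=timeout)
        result["stage"] = "greeting"
        # Stage 2: EHLO; the reply lists the extensions the MTA offers.
        code, reply = smtp.ehlo()
        if code != 250:
            raise smtplib.SMTPHeloError(code, reply)
        result["stage"] = "ehlo"
        result["extensions"] = sorted(smtp.esmtp_features)
        result["starttls_offered"] = smtp.has_extn("starttls")
        # Stage 3: STARTTLS with certificate verification left on, so an
        # untrusted or mismatched certificate is reported, not ignored.
        if try_tls and result["starttls_offered"]:
            ctx = ssl.create_default_context(cafile=cafile)
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            result["stage"] = "starttls"
        smtp.quit()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    # Usage: python probe_mta.py <gateway-ip> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in probe_mta(target, target_port).items():
        print(f"{key}: {value}")
```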
Sorry if it wasn't clear,
I had to disable the LDAP in the implied rules because I have a DC located in the 192.168.20.x subnet behind a Check Point firewall. In the beginning the LDAP wasn't working, and I read a lot about it, and it was because it didn't go through the VPN tunnel between the sites, since it was accepted in the implied rules first without encryption. Hope this finds you well now 🙂
Regarding the MTA, I did some troubleshooting and I have attached the error that I get. I will appreciate it if you can take a look.