Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Adrian_Bawn
Participant

MTA configuration examples

Hi all, I have been looking around and I don't seem to be able to find a direct answer to my issue so I figure I will need to post the question.

Is there a suggested configuration for how to setup mail-flow through checkpoint gateways including TLS etc.

I am trying to find examples of full bi-directional mail-flow however most examples seem to only show configuration for inbound mail.  With the assumption that outbound mail is just delivered directly out from the internal mail server.  

My problem is this:  

The standard configuration i can find is that inbound mail flow is delivered via the MX for the domain to the MTA on the gateway, and then forwarded to the relevant internal mail server via the mail forwarding rules.  That part makes sense.  

   Internet > CP Gateway > Internal Mail server

However for outbound mail, if I configure my internal mail server to forward via the gateway, how does the gateway deal with mail not on a domain listed in the forwarding rules?    

I know you can configure a wildcard domain of "*" and specify a next hop, however what if you don't have a next hop?  Our mail server currently delivers directly via MX lookup.  There seems to be no explanation anywhere on how to configure that on CP.  Or is this just "default behavior"?

10 Replies
PhoneBoy
Admin
Admin

Moving this into the https://community.checkpoint.com/community/threat-prevention?sr=search&searchId=0b5cdcff-2572-4bba-a...‌ space because the MTA primarily exists for this purpose at the moment.

I believe the MTA is primarily concerned with inbound email, which is why all the configuration examples speak to that.

I will ask around about outbound support.

I know we are looking at enhancing our MTA in general in later releases. 

G_W_Albrecht
Legend Legend
Legend

if you read sk109699 ATRG: Mail Transfer Agent (MTA)  you see the option to use Check Point MTA as an internal MTA. This MTA receives e-mails from a preliminary MTA and sends them to the next hop, usually the internal mail server.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Adrian_Bawn
Participant

Sorry Günther, but that just confirms my point.  I know how to configure the MTA for inbound email.  That point is not in question, and the "next hop" is known as that will be our internal mail server.

My point is that previously our mail filter was our "last hop" before the internet on our outbound mail route, so it did MX resolution itself.  From all the documentation I can find, including SK109699, I cannot see any method of configuring checkpoint MTA to do this.  Only to setup a wildcard domain, with a next hop.

Dynamically resolved next hop for the MTA

By default, in versions R80 and lower, there is no option to dynamically resolve the next hop for redundancy/load sharing.
The next hop should be a host with a static IP address.

This quote from SK109699 seems to imply that while the gateway cannot do this in standard configuration, there might be some way to alter it to achieve the desired result.  If this means having a non-standard configuration (that then has issues with software updates etc) then thats less than ideal so we will have to find another way around the problem.  Likely a 3rd party external mail relay to act as our "next hop".  But this seems entirely unnecessary.

G_W_Albrecht
Legend Legend
Legend

My idea was to use CP MTA as an internal MTA, where a preliminary MTA forwards SMTP to CP MTA, but outgoing emails otherwise. I do know a lot of CP GW installs where an internal mail server is used and incoming as well as outgoing emails work as expected.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Amir_Kamer
Employee Alumnus
Employee Alumnus

Hi Adrian,

What is the purpose of scanning outgoing emails, do you want DLP scan or you want TE will scan outgoing emails too?

Adrian_Bawn
Participant

Both.  DLP scan to ensure none of our sensitive data leaks out of the network.  TE to maintain our reputation. Should a virus or malware make it into our system through alternative routes (like USB drive) we don't want to be seen to be spreading it to our customers.

Gomboragchaa
Advisor

Can the DLP blade inspect email without MTA? Some customer using G-Suite or other business email services.

How can we detect email?

PhoneBoy
Admin
Admin

DLP on a local Security Gateway can only potentially see the web traffic, but won't be able to scan email sent through G-Suite or Office 365.

However, using some of our CASB partners like Avanan and Managed Methods, this can be done.

Calvin_Townsend
Explorer

We had a similar question and were told that outbound isn't supposed to be configured just because and an obscure sk was pointed to as the authority.  I will say that our design was to have all our mail come in from a cloud-based SMTP service which would perform the first round of filtering for us.  Since our inbound was known, we wanted to limit with firewall rules which IP addresses can deliver on SMTP. But it looks like there are no rules applied when MTA is on and the gateway picks up smtp.  This is important, becaue you wanted to make an outbound next hop of the Internet for "*" all domains.  I think if you were successful with that setting you would have an effective open relay that the whole world could use to send spam from.

With the MTA settings, you could listen on specific interfaces e.g. internal, external.  But you can't set different rules for different interfaces.

I look forward to the stated goal of improvements to the MTA product.

Pablo_Barriga
Advisor

Do you have any information for sizing MTA on the Gateway?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events