1000 Views 6 Replies Latest reply: Mar 28, 2013 12:42 PM by grinder
grinder Apprentice 102 posts since
Feb 8, 2013

Mar 25, 2013 2:12 PM

SMTP Relay?

Can the firewall be used as an SMTP relay from inside on the LAN going outbound to the internet? Our corporate email server is hosted in the cloud and is not part of our internal network. But we do have devices like printers and some applications that require an SMTP server. Currently we just have a server (Windows) with the SMTP feature enabled and point all of the devices to it. However, if the firewall can act as an SMTP relay, I would rather use that and only allow it from the internal to the external. We have no reason for SMTP to be coming in. If this can be done, how do you go about setting it up?

Thanks.

  • PhilM Champion 528 posts since
    Jan 7, 2010
    1. Mar 26, 2013 3:51 AM (in response to grinder)
    Re: SMTP Relay?

    The firewall is capable of running either as a relatively simple SMTP relay or (using sendmail) as a full-fat MTA.

    Since v7-ish the default is to use the simpler SMTP proxies (whereas earlier releases started off in full sendmail mode). You cannot use both on the same zone, so you need to decide which option is best for you.

    In v8 the option to change operating mode is somewhat hidden away: Policy --> Application Defenses --> Defenses --> Sendmail --> click on the Sendmail Properties button and then, in the resulting window, click "Reconfigure Mail".

    If you don't need a full MTA, an outbound access rule using the SMTP service will be sufficient. It is one of the services that can be controlled by an Application Defense, so there are all manner of SMTP-related settings you can apply.

    If your corporate server is hosted in the cloud, why not create an outbound SMTP rule and simply point the hosts on your internal network at the external hostname or IP address of your cloud service?

  • PhilM Champion 528 posts since
    Jan 7, 2010
    3. Mar 26, 2013 11:54 AM (in response to grinder)
    Re: SMTP Relay?

    Ah, the mention of authentication on the cloud service is likely to scupper you, I think.

    Certainly the transparent SMTP option won't offer authentication, and I don't think (though I've never had to try it) sendmail does either.

    The only way I could see it working is if the client applications themselves supported SMTP authentication; then you could use transparent SMTP to let the protocol through. But, as I mentioned in my initial reply, you can configure the firewall for either sendmail or transparent SMTP. You can't have both running on the same zone.

    Your best option for an authoritative response would be to raise a service request directly with McAfee support, just to be certain.

    -Phil.

  • packetmonkey Newcomer 22 posts since
    Mar 1, 2013
    5. Mar 27, 2013 2:51 PM (in response to grinder)
    Re: SMTP Relay?

    Hi,

    Yes, you can relay through the firewall (it basically runs two sendmail daemons when in secure split mode).

    Take a look at the admin manual around page 428, where it talks about configuration files for sendmail. I think the one you need is the access table, which determines which IPs can relay.

    Sometimes, if you have a different sending machine from the receiving system (a cloud-based provider), you need to make sure the reverse DNS is sorted; otherwise messages are dropped by many email filters.

    For example, the provider MX is mail.biz.com for domain biz.com with IP 100.100.100.100, and your office firewall is 200.200.200.200.

    Because your firewall may be sending, you need to ensure that the reverse DNS for 200.200.200.200 maps to mail.biz.com to keep some systems happy.

    If your setup is just for printer alerts and other things to staff in your domain (joe@biz.com), then you are not really relaying, as your host provider will happily accept email for that domain. It becomes trickier when you want to use applications that might email 3rd-party domains (place orders, stock management system, etc.).

    To me the easiest solution would be to avoid the split sendmail setup, use the simpler proxy rules and run an internal server (Linux or FreeBSD if cost is an issue) to relay all your internal mail through. Don't forget to make the reverse DNS settings match as above, secure that system, and ensure only that single internal system can SMTP through your firewall.

    All the best,

    on 27/03/13 14:51:32 CDT
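As an added example (not from the post, and not McAfee's or sendmail's own code), here is a small Python model of the sendmail access-table lookup packetmonkey refers to, run over a constructed table that lets only one hypothetical internal relay host (10.1.2.25) relay while refusing the rest of the LAN; the addresses, prefixes and table contents are all assumptions.

```python
"""Decide which connecting hosts a sendmail access table lets relay.

Added example, not from the forum post. The table below is constructed
to mirror the "single internal relay host" setup recommended above.
"""
from __future__ import annotations
from typing import Optional

# Constructed access table in sendmail's /etc/mail/access "key value"
# syntax. "Connect:" keys match the connecting client's IP address and
# sendmail tries the most specific (longest) dotted prefix first.
# Lines starting with '#' are comments, as in the real file.
ACCESS_TABLE = """\
# key                        value
Connect:127.0.0.1            RELAY
# hypothetical internal relay host: the only LAN box allowed to relay
Connect:10.1.2.25            RELAY
# everything else on the LAN is refused
Connect:10.1.2               REJECT
Connect:10.1                 REJECT
"""


def parse_access_table(text: str) -> dict[str, str]:
    """Parse 'key value' lines, ignoring blank lines and '#' comments."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key] = value.strip().upper()
    return table


def lookup(table: dict[str, str], client_ip: str) -> Optional[str]:
    """Return the action for client_ip using longest-prefix matching.

    Simplification (assumption): only IPv4 keys with an optional
    'Connect:' tag are handled; real sendmail also matches hostnames,
    From:/To: tags and FEATURE(...) options.
    """
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        prefix = ".".join(octets[:n])
        for key in (f"Connect:{prefix}", prefix):
            if key in table:
                return table[key]
    return None  # no entry: sendmail applies its default (no relaying)


def may_relay(table: dict[str, str], client_ip: str) -> bool:
    """Only an explicit RELAY entry permits relaying; anything else is denied."""
    return lookup(table, client_ip) == "RELAY"
```

Run `may_relay(parse_access_table(ACCESS_TABLE), ip)` for a few LAN addresses to see that only the designated relay host gets through.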
