6 Replies Latest reply: Mar 28, 2013 12:42 PM by grinder RSS

    SMTP Relay?

    grinder

      Can the firewall be used as a SMTP relay from inside on the LAN going outbound to the internet?  Our corporate email server is hosted in the cloud and is not part of our internal network.  But we do have devices like printers and some applications that require a SMTP server.  Currently we just have a server (Windows) with the SMTP feature enabled and point all of the devices to it.  However if the firewall can act as a SMTP relay I would rather use that and only allow it from the internal to the external.  We have no reason for SMTP to be coming in.  If this can be done how do you go about setting it up?

       

      Thanks.

        • 1. Re: SMTP Relay?
          PhilM

          The firewall is capable of running either as a relatively simple SMTP relay or (using sendmail) as a full-fat MTA.

           

          Since v7-ish the default is to use the simpler SMTP proxies (whereas earlier releases started off in full sendmail mode). You cannot use both on the same zone, so you need to decide which option is best for you.

           

          In v8 the option to change operating mode is somewhat hidden away - Policy --> Application Defenses --> Defenses --> Sendmail --> click on Sendmail Properties button and then, in the resulting window click "Reconfigure Mail"

           

          If you don't need a full MTA, an outbound access rule using the SMTP service will be sufficient - it is one of the services that can be controlled by an Application Defense so there are all manner of SMTP-related settings you can apply

           

          If your corporate server is hosted in the cloud, why not create an outbound SMTP rule and simply point the hosts on your internal network at the external hostname or IP address of your cloud service?

          • 2. Re: SMTP Relay?
            grinder

            We are running v8.3  By default the Split Server (full sendmail mode) is enabled.  The other choice is transparent mode which I believe just allows SMTP passthru as long as there is a rule defined to allow it.  I do not believe our cloud email server will accept anonymous email relay and some of our devices internally do not have settings for an actual user name and password to logon to the email server so that is why we just setup a simple internal SMTP server to send mail out from those devices.  I am wondering can I point those devices at the firewall IP and have it be the SMTP relay to send mail out.  If so what is the configuration needed to do that?  Hope that makes sense.

            • 3. Re: SMTP Relay?
              PhilM

              Ah - the mention of authentication on the cloud service is likely to scupper you, I think.

               

              Certainly the transparent SMTP option won't offer authentication and I don't think (though I've never had to try it) sendmail does either.

               

              The only way I could see it working is if the client application themselves supported SMTP authentication and then you could use transparent SMTP to let the protocol through. But, as I mentioned in my initial reply you can configure the firewall to sendmail or transparent SMTP. You can't have both running on the same zone.

               

              Your best option for an authoritative response would be to raise a service request directly with McAfee support, just to be certain.

               

              -Phil.

              • 4. Re: SMTP Relay?
                grinder

                Will do thanks for the help

                • 5. Re: SMTP Relay?
                  packetmonkey

                  Hi,

                   

                  Yes you can relay through the firewall (it bascally runs two sendmail daemons when in secure split mode).

                   

                  Take a look at the admin manual around page 428 where it talks about configuration files for sendmail - think the one you need is the access table which determines which IPs can relay.

                   

                  Sometimes if you have a different sending machine from the receiving system (a cloud based provider) you need to make sure the reverse DNS is sorted otherwise they are dropped by many email filters.

                   

                  For example provider MX is mail.biz.com for domain biz.com with IP 100.100.100.100 and your office firewall is 200.200.200.200.

                   

                  Because your firewall may be sending you need to ensure that the reverse DNS for 200.200.200.200 maps to mail.biz.com to keep some systems happy.

                   

                  If your setup is just for printer alerts and other things to staff in your domain (joe@biz.com) then you are not really relaying as your host provider will happily accept email for that domain. Becomes trickier when you want to use applications that might email 3rd party domains (place orders, stock management system etc).

                   

                  To me the easiest solution would be to avoid the split sendmail setup, use the simpler proxy rules and run an internal server (Linux or FreeBSD if cost is an issue) to relay all your internal mail through. Don't forget to make the reverse DNS settings match as above and secure that system and ensure only that single internal system can SMTP through your firewall.

                   

                  All the best,

                   

                  on 27/03/13 14:51:32 CDT
                  • 6. Re: SMTP Relay?
                    grinder

                    Thanks for the insight. I agree just keeping my SMTP server going is the easiest way to go.