The first step is to run ./fwconfig in $FWDIR/bin. Select the option “SMTP Server”, and you will be presented with a list of the default parameters:

    Following are the current values of the SMTP Server configuration:
    timeout: 900
    scan_period: 1
    resend_period: 600
    abandon_time: 432000
    maxrecipients: 100
    rundir: /var/fwspool
    postmaster: postmaster
    default_server:
    error_server:
    Would you like to modify the above configuration (y/n) [y] ?

For now, let’s select “N(o)” and Exit. I will take a few moments to explain what each of the above lines means:
timeout: the value in seconds after which a connection to the SMTP Security Server will time out. (default is 900)

scan_period: determines how frequently the spool directory (usually /var/fwspool) is scanned. (default 1)

resend_period: determines how long the SMTP server should wait before resending messages that have failed to deliver. (default 600)

abandon_time: the number of seconds after which the SMTP server abandons attempts to resend. (default 432000)

maxrecipients: the number of recipients permitted for a single message. (default 20)

rundir: where the SMTP files are written (essentially, your mail queue directory). (default is /var/fwspool, but you can set this to another partition where you have adequate disk space)

postmaster: the address to which error messages are sent. (default is postmaster)

default_server: the server which actually runs the sendmail application. (Note: this is usually set to the server to which you will relay the mail after the firewall receives it, for example 192.168.10.30.)

error_server: the server that will receive any error messages generated from processing the mail. (For example: 192.168.10.30.)
Once you have decided on the values for the above fields, re-run $FWDIR/bin/fwconfig, choose “SMTP Server” under the “Configuration Options”, and select “Y(es)” to modify the configuration. Enter the values you desire, and Exit.

Tip: For those of you who are experienced with Firewall-1, you may manually edit the file $FWDIR/conf/smtp.conf, which is an ASCII file of the above values. Make sure you make a backup copy of the file first!
Step 1: Creating A Resource for the SMTP Security Server

The next step is to create a rule in the Firewall policy that will allow SMTP traffic inbound and apply the various security parameters you decide to enable. Start the Checkpoint Policy Editor, and from the Toolbar select “Manage”, choose “Resources”, select New, SMTP, and you will be presented with the following dialog box:

In the Name: box, enter something to identify this resource; typically it would be your mail server’s DNS name.

In the Mail Server: box, enter the IP address of your mail server, that is, the IP address of the server that is running sendmail and will deliver the mail the firewall processes. This should match what you put in the “default_server” field in the smtp.conf file.

In the Error Handling Server: box, enter the IP address of a server which will receive any errors from processing the mail. Typically this is the same as your “Mail Server” box, and should match what you put in the “error_server” field in the smtp.conf file.

For Exception Track: set this to “Log”. This will enable us to see anything this resource processes in the Firewall’s logs.

Check the box labelled “Notify Sender on Error”.

Your final completed dialog box should look like this:
The next step is to click the “Match” tab at the top of this new resource. You will see a dialog box with “Sender” and “Receiver” in it. Make sure there is an asterisk (*) in each box. The purpose of these 2 fields is to allow you to limit the From: field and To: field in the messages you will receive. You have effective spam control this way, by limiting who can receive messages through your firewall. The Receiver box can specify your entire DNS domain, an individual email address, or a collection of domains by using wildcards. (For help on using wildcards, click the Help dialog box under the “Match” tab.) For now, leave an asterisk (*) in the Sender field, and in the Recipient field specify *@*.mycompany.com, where mycompany.com is your company’s domain name. We’ll use this to test the anti-relay feature later.

The next step is to click the “Action1” tab at the top of the resource. This dialog presents some rule rewriting capability. It allows you to perform modifications on the Sender, Recipient and any other field in the email message header after it is processed by the firewall and before it is sent to your mail server. For now, leave all fields untouched (blank).

Click the next tab, labelled “Action 2”. This is the dialog box we are interested in; it gives you the most control over how you will receive mail and what you will do with it before passing it to your user community. I will go through a brief explanation of the fields here:
Strip MIME of type: You can strip certain attachments included in emails received by the firewall. For a list of supported MIME types, see: http://www.mime-types.com/data/MIME_LIST_COMPREHENSIVE.txt For example, you could specify application/zip in the MIME type field to strip out ZIP files.

Don’t Accept Mail Larger Than: Specify a value here in KiloBytes (KB) as the maximum size of message you will allow the firewall to process. For now, set it to a value of 5000 (KB), which would be approximately 5MB. (default is 1000 (KB), or 1 Megabyte)

Tip!: For a good explanation of setting the size of mail messages, see the following link on PhoneBoy’s site: http://www.phoneboy.com/fw1/faq/0313.html

CVP: This allows you to specify whether any mail will be sent to an OPSEC-compliant Anti-Virus Scanning Server (such as E-Safe) which will screen and remove any viruses from your email before the firewall passes it to your user community. This requires that you define a CVP server object. For now, leave this value set to None.

Allowed Characters: This defines whether 8-bit ASCII characters or only 7-bit (no control) characters are permitted. Again, leave this at the default.

Your completed dialog box should look like this:

Click OK, close the Resources box, and you should be back in your Firewall policy.
Step 2: Creating A Rule to permit Inbound SMTP Traffic using the Security Server

Now that we have created our resource, we’re ready to create a rule to permit inbound SMTP to our firewall using the SMTP Security Server and the parameters we have chosen to enforce.

Open your Firewall Policy through the GUI interface, and click the very first rule in your policy so it is highlighted. It is best practice to add resource rules at the top of the policy, so we will proceed to do that in this example. From the Toolbar, click Edit, Add Rule, Top.

In the Source field, leave the source at “Any”. In practice, you may want to limit this to certain network objects and ranges. For the purposes of this document and for testing, we will leave it at Any.

In the Destination field, specify an object containing the external address of your firewall. Generally, this is the external routable interface of the firewall that is connected to the Internet. If you don’t have an object created for this, you can easily right-click in the Destination field, choose Add, New, Workstation, and create an object called “external_interface”. Put the IP address of the firewall’s external interface in this object, set Location to Internal, Type to Host, and leave everything else at the defaults. Click OK to return to the policy, right-click in Destination and specify the object “external_interface”.

Tip!: For experienced FW-1 admins, you can specify multiple IP addresses that you have ARP’d out to the external physical interface of the firewall, and create multiple inbound SMTP Resource Rules, one for each ARP’d address. The purpose behind this can be to allow inbound mail to different DNS domains, with the MX records pointing to the different ARP’d addresses.

In the Service field, right-click, choose “Add with Resource” and pick smtp from the list. In the Resource box at the bottom of the dialog, pull down the resource you created earlier. In our example, we called this smtp1.

In the Action field, set this to “Accept”.

In the Track field, set this to “Long”.

Your completed rule should look like this:

Once you have completed this, save the policy and Exit. Do not Install the Policy. There are a few other steps we need to do before we install the policy.
There are a couple of other things we need to do first:

In the $FWDIR/conf directory, look at the following file: fwauthd.conf. Make sure the following line exists and is uncommented:

    25 in.asmtpd wait 0

If the line is not there or is commented out, then add or uncomment it, and recycle the Firewall using fwstop and then fwstart.

Next, make sure that the directory we defined as rundir in the $FWDIR/conf/smtp.conf file exists and has the proper permissions. Generally

    drwxr-xr-x 2 root system /var/fwspool

is adequate.
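The two checks above (the in.asmtpd line in fwauthd.conf and the rundir permissions) are easy to script so they can be repeated before every policy install. The following is an added example, not part of the original document or of Firewall-1 itself; it builds a constructed fwauthd.conf and spool directory under a temporary directory so it runs anywhere, and the file names and the "group or other writable" test are my assumptions about what "proper permissions" should mean, based on the drwxr-xr-x listing above. On a real firewall, call the functions with $FWDIR/conf/fwauthd.conf and the rundir from smtp.conf.

```shell
#!/bin/sh
# Added example (not from the original document): pre-install checks for the
# SMTP Security Server. Constructed input lives under a temporary directory.

# fwauthd_has_asmtpd FILE
# Succeeds (exit 0) when FILE contains an uncommented "25 in.asmtpd wait 0" line.
fwauthd_has_asmtpd() {
    grep -v '^[[:space:]]*#' "$1" |
      grep -q '^[[:space:]]*25[[:space:]][[:space:]]*in\.asmtpd[[:space:]][[:space:]]*wait[[:space:]][[:space:]]*0[[:space:]]*$'
}

# rundir_ok DIR
# Succeeds when DIR is a directory that is not writable by group or others,
# i.e. it matches the spirit of the drwxr-xr-x spool directory shown above.
rundir_ok() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. drwxr-xr-x
    case "$mode" in
        ?????w*|????????w*) return 1 ;;     # group (col 6) or other (col 9) writable
    esac
    return 0
}

# preflight FILE DIR
# Prints one line per check and finishes with "READY" or "NOT READY".
preflight() {
    status=READY
    if fwauthd_has_asmtpd "$1"; then
        echo "fwauthd.conf: in.asmtpd line present"
    else
        echo "fwauthd.conf: in.asmtpd line missing or commented out"; status="NOT READY"
    fi
    if rundir_ok "$2"; then
        echo "rundir: $2 exists with acceptable permissions"
    else
        echo "rundir: $2 missing, not a directory, or group/other writable"; status="NOT READY"
    fi
    echo "$status"
}

# --- constructed demo input (assumed layout, not copied from a real firewall) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
GOOD_CONF="$DEMO/fwauthd.good"
BAD_CONF="$DEMO/fwauthd.bad"
printf '# constructed fwauthd.conf\n21 in.aftpd wait 0\n25 in.asmtpd wait 0\n' > "$GOOD_CONF"
printf '# constructed fwauthd.conf with the SMTP line disabled\n#25 in.asmtpd wait 0\n' > "$BAD_CONF"
GOOD_SPOOL="$DEMO/fwspool";      mkdir "$GOOD_SPOOL"; chmod 755 "$GOOD_SPOOL"
BAD_SPOOL="$DEMO/fwspool_open";  mkdir "$BAD_SPOOL";  chmod 777 "$BAD_SPOOL"

preflight "$GOOD_CONF" "$GOOD_SPOOL"     # last line: READY
preflight "$BAD_CONF"  "$BAD_SPOOL"      # last line: NOT READY
```

A world-writable spool is the case worth catching: anyone with a local account could then drop or alter queued messages before the dequeuer picks them up, which is why the check rejects group- and other-writable directories rather than only testing that the directory exists.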
Now, re-enter your Policy Editor, and click on Policy Properties. Click the tab “Security Servers”. In the SMTP Welcome Message box, type a message that remote SMTP servers will see when they connect to your firewall. Typically, this is something like: Unauthorized Access Prohibited.
Step 3: Finishing Up & Testing

Click OK, and return to your policy. Verify that your ruleset contains the SMTP Resource rule we defined as the first rule. If everything verifies OK, Install the Policy, and open your Log Viewer. Set the width of the “Info” column to 1500. Go to the bottom of the log and watch traffic going through your firewall.

From another server, initiate a telnet connection to port 25 on your firewall. The Checkpoint Security Server should respond with the greeting message you defined in the Security Servers tab of the Firewall Properties. You should see something similar to this:

    Connected to firewall.yourcompany.com
    Escape character is '^]'.
    220 secure smtp rdy

If you look in your log, you should see a corresponding entry logged as “smtp” to your external interface (providing your routing and NAT rules make sense).

Telnet to the firewall itself and run a “ps -ef” or “ps -ax” command and observe the Firewall-1 SMTP Security Server process (in.asmtpd) and the corresponding mail dequeuer (mdq) which processes the mail from the spool. It should look like this:

    root 10490 10966 0 17:37:12 - 1:53 in.asmtpd 25
    root 12034 10966 1 00:12:22 - 8:33 mdq
If you see this, it means the SMTP Security Server is responding and ready to receive emails. All email destined for your SMTP Server will be intercepted by FireWall-1's SMTP Security Server. FireWall-1 will answer on behalf of your SMTP Server, scan the message to ensure it meets the conditions of the SMTP resource, and forward it to the mail server you specified in the resource.

If you are familiar with SMTP command syntax, you can try telnetting to port 25 of your firewall and using the HELO, MAIL FROM, RCPT TO, and DATA commands to send a test message. You can also try sending a message to a domain name other than the one you specified under “Recipient” under the Match tab in the resource. You should see the firewall say “Mailbox Unavailable” and the appropriate event will be logged in the Log Viewer. This is the anti-relay/spam feature provided by Firewall-1.
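Before running the relay test against the live firewall, it helps to know which addresses the Receiver pattern from the Match tab should accept and which it should refuse, so that a surprising result can be traced to the pattern rather than to the rule. The following is an added example, not from the original document and not Firewall-1's own matching code; it assumes the asterisk behaves as a simple wildcard (here, a shell glob), so confirm the exact semantics in the Help dialog under the Match tab as the document advises. The addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original document): local check of a Match-tab
# Receiver pattern. Assumes '*' behaves like a shell glob wildcard.

# recipient_allowed PATTERN ADDRESS
# Succeeds when ADDRESS matches PATTERN; the comparison is case-insensitive
# because mail domains are not case sensitive.
recipient_allowed() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$addr" in
        $pat) return 0 ;;     # unquoted so it is treated as a glob pattern
        *)    return 1 ;;
    esac
}

# pattern_is_open PATTERN
# Succeeds when PATTERN would accept mail for any destination at all, which
# turns the security server into an open relay for anyone reaching port 25.
pattern_is_open() {
    case "$1" in
        '*'|'*@*'|'*@*.*') return 0 ;;
        *)                 return 1 ;;
    esac
}

# relay_report PATTERN ADDRESS...
# Prints ACCEPT/REJECT per address and a final "accepted=N rejected=M" line.
relay_report() {
    pattern=$1; shift
    acc=0; rej=0
    if pattern_is_open "$pattern"; then
        echo "WARNING: pattern '$pattern' accepts any recipient (open relay)"
    fi
    for a in "$@"; do
        if recipient_allowed "$pattern" "$a"; then
            echo "ACCEPT $a"; acc=$((acc+1))
        else
            echo "REJECT $a"; rej=$((rej+1))
        fi
    done
    echo "accepted=$acc rejected=$rej"
}

# --- constructed addresses for the document's example pattern ---
relay_report '*@*.mycompany.com' \
    'alice@mail.mycompany.com' \
    'Bob@MAIL.mycompany.com' \
    'bob@mycompany.com' \
    'eve@notmycompany.com' \
    'mallory@example.com'
# expected last line: accepted=2 rejected=3
```

Two points this makes visible: the outsider addresses (notmycompany.com, example.com) are rejected, which is the "Mailbox Unavailable" behaviour the test above looks for, but under glob semantics *@*.mycompany.com also rejects the bare domain bob@mycompany.com, since the pattern requires a dot before mycompany.com. If users have addresses at the bare domain, a second pattern such as *@mycompany.com is needed alongside it.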
If you try other tests, such as sending a larger email than the value you specified as acceptable in the resource, or sending MIME attachments of a type you specified to strip, you should see FireWall-1 reject these and log the appropriate event.

This completes the setup. Please use the PhoneBoy site at http://www.phoneboy.com/fw1 for additional information on SMTP and Security Servers under FW-1. I would like to thank PhoneBoy for providing an excellent resource on SMTP and other aspects of Firewall-1.
Brief Theory on the Operation of the SMTP Security Server

For those of you who are curious as to how the FireWall-1 SMTP Security Server works at a more technical level, I will try to summarize.

1. Email from the Internet is received on the Firewall and put into the directory specified as rundir in the $FWDIR/conf/smtp.conf file.
2. The firewall names the files beginning with the letter “T…filename” for temp.
3. The firewall waits SMTP_SLEEP seconds (defined in the $FWDIR/conf/smtp.conf file) before it renames the file to “R…filename”, meaning it is ready to be dequeued.
4. Once the email is in a Ready state, the dequeuer will forward it to a CVP server (if you defined one as discussed earlier in this document), where the CVP server will remove any virus and send it back to the firewall to be sent to the final email server you specified.
5. If no CVP server is defined, the firewall will send the mail to the final email server you specified in the resource.
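The process listing in Step 3 and the T/R file naming described above together give an operator a quick health check: both daemons should be present, and the spool should drain rather than accumulate files in either state. The following is an added example, not from the original document and not a Firewall-1 tool; it counts temp and ready files in a spool directory and confirms that in.asmtpd and mdq appear in a saved process listing. The spool directory is constructed here, and the two ps lines are the ones quoted in Step 3; on a firewall, use the real rundir and feed it the output of ps -ef.

```shell
#!/bin/sh
# Added example (not from the original document): spool and daemon health check
# for the SMTP Security Server. Constructed input lives in a temporary directory.

# daemons_running PS_OUTPUT_FILE
# Succeeds when both in.asmtpd and the dequeuer mdq appear in the saved listing.
daemons_running() {
    grep -q 'in\.asmtpd' "$1" && grep -q '[[:space:]]mdq$' "$1"
}

# spool_count DIR PREFIX
# Echoes the number of files in DIR whose name starts with PREFIX (T or R).
spool_count() {
    n=0
    for f in "$1"/"$2"*; do
        [ -e "$f" ] && n=$((n+1))      # an unmatched glob yields a non-existent name
    done
    echo "$n"
}

# spool_report DIR
# Prints "temp=N ready=M". A temp count that never drains suggests files are
# not being renamed after SMTP_SLEEP; a growing ready count suggests the final
# mail server (default_server) is not accepting delivery from the dequeuer.
spool_report() {
    t=$(spool_count "$1" T)
    r=$(spool_count "$1" R)
    echo "temp=$t ready=$r"
}

# --- constructed demo input ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
SPOOL="$DEMO/fwspool"; mkdir "$SPOOL"
: > "$SPOOL/T0001"; : > "$SPOOL/T0002"; : > "$SPOOL/R0003"    # two temp, one ready
PS="$DEMO/ps.txt"
cat > "$PS" <<'EOF'
root 10490 10966 0 17:37:12 - 1:53 in.asmtpd 25
root 12034 10966 1 00:12:22 - 8:33 mdq
EOF

if daemons_running "$PS"; then
    echo "in.asmtpd and mdq present"
else
    echo "SMTP Security Server or dequeuer not running"
fi
spool_report "$SPOOL"    # prints temp=2 ready=1
```

Run from cron with the real rundir and a fresh ps -ef capture, the two numbers are worth alerting on: a missing mdq with a rising ready count means the firewall is still accepting mail from the Internet while delivering none of it, which is exactly the failure the document's manual ps check is meant to catch.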
Copyright (C) 2000 Karim Ismail ([email protected]). NO COPYING OF THIS DOCUMENT WITHOUT PERMISSION PERMITTED.