The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: SMTP Security Server as a Spam Guard

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Spam is a notoriously difficult thing to filter properly. Many individuals and companies have written various programs to attempt to filter spam. While not specifically designed to handle this task, FireWall-1 does have some features that can be used to help, namely the SMTP Security Server.

In my opinion, I feel that your inbound SMTP server is a better tool to stop spam. Most SMTP servers (with the notable exception of Microsoft Exchange 5.0 and earlier) have the capability to turn off unauthorized relaying and/or implement some checks to prevent unauthorized use. You can even subscribe to Spamhous Blackhole List or a similiar system that maintains a blacklist of known bad sites.

To use the SMTP Security Server:

  • Make sure that the SMTP Security Server is enabled in $FWDIR/conf/fwauthd.conf Create your SMTP Resource
  • Add the SMTP Resource rule to your rulebase
  • Make sure your firewall has adequate disk space to store incoming mail as it will “store and forward” the email.

Enable SMTP Security Server in $FWDIR/conf/fwauthd.conf

Make sure the following line exists and is uncommented in $FWDIR/conf/fwauthd.conf on your firewall:

    25 fwssd in.asmtpd wait 0

If not, add or uncomment this line and restart FireWall-1 (fwstop; fwstart)

Create SMTP Resources

Your Resource should have the following fields defined:

  • Mail Server (under General tab). This is optional. Put the IP address of your inbound server here. If you have more than one SMTP Server, enter them in the format {ip-address-1,ip-address-2,…}
  • Notify Sender on Error (under General tab). Check this if you want to notify the sender their message has been rejected or in case of some other problem.
  • Recipient (under the Match tab). This should read * If you have multiple domains, it should read *@{,,…}
  • Sender (under the Match tab). This should be configured with a * to match all incoming mail.
  • Don’t Accept Mail Larger Than (under the Action 2 tab). This should be set appropriately. The default is 1000k (or roughly a megabyte).

Add SMTP Resource to Rulebase

Add a rule similiar to the following and re-install the security policy:

Source Destination Service Action
Any SMTP-Server SMTP->Inbound_Filter Accept

What Does This Accomplish?

All email destined for your SMTP Server will be intercepted by FireWall-1’s SMTP Security Server. FireWall-1 will answer on behalf of your SMTP Server, scan the message to insure it meets the Inbound_Filter resource, and forward it to the SMTP server’s specified in the Inbound_Filter resource.

A Possible Bug with this Configuration

Several people mentioned it may be possible to use the SMTP Security Server as a spam relay in the following situation:

  • User specified an allowed domain in the “To” field
  • In the same message, the “Bcc” field contains non-allowed domains

In this case, both the “allowed” and the “unallowed” recipients are sent the message. I can not verify that this problem exists in 4.1 SP2, so you can either upgrade to that version or also add a rule after the above rule that explictly denies SMTP using a “wildcard” SMTP resource (sender and recipient are both *).

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.