FireWall-1 FAQ: SMTP Security Server as a Spam Guard
Please note: This content is from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this material on the Internet, and people are still clicking on them.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Spam is notoriously difficult to filter properly, and many individuals and companies have written programs that attempt to do it. While not specifically designed for this task, FireWall-1 does have a feature that can help, namely the SMTP Security Server.
In my opinion, your inbound SMTP server is a better tool for stopping spam. Most SMTP servers (with the notable exception of Microsoft Exchange 5.0 and earlier) can turn off unauthorized relaying and/or implement checks to prevent unauthorized use. You can even subscribe to the Spamhaus Block List or a similar DNS-based blacklist of known bad sites.
To use the SMTP Security Server:
- Make sure that the SMTP Security Server is enabled in $FWDIR/conf/fwauthd.conf
- Create your SMTP Resource
- Add the SMTP Resource rule to your rulebase
- Make sure your firewall has adequate disk space to hold incoming mail, as the Security Server will “store and forward” every message it accepts.
Enable SMTP Security Server in $FWDIR/conf/fwauthd.conf
Make sure the following line exists and is uncommented in $FWDIR/conf/fwauthd.conf on your firewall:
25 fwssd in.asmtpd wait 0
If not, add or uncomment this line and restart FireWall-1 (fwstop; fwstart).
Create SMTP Resources
Your Resource should have the following fields defined:
- Mail Server (under General tab). This is optional. Put the IP address of your inbound server here. If you have more than one SMTP Server, enter them in the format {ip-address-1,ip-address-2,…}
- Notify Sender on Error (under General tab). Check this if you want to notify the sender that their message has been rejected or that some other problem occurred. Bear in mind that spam almost always carries a forged sender address, so these notifications end up as backscatter to uninvolved third parties; leaving this unchecked is the safer default.
- Recipient (under the Match tab). This should read *@yourdomain.com. If you have multiple domains, it should read *@{yourdomain.com,yourotherdomain.com,…}
- Sender (under the Match tab). This should be configured with a * to match all incoming mail.
- Don’t Accept Mail Larger Than (under the Action 2 tab). This should be set appropriately. The default is 1000k (or roughly a megabyte).
Add SMTP Resource to Rulebase
Add a rule similar to the following and re-install the security policy:
Source | Destination | Service | Action |
Any | SMTP-Server | SMTP->Inbound_Filter | Accept |
What Does This Accomplish?
All email destined for your SMTP server will be intercepted by FireWall-1’s SMTP Security Server. FireWall-1 answers on behalf of your SMTP server, checks that the message satisfies the Inbound_Filter resource, and forwards it to the SMTP server(s) specified in the Inbound_Filter resource.
A Possible Bug with this Configuration
Several people mentioned it may be possible to use the SMTP Security Server as a spam relay in the following situation:
- The sender puts a recipient in an allowed domain in the “To” field
- In the same message, the “Bcc” field contains recipients in non-allowed domains
In this case, both the “allowed” and the “unallowed” recipients are sent the message. I cannot verify that this problem exists in 4.1 SP2, so you can either upgrade to that version or also add a rule after the above rule that explicitly denies SMTP using a “wildcard” SMTP resource (sender and recipient are both *). Whichever you do, test it: what matters is the SMTP envelope, not the message headers, so from an outside host send one message with one RCPT TO in your domain and one RCPT TO in an outside domain, and confirm that the outside recipient is rejected rather than forwarded.
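As an added example, not code from the FAQ or from Check Point: the following Python models the Match-tab pattern syntax described above (`*` and `{a,b,…}`) and the two-rule rulebase the FAQ recommends (the Inbound_Filter accept rule followed by a wildcard deny), then replays the relay probe from the bug report as an SMTP envelope with one local and one outside RCPT TO. The rule names, the constructed addresses, the 250/550 response codes and the first-match evaluation are assumptions of the model; it shows what the rulebase is meant to enforce, not what any particular in.asmtpd build actually does, and it runs offline with no firewall present.

```python
import re
from typing import List, Tuple

# Constructed sample patterns modelled on the FAQ's resource settings.
INBOUND_RECIPIENTS = "*@{yourdomain.com,yourotherdomain.com}"
ANY = "*"

# Hypothetical rulebase in evaluation order: the Inbound_Filter accept rule
# from the FAQ, then the "wildcard" deny resource it recommends adding.
# Each entry is (resource name, Sender pattern, Recipient pattern, action).
RULEBASE = [
    ("SMTP->Inbound_Filter", ANY, INBOUND_RECIPIENTS, "accept"),
    ("SMTP->Wildcard_Deny", ANY, ANY, "drop"),
]


def resource_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a resource Match-tab pattern into an anchored regex.

    Supported syntax, as the FAQ describes it: '*' matches any run of
    characters and '{a,b,...}' lists alternatives. The regex is anchored at
    both ends so that 'bob@yourdomain.com.attacker.example' does not match
    '*@yourdomain.com' by suffix, and matching is case-insensitive because
    mail domains are.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "{":
            end = pattern.index("}", i)  # raises ValueError on an unterminated list
            alts = [re.escape(a.strip())
                    for a in pattern[i + 1:end].split(",") if a.strip()]
            parts.append("(?:" + "|".join(alts) + ")")
            i = end
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rulebase_decision(sender: str, recipient: str, rules=RULEBASE) -> Tuple[str, str]:
    """First-match evaluation of the SMTP rules for one envelope recipient.

    Returns (rule name, action). An envelope that matches no rule falls to
    an implicit drop, as FireWall-1 does for traffic no rule matches.
    """
    for name, sender_pat, rcpt_pat, action in rules:
        if (resource_pattern_to_regex(sender_pat).match(sender)
                and resource_pattern_to_regex(rcpt_pat).match(recipient)):
            return name, action
    return "implicit-drop", "drop"


def relay_test(sender: str, recipients: List[str]) -> List[Tuple[str, int]]:
    """Model the SMTP dialogue of the relay check described in the FAQ.

    Each RCPT TO is judged against the rulebase individually, which is the
    property the "Bcc" relay concern hinges on: the filter has to look at
    every envelope recipient, not only the ones visible in the To: header.
    250 and 550 are the standard SMTP accept / permanent-reject codes; the
    real Security Server's exact replies are not modelled here.
    """
    dialogue = [("MAIL FROM:<%s>" % sender, 250)]
    for rcpt in recipients:
        _, action = rulebase_decision(sender, rcpt)
        dialogue.append(("RCPT TO:<%s>" % rcpt, 250 if action == "accept" else 550))
    return dialogue


if __name__ == "__main__":
    # Constructed envelope: one legitimate local recipient plus one outside
    # address, the shape of the spam-relay probe the FAQ warns about.
    for cmd, code in relay_test("someone@example.org",
                                ["alice@yourdomain.com", "victim@elsewhere.example"]):
        print("%-42s %d" % (cmd, code))
```

If the outside RCPT TO comes back 250 when you run the equivalent probe against the real firewall, the Security Server is relaying and the wildcard deny rule (or the upgrade) has not taken effect.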