[fw-wiz] Allowing relay through Watchguard Firebox 1000

From: Bob Alberti (alberti_at_sanction.net)
Date: 02/21/04

    To: "Firewall-Wizards" <firewall-wizards@honor.icsalabs.com>
    Date: Sat, 21 Feb 2004 12:49:16 -0600
    
    

    I have a client running a Watchguard Firebox 1000 (Linux Boot 6.0.B1140,
    Policy Manager B2200).

    They have recently started deploying e-mail enabled cell phones. Cell phone
    users can reply to messages from other employees, but cannot relay mail from
    their cell phones outside the domain (i.e. to customers), responding with
    the rather odd error

    "553 Requested action not taken: mailbox name not allowed or chunk too
    large"

    That's actually fine -- normally they don't WANT relaying of course -- but I
    have been unsuccessful in my attempts to tell the Firebox "It's okay to
    relay from this domain or this set of IP addresses." Part of the difficulty
    is that this is a production system, so my ability to experiment is
    limited -- my last test, carefully executed after hours, resulted in all
    inbound mail being cut off for a time.

    I have already researched Google and Google Groups, checked the FW archives,
    and also called several times and attempted to get technical support from
    Watchguard (the last time they gave my cell number to a fellow in New Delhi
    who was supposed to call me back a week ago).

    So at this point if anyone can help me with fairly precise instructions on
    where-to-set-what in the policy manager, I'd really appreciate it.

    (I am also willing to replace the Watchguard SMTP proxy with non-stateful
    port-redirect to the mail server and let the mail server manage the whole
    relaying question. One problem that they are seeing is that attempted mail
    relays are being accepted by the mail server because they see the sender as
    being the firewall [i.e. "internal"]. The spam doesn't go out because the
    mail server rejects the outbound domain based on policy, but I'd rather the
    relaying not even get queued up in the first place... but one problem at a
    time here.)

    Thanks in advance for any assistance.

    Bob Alberti, CISSP
    alberti@sanction.net
    http://www.sanction.net
    Phone: (612) 486-5000 ext 211

    P.S. Another worry I have -- as more companies modify their systems to allow
    employee cell phones to relay e-mail, how long until the spammers start
    spoofing cell phone IP addresses in order to relay their spam?
