RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000
From: Karl D. Mueller (karlm_at_acshelp.com)
Date: 02/21/04
- Previous message: Frederick M Avolio: "RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
- Maybe in reply to: Bob Alberti: "[fw-wiz] Allowing relay through Watchguard Firebox 1000"
- Next in thread: Patrick M. Hausen: "Re: [fw-wiz] Allowing relay through Watchguard Firebox 1000"
To: "Frederick M Avolio" <fred@avolio.com>, "Bob Alberti" <alberti@sanction.net>
Date: Sat, 21 Feb 2004 16:55:24 -0500
I wasn't suggesting removing it permanently. My method of
troubleshooting generally involves isolating systems that might cause
more variables. If he removes the SMTP proxy, and his troubles magically
cease, then focus on troubleshooting the Firebox; if not, it's probably
the Exchange server. However, with the volume of newsgroup postings
regarding WatchGuard's SMTP proxy (and even a MS KB article specifically
about it), I'd at least be a little suspicious of it.
Sorry if I was a little hasty in shooting off my reply without
mentioning the "if that doesn't help, by all means put it back".
-----Original Message-----
From: Frederick M Avolio [mailto:fred@avolio.com]
Sent: Saturday, February 21, 2004 3:51 PM
To: Karl D. Mueller; Bob Alberti
Cc: Firewall-Wizards
Subject: RE: [fw-wiz] Allowing relay through Watchguard Firebox 1000
At 03:40 PM 2/21/2004 -0500, Karl D. Mueller wrote:
>My suggestion is to remove the SMTP proxy altogether from the
>watchguard, and just set up a port forward (1-to-1 NAT in
>watchguard-speak) directly to your server.
Ahhhrrrggggg.
<sarcasm>
You *will* find things are much faster without all those nasty firewall
rules getting in the way.
</sarcasm>
I was impressed that some people were actually using the SMTP proxy
rather than just dynamic packet filtering on the Firebox. Take it out of
the way? No, debug it, dammit. It is possible (as the poor gent with the
Exchange server asked) that it is the inside server that's complaining.
Look at the Firebox logs and the e-mail server logs. SMTP relays are
funny things... they reject mail themselves and they reject mail if the
server to which they tried to connect rejects the transaction.
I was so enamored with the Firebox SMTP Proxy, I wrote a column for them
(a few years ago when I was on their advisory board). It is dated, but I
do make a case for it. (http://www.avolio.com/columns/smtp_proxy.html.)
I suspect sometimes that I am the oldest person on this list...
f
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards