Astaro User Bulletin Board
  #11 (permalink)  
Old 05-14-2009, 01:56 PM
Alvin's Avatar
Senior Member
 
Join Date: Jul 2003
Posts: 142
Default

Ian, Bob and Billybob.

- Yes, I did read about the suggestion on the DNAT but had yet to implement it, as I was thinking there might be an easier way to do it, such as maybe I configured something wrongly etc.

I proceeded to do the DNAT but somehow SMTP 25 remains open on ShieldsUP.

465 and 587 are now closed with the same DNAT.

- I created a Host Blackhole with a non-existent IP.

- I created

For Port 25

1) From ANY Service SMTP Destination WAN Address
To Blackhole Service SMTP
Auto Packet Filter Rule UNchecked.

For Port 465

2) From ANY Service SMTP SSL Destination WAN Address
To Blackhole Service SMTP SSL
Auto Packet Filter Rule UNchecked.

For Port 587
I created a TCP PORT 587 in the services as I do not see it.

1) From ANY Service TCP Port 587 Destination WAN Address
To Blackhole Service TCP Port 587
Auto Packet Filter Rule UNchecked.


The result from ShieldsUP is Port 25 remains OPEN.

Port 587 and Port 465 are now closed.

But I do not understand why 25 remains open.

Under SMTP Proxy, below are the settings; those not stated are not touched.

Global = Simple Mode
Domains and Routing Target = Empty.
Route by MX Records. ( It used to be Static Host List but after I tried to play around, I can no longer set it back to Static Host List which is empty thus I choose MX Records)
Host Based Relay = LAN Only.
Host / Network Blacklist = ANY
Scan Relayed (outgoing) messages = Checked
Use Transparent Mode = Checked
Use Smarthost = Checked with my ISP SMTP.
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC
Reply With Quote
  #12 (permalink)  
Old 05-16-2009, 10:16 AM
Alvin's Avatar
Senior Member
 
Join Date: Jul 2003
Posts: 142
Default

Port 25 remains Open with DNAT.

Added Block Rule on Top in Packet Filter still remains open.

Just to confirm my DNAT is right, I disable DNAT and other ports open, so I am doing correctly just that somehow the other 2 ports will close but somehow 25 remains Open.

Question just to make sure I do correctly.

Routing should I set to

1) MX Records
2) STATIC -> Empty Domain List -> Blackhole Hostname which is a non-existent IP.

Which is better?

The disturbing part is it started as 100% Empty, now I cannot make it 100% empty as it simply won't accept.

One last port 25 to go.
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC
Reply With Quote
  #13 (permalink)  
Old 05-16-2009, 04:28 PM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Quote:
It used to be Static Host List but after I tried to play around, I can no longer set it back to Static Host List which is empty thus I choose MX Records
Something is not right and the webadmin is not behaving as it should. Just for FYI, I always use static host in there since it saves the firewall from making one extra query and saves on another point of failure. But that point is moot in your case since you are not allowing any from outside.

You have stated that the port is stealth if you turn off smtp altogether on grc.com? In my limited testing, DNAT made port 25 stealth on 7.401 (haven't taken the plunge to 7.402) on grc. Are you sure your router doesn't have smtp port?

Just out of curiosity, how were you blocking incoming smtp on v6 without DNAT if you had smtp proxy running?

Quote:
Added Block Rule on Top in Packet Filter still remains open.
Built-in rules are always and have always been applied before manually added packet filter rules even in v6.
Reply With Quote
  #14 (permalink)  
Old 05-16-2009, 04:50 PM
Alvin's Avatar
Senior Member
 
Join Date: Jul 2003
Posts: 142
Default

Hi Billybob.

1) As I went thru the 7.402 setup from scratch several times. I am very sure this is the behavior.
1.1) During the Basic Setup Wizard, I did Not check Allow Incoming SMTP.
1.2) When log into Web Admin, the Routing is STATIC with Domain Empty and the Host List Empty.
1.3) As part of my attempt to find the right configuration, I changed to MX Record and saved successfully, saw that it did not meet my requirements and wanted to change back.
1.4) Now when I try to change back to Static, I can leave the list of domains empty But the Host List is a must to set something before it will save. So I set it to the "Blackhole" Hostlist I created to do the DNAT.

2) I do not have a separate Router, Astaro is my router. It is connected to Cable Modem directly.
2.1) Yes all ports are simply closed when I disabled SMTP Proxy, absolutely sure of this.

3) During the V6, It was simple, I remember I just state I use a SMART Host and that is it.
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC
Reply With Quote
  #15 (permalink)  
Old 05-16-2009, 09:07 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,390
Default

Have you tried to set a smarthost in the current version?
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #16 (permalink)  
Old 05-17-2009, 04:17 AM
RFCat_vk's Avatar
Wizard
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 2,554
Default

Hi Alvin,
I have just finished a basic security scan of my ASG with the same website you refer to in your message and not found any open ports. I will try again with the IPS disabled and see what happens.

Ian M

I ran the "No Risk Audit". It returned one intermediate threat ??, 3 minors and 6 others. The 3 minors were all about my non existent e-mail server which happens to be my hp7150 printer. The "others" were informational only "no risk".

I did forget to add in my configuration post that I block all packet filter traffic below 1024 to ensure everything goes through the proxy. Some applications are very dumb and can't work with a proxy even when they have the ability to. I then put specific packet filter rules to allow them to talk to specific sites eg microsoft update, adobe update, Australian Tax Office (e-tax) etc.
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2gb,1 intel NIC, the onboard NIC and netgear gs108t with vlans.

Last edited by RFCat_vk; 05-17-2009 at 03:28 PM. Reason: added extra scan test results
Reply With Quote
  #17 (permalink)  
Old 05-17-2009, 03:03 PM
Alvin's Avatar
Senior Member
 
Join Date: Jul 2003
Posts: 142
Default

Hi

BAlfson - Yes I added my ISP SMTP to the smarthost and looking at headers, yes it is working fine.

RFCat_vk - Ensure your port scan detection under IPS is disabled.

__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC
Reply With Quote
  #18 (permalink)  
Old 05-17-2009, 03:26 PM
RFCat_vk's Avatar
Wizard
 
Join Date: Aug 2005
Location: Victoria, Australia
Posts: 2,554
Default

Hi Alvin,
Yes, I had detect portscan disabled, I also disabled the DOS rules as well.

Put them all back after I finished the tests.

Ian M
__________________
Home Power User unlimited licence - v7.50x - AMD X2 5050e with 2gb,1 intel NIC, the onboard NIC and netgear gs108t with vlans.
Reply With Quote
  #19 (permalink)  
Old 05-17-2009, 04:38 PM
Alvin's Avatar
Senior Member
 
Join Date: Jul 2003
Posts: 142
Default

RFCAT_VK

So did your SMTP Ports show Open?
__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , 3GB RAM, 3 x Broadcom Gigabit NIC
Reply With Quote
  #20 (permalink)  
Old 05-17-2009, 07:28 PM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Ok I have repeated the same test multiple times on grc.com. All tests with antiportscan turned off

SMTP Proxy on, all ports are stealth, port 25 open
SMTP proxy off, all ports are stealth
SMTP proxy on, DNAT to non-existent IP, ALL Ports Stealth Again.

Again this is all with astaro 7.401.
Attached Images
File Type: jpg stealth.jpg (13.6 KB, 10 views)
File Type: jpg astaroDNAT.JPG (45.8 KB, 12 views)
Reply With Quote
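
Added example (not posted by anyone in this thread): a small self-check that reports the three states the posts above rely on, open (handshake completes), closed (connection refused) and stealth (no reply before the timeout), for the SMTP ports tested here. The function names and the 192.0.2.1 address are placeholders chosen for this example; run it from a host outside the firewall against your own WAN address.

```python
import socket

SMTP_PORTS = (25, 465, 587)  # SMTP, SMTP SSL and TCP 587, as tested in the thread


def classify_port(host, port, timeout=3.0):
    """Classify one TCP port the way an external port test reports it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"         # a reset came back: host answered, no listener
    except (socket.timeout, TimeoutError):
        return "stealth"        # no reply at all: the packet was silently dropped
    except OSError:
        return "unreachable"    # e.g. ICMP unreachable or no route to host


def audit(host, ports=SMTP_PORTS, classify=classify_port):
    """Return {port: state} for every port in `ports`."""
    return {port: classify(host, port) for port in ports}


def not_stealth(results):
    """Ports that still answer in some way, i.e. are not stealth."""
    return sorted(p for p, state in results.items() if state != "stealth")


if __name__ == "__main__":
    # Placeholder from the documentation address range (assumption of this
    # example); replace it with your own WAN address.
    wan_address = "192.0.2.1"
    results = audit(wan_address)
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    print("still answering:", not_stealth(results))
```

Disable port scan detection while testing, as the posters did, or the firewall may start dropping the probes and make every port look stealth.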
These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.