Hi All,

I used to be able to configure SMTP Proxy for my LAN to scan Outgoing mails and then the SMTP Proxy -> ISP SMTP Server.
This is perfect in the 6.x version as no SMTP Ports is opened to external.

Since the 7.x, I have never been able to do that.
The SMTP ports are always open as long as SMTP Proxy is enabled but cannot be used as a relay as I did not configure any domains, I only set my LAN to allow relay. But I do not like the fact port scan shows the port open.

I tried to block manually by setting firewall rules on top to block incoming but it remains open, i think it is some auto rules thus my block rules does not apply.

PORT 25, 465, 587.


I reinstalled 7.402 from Scratch as I could not figure our what I missed and at a stage, I noticed something.

On the Basic Setup Wizard, there is stage for e-mail security that says
" Email traffic can be scanned for spam, viruses and spyware. If you want to use the ASG as an SMTP relay for your internal email clients, enable the outbound SMTP Relay. If you want to scan incoming SMTP Traffic for malware and spam, enable the inbound SMTP relay.

[] Enable POP3 Poxy
[] Enable Inbound SMTP Relay

BUT There is NO Enable Outbound SMTP Relay on the screen which is what I need.

Please advice, thank you.

__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , (02 x 512MB, 02 x 1GB = 3GB RAM), 01 x Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI Express Build in, 02 x Broadcom Corporation NetXtreme BCM5705_2 Gigabit Ethernet Add On Card.

Scanning outbound mail has never been available in V7.

Post-install:
'Mail Security >> SMTP' 'Relaying' tab - 'Scan relayed (outgoing) messages' checkbox

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Hi,
If you do a search in this forum for my user id, sometime in the last 3 months I posted a detailed description on how to setup scanning on out going smtp mail using the proxy for a home user.

Ian M

__________________
Home User licence - v8.0xx - AMD X2 5050e (45w CPU) with 4gb (idles at 37w),1 intel NIC, the onboard NIC and netgear gs108t with vlans
Home user licence - v7.507 -Intel N330 to run Astaro AP 30. Connected to internet via V8.001 ASG
Work essentials licence - v8.0xx - intel D with 1.5gb.

Hi All,

Thanks for all the reply.

- Yes I am able to Scan my out going mails.
- Yes it goes to my ISP SMTP

The issue I have now is, I want to close the External Ports as I do not have a SMTP Server at home.

The 3 ports are open as long as I enable SMTP Proxy.
I created Rules to block and place at top but remains Open.


The second issue I want to show is, as part of the Basic Setup wizard, which I The option of Only scan Outgoing but do Not allow Incoming is not available.

Attached screenshot

Attached Images

SMTP.JPG (67.3 KB, 22 views)

__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , (02 x 512MB, 02 x 1GB = 3GB RAM), 01 x Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI Express Build in, 02 x Broadcom Corporation NetXtreme BCM5705_2 Gigabit Ethernet Add On Card.

Of course, the Basic Setup wizard is aimed at business users.

1. See my post above for scanning outbound.
2. On the 'Routing' tab of 'Mail Security >> SMTP', do not enter anything in 'Domains and routing target'.

Have you configured POP3 pre-fetch?

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Hi,
proxies are higher up the processing queue than packet filters. If you are that paranoid about having ports open when there isn't a path beyond the ASG you could try routing the offending packets to a null device.

If setup correctly the ASG will close itself up if it suspects a port scan.

Ian M

__________________
Home User licence - v8.0xx - AMD X2 5050e (45w CPU) with 4gb (idles at 37w),1 intel NIC, the onboard NIC and netgear gs108t with vlans
Home user licence - v7.507 -Intel N330 to run Astaro AP 30. Connected to internet via V8.001 ASG
Work essentials licence - v8.0xx - intel D with 1.5gb.

Hi

Bob: Thanks for your reply. Yes I know the Basic Setup Wizard is targetted at Business Users who generally have a SMTP Server.

But the wording on the screen does give the impression, if you Only want to scan Outgoing SMTP, enable that Only. Thus when I read it, I am looking for the option for Outgoing Only.

" Email traffic can be scanned for spam, viruses and spyware. If you want to use the ASG as an SMTP relay for your internal email clients, enable the outbound SMTP Relay. If you want to scan incoming SMTP Traffic for malware and spam, enable the inbound SMTP relay.

[] Enable POP3 Poxy
[] Enable Inbound SMTP Relay"

That line that says Enable the outbound SMTP Relay which is what I want but not on the list, I thought I found a bug


Ian M: Thank you for your explanation that the Proxy is above the Packet Filter thus my explicit block rules does not work, I learn something new.
I always thought Explict Block will "win" everything else.

The reason this Open Port is disturbing to me is because I use SecuritySpace to Audit my configuration (which does help me a lot to identify mistakes such as webadmin set to any etc)

In the past during the 6.x, my ports is 100% Closed thus now when it is on the 7.x and shows open, it is disturbing and securityspace audit would get shows some "keys" and headers etc which is beyond my level but I felt I just want to close it.


Bob: On the 'Routing' tab of 'Mail Security >> SMTP', do not enter anything in 'Domains and routing target'.

Yes I left mine blank, I specifically set Allow relay to LAN and on top of that under the Block, I set ANY just to be safe.

I believe my SMTP is secure as in I do not see it as a spam relay etc.

Yes I do enable the port scan detection to defend port scan.

But the thing is when we do audits from security space, I would turn off the port scan so that those ports that is really open such as VPN etc, it can see it and also check if there is any vulnerabilities.

With the port scan enabled, the results may not be as good even if it gives the all clear as I think the port scan simply block that IP for a certain amount of time but if the attacker is not doing port scan, then it won't protect me.

Sorry if what I am writing does not make sense, I am learning too

__________________
Astaro Latest Version, HP ML110 G3 Server, P4HT 3.0GHz , (02 x 512MB, 02 x 1GB = 3GB RAM), 01 x Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI Express Build in, 02 x Broadcom Corporation NetXtreme BCM5705_2 Gigabit Ethernet Add On Card.

As Ian suggested, create a dnat rule and forward the ports you don't like open to an IP that is not used on your network. So lets say your local network is 192.168.1.***. Create a DNAT rule:

Traffic source ANY, traffic service smtp traffic destination external address DNAT TO some IP you don't use in the 192.168.1.*** range and make sure you don't check the create automatic filter rule.

This will make your port 25 stealth again even if the scan was only done against port 25. It will not show up as open even if the port scan protection was turned off. Pretty similar to v6 where nat/masq rules were always used before packet filter rules.

You might have to tweak the DNAT a little to make sure your outbound is not affected since I haven't tested it.

Billybob, doesn't the SMTP Proxy capture port-25 packets before they're ever considered by SNAT, packet filter rules, DNAT or explicit routes?

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Seems like DNAT has carried over from v6, I didn't try snat or other masq rules but if you put a dnat rule, atleast in my testing it is applied before the proxy is. I only tested it on smtp proxy because of the nature of the question but I am sure it will work on all if it is working on one.