Astaro User Bulletin Board


#1, 01-21-2010, 01:28 PM
Member
 
Join Date: Sep 2009
Posts: 34
Astaro 7.5 - SMTP changes outgoing mail?

Hello,
we're using Astaro 7.5 as our firewall, and the SMTP proxy is active to route domains. Just before an e-mail leaves our system it is signed and/or encrypted, but not by Astaro; we use another product for this. Now, every time I fetch those signed e-mails with a POP3 client, the client (Outlook and Thunderbird) says that the mail was changed and the signature is not trustworthy. Now another administrator at one of our customers claims that our Astaro changes the mail. But how can I confirm this?
The options that might trigger this behaviour, and which I consider possible causes of the mail being changed, are:

- Antivirus scanning on Astaro is on, but the antivirus check footer is off.
- Content scan for relayed (outgoing) messages is on
- Reject invalid HELO / missing RDNS is on
- Use Greylisting is on
- Use BATV is on
- Perform SPF check is on
- Footers mode IS "Inline, unicode conversion"
- "Confidentiality footer" is OFF
Can anyone help me?

Last edited by Rumak18; 01-21-2010 at 02:04 PM.
#2, 01-21-2010, 08:53 PM
Member
 
Join Date: Sep 2009
Posts: 34

Here is the answer I got from Astaro support, but I do not know how to realize the proposal:

Quote:
We do add SMTP headers to the message that cannot be disabled (this is very common for MTAs). The better topology would be to put the mail proxy behind the email encryption device. That way, when the mail encryption device receives the message it will have the final headers intact. Then, when the signing happens, the headers will be part of the hash and the integrity will be kept.
I only have one firewall, so I don't know how to put the SMTP proxy behind the signing gateway while keeping the ASG as the firewall.
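Added example, not code from the original thread, from Astaro or from the signing gateway: one way to answer the question in post #1 ("how can I confirm this?") and to check the support explanation quoted above. Capture the message twice, once as the signing gateway hands it to the proxy and once as it arrives at the recipient (or as the POP3 client fetches it), and compare the two copies. For a multipart/signed message (S/MIME or PGP/MIME) the signature covers only the first MIME part, so trace headers that every MTA adds (Received:) do not affect it, while any change inside that part, such as an appended footer or a charset conversion, does. The sample messages, hostnames and the base64 "signature" blob below are constructed placeholders; only the Python standard library is used.

```python
"""Compare a signed message captured before and after an intermediate MTA
(here the Astaro SMTP proxy) to see whether the region a signature covers
was altered.  All messages below are constructed for this example."""
import difflib
from collections import Counter
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

# Trace fields every MTA is expected to add (RFC 5321); their appearance
# is not evidence that the signed content was touched.
TRACE_HEADERS = {"received", "return-path"}

# Constructed sample: what the signing gateway handed to the proxy.
# The pkcs7 blob is a placeholder, not a real signature.
BEFORE = """\
From: alice@example.com
To: bob@example.net
Subject: signed test
Message-ID: <1234@example.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Hello Bob, this body is covered by the signature.

--B1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXItc2lnbmF0dXJl
--B1--
"""

# Case 1: the proxy only prepended a Received: trace header (constructed).
AFTER_TRACE_ONLY = (
    "Received: from gw.example.com (gw.example.com [203.0.113.10])\n"
    "\tby asg.example.com with ESMTP id 1A2B3C;\n"
    "\tFri, 22 Jan 2010 10:00:00 +0000\n"
) + BEFORE

# Case 2: in addition, an inline footer was appended to the text part
# (constructed; this is what a body-modifying hop would look like).
AFTER_FOOTER = AFTER_TRACE_ONLY.replace(
    "Hello Bob, this body is covered by the signature.\n",
    "Hello Bob, this body is covered by the signature.\n\n"
    "-- \nThis e-mail was scanned by the gateway.\n",
)


def signed_content(raw):
    """Return the serialized region a signature covers: for multipart/signed
    the first MIME part (its headers included, RFC 1847); otherwise the body."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    if msg.get_content_type() == "multipart/signed":
        return msg.get_payload(0).as_string()
    if msg.is_multipart():
        return "".join(part.as_string() for part in msg.iter_parts())
    return msg.get_payload()


def compare(before_raw, after_raw):
    """Report header additions/removals and whether the signed region is
    byte-for-byte the same in both captures."""
    before = message_from_string(before_raw, policy=DEFAULT_POLICY)
    after = message_from_string(after_raw, policy=DEFAULT_POLICY)
    hb = Counter((k.lower(), str(v).strip()) for k, v in before.items())
    ha = Counter((k.lower(), str(v).strip()) for k, v in after.items())
    added = sorted(name for name, _ in (ha - hb).elements())
    removed = sorted(name for name, _ in (hb - ha).elements())
    sb, sa = signed_content(before_raw), signed_content(after_raw)
    diff = list(difflib.unified_diff(sb.splitlines(), sa.splitlines(),
                                     "before", "after", lineterm=""))
    return {
        "added_headers": added,
        "removed_headers": removed,
        # a changed header value shows up as one removal plus one addition
        "non_trace_header_changes": [h for h in added + removed
                                     if h not in TRACE_HEADERS],
        "signed_content_intact": sb == sa,
        "signed_content_diff": diff,
    }


def verdict(report):
    """One-line reading of a compare() report."""
    if report["signed_content_intact"] and not report["non_trace_header_changes"]:
        return "proxy added trace headers only; signed content untouched"
    if report["signed_content_intact"]:
        return "signed content untouched, but non-trace headers changed"
    return "signed content modified in transit; signature cannot verify"


if __name__ == "__main__":
    for label, after in (("trace header only", AFTER_TRACE_ONLY),
                         ("inline footer added", AFTER_FOOTER)):
        report = compare(BEFORE, after)
        print(f"{label}: {verdict(report)}")
        print("  added headers:", report["added_headers"])
        for line in report["signed_content_diff"]:
            print("  " + line)
```

If the signed region is intact and only trace headers were added, the proxy is not what broke the signature and the signing gateway or the mail client is where to look next; if the diff shows changed body lines, the hop between the two captures modified the signed content. To run it against real traffic, replace the two constants with the raw message saved on the signing gateway and the raw message saved by the POP3 client.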
#3, 01-22-2010, 07:56 AM
Member
 
Join Date: Dec 2006
Posts: 79

I guess the easiest is, when you use the 'transparent' proxy for email scanning, to put the signing device in the 'skip the transparent scanning' list, so the mails go out directly... Or, when not using the proxy in transparent mode, to just allow SMTP traffic from the signing box to any in the packet filter... That way it will not be processed by the ASG when being sent...
#4, 01-22-2010, 11:26 AM
Member
 
Join Date: Sep 2009
Posts: 34

So I just have to check the box for "transparent proxy" and add the server to the "skip list"... that's all? But by using the "skip list", even incoming mail isn't checked by the ASG. But I assume that if I create an SMTP outgoing packet filter rule for the signing server and remove it from the "relaying" list, all incoming mails are still checked, but not the outgoing ones. Am I mistaken?

Last edited by Rumak18; 01-22-2010 at 11:47 AM.
#5, 01-22-2010, 11:49 AM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 6,999

I'm a little confused by the description, but it sounds like, for outgoing mail, you now have:
[Mail Servers] --> [signing/encrypting device] --> [Astaro SMTP Proxy] --> [Internet]
Astaro support suggests that you change this to:
[Mail Servers] --> [Astaro SMTP Proxy] --> [signing/encrypting device] --> [Internet]
If you can't make that change, then bkortleven's suggestion applies. If you already have the box checked for transparent mode, then, "Yes," adding the server to the skiplist would work. If you don't already have that box ticked, then you must have the signing/encryption device pointed at the Astaro as a smarthost. In this case, you must delete that setting from your signing device or replace it with the public IP of your ISP's smarthost. You may need to add a packet filter rule: '[Signing device] -> SMTP -> Internet : Allow'.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#6, 01-22-2010, 01:11 PM
Member
 
Join Date: Sep 2009
Posts: 34

Quote:
I'm a little confused by the description, but it sounds like, for outgoing mail, you now have:

[Mail Servers] --> [signing/encrypting device] --> [Astaro SMTP Proxy] --> [Internet]
Correct!
Quote:
If you can't make that change, then bkortleven's suggestion applies.
It's not that I can't make it, but in my opinion this is just too risky. This means that I have to allow outgoing and incoming SMTP traffic for the signing server and give it an external IP address, right? Isn't this just too risky?

So there's no chance to use at least the SMTP security settings for outgoing mails?

Last edited by Rumak18; 01-22-2010 at 01:25 PM.
#7, 01-22-2010, 01:49 PM
Member
 
Join Date: Sep 2009
Posts: 34

Now I got the answer from my ISP that they do not offer such a service as a "smart host" for mail.
#8, 01-22-2010, 02:13 PM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 6,999

No, you don't need to give the signing server any such thing; since you are not running in transparent mode, just delete the smarthost information in the signing server and create the PF rule I mentioned in my post above. Incoming mail will continue to arrive via the proxy, but outgoing mail will avoid the proxy (no anti-virus scanning on outgoing emails).

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
#9, 01-22-2010, 08:06 PM
Member
 
Join Date: Sep 2009
Posts: 34

OK... so let's summarize.

First, I delete my signing gateway from the ASG under "Mail Security", "SMTP", "Relaying", "Host based relay" and "Allowed hosts/networks".
Second, I remove the ASG as the "gateway" from my signing gateway (CentOS Linux with James as the SMTP service) and create a packet filter rule for my signing gateway with the "SMTP" service as outgoing... right?

Third, but what I don't understand then is how my signing gateway will know where to ship the mails...
#10, 02-11-2010, 01:59 PM
Member
 
Join Date: Sep 2009
Posts: 34

OK... I know it's been a while, but I don't want to leave you in the dark, and I'm quite sure that you've been waiting for my answer (-;

So, in fact, the ASG may change something in the SMTP header, BUT this is no reason for, and no function that causes, a change of the signature. We've figured out that our signing/encryption gateway had to be set up and changed. I don't know WHAT was changed, but I got an update for my s/e gateway and it all works now. By the way, the behaviour of different mail clients like Outlook (Express, 2003, 2007), Lotus Notes, Thunderbird and The Bat might differ in judging a faulty or correct signature. So this was another issue that had to be fixed.
Thanks for the help





 



These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.