Personally I believe in defense in depth so I have
anti relaying turned on both at my Exchange server and
also at the anti spam server.
For the e-mail admins there is a good overview of
stopping relaying in Exchange 2000 at
http://www.msexchange.org/tutorials/MF005.html. I
believe, but am not certain, that most of the concepts
should still be the same in 2003. I'm sure there are
good tutorials for 2003 but since I'm still using 2000
I have not found them yet.
If you want to use the firewall to block relaying you
can use an SMTP Resource. Under the Match tab Sender
should be * and Recipient should be *@domain. If you
need multiple domains you can separate them with a
comma but I cannot remember whether there should be a
space or just a comma. It's in the documentation. It's
been a while since I did one of these and I don't have
a server with this config in front of me to refer to
but it is definitely in the Checkpoint documentation
so it should not be too hard to get this right if you
want to go that route. Just a warning: setting up
resources under Checkpoint can create unique problems.
A third option is if you are using any sort of anti
spam filter it should include anti relaying options as
well.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Matt Arntsen
Sent: Tuesday, May 25, 2004 1:43 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] exchange 2003 best practices
In an attempt to limit email relaying, I was wondering how
others have set up their email routing with an Exchange 2003
email server in conjunction with their NG-AI R55 firewall.
What is the best way to set it up? I currently have a static
NAT rule to send all email inbound. Our email engineers want
to prevent relays and are convinced it is the firewall's
responsibility. They also want to limit authorized IP
addresses which can connect to the email server. The problem
I see with this is that you cannot block the Internet from
sending you an email. Perhaps I am wrong but I keep telling
them it is the function of the email server to only allow
emails destined to our domain and refuse all others rather
than forcing the firewall to do this. Perhaps I am wrong and
so I am hoping I can get some feedback. Thanks!
Matt
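
The "Sender *, Recipient *@domain" match described in the reply above, modeled in Python as an added example (not part of the original thread, and not Check Point's implementation). The domains example.com and example.org, the function names, and the tolerance for spaces after commas are assumptions made for this example.

```python
from fnmatch import fnmatchcase

def parse_patterns(spec):
    """Split a comma-separated pattern list; spaces after commas are tolerated (assumption)."""
    return [p.strip().lower() for p in spec.split(",") if p.strip()]

def matches(address, patterns):
    """Case-insensitive wildcard match against the whole envelope address."""
    addr = address.strip().lstrip("<").rstrip(">").lower()
    return any(fnmatchcase(addr, p) for p in patterns)

def relay_decision(mail_from, rcpt_to, sender_spec, recipient_spec):
    """Accept only when MAIL FROM and RCPT TO both match the rule."""
    ok = (matches(mail_from, parse_patterns(sender_spec))
          and matches(rcpt_to, parse_patterns(recipient_spec)))
    return "accept" if ok else "reject"

# Rule from the post: Sender *, Recipient *@domain (placeholder domains).
SENDER = "*"
RECIPIENT = "*@example.com, *@example.org"

# Constructed envelopes: (MAIL FROM, RCPT TO)
SAMPLES = [
    ("<alice@outside.test>", "<bob@example.com>"),        # ordinary inbound mail
    ("<>", "<bob@Example.ORG>"),                          # bounce with null sender
    ("<alice@outside.test>", "<carol@elsewhere.test>"),   # recipient is not local
    ("<alice@outside.test>", "<bob@example.com.elsewhere.test>"),  # only a prefix match
]

def evaluate(samples):
    """Return the verdict for each (MAIL FROM, RCPT TO) pair under the rule."""
    return [relay_decision(f, t, SENDER, RECIPIENT) for f, t in samples]

if __name__ == "__main__":
    for (f, t), verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{verdict:6}  MAIL FROM:{f}  RCPT TO:{t}")
```

Because the sender pattern is *, bounces with an empty MAIL FROM still get through, and the decision rests entirely on the recipient domain list.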