
Email Proxy Config for Separate Servers

  • Email Proxy Config for Separate Servers

    I am trying to configure the Email Proxy on a GB-2100 (v6.2.00). I am working with the free Email Proxy setting with no spam or anti-virus subscriptions.

    I have 2 email servers on different internal interfaces (different physical networks with separate subnets). Both email servers have external (public) IP addresses assigned to External interface Aliases [Configure -> Network -> Interfaces -> Aliases]. These 2 addresses are the primary and secondary MX records for the same domain.

    I would like to configure different Email Proxy Policies for each of these servers and its assigned external IP address [Configure -> Threat Management -> Mail Proxy -> Policies]. I have tried setting the Destination Address to the IP address and to the server name (from public DNS). Neither had an effect. The rule for server 2 would be applied to inbound emails coming in for the other IP address (server 1). Is there a way for me to configure this separately for each email server, as I want to?

  • #2
    Hello Jost

    The email proxy listens on all IP addresses assigned to the firewall. Unless you are attempting to create 2 rules for different domains, what you are attempting to do through the proxy will not work.

    It sounds as if you would be better served by inbound tunnels instead. If you go to [Configure -> Network -> NAT -> Inbound Tunnels] you can set up a rule for SMTP from: "MX record 1" to: "server 1" and another rule for SMTP from: "MX record 2" to: "server 2".

    On a side note, if you haven't done this yet, it would also be a good idea to set up static mappings under [Configure -> Network -> NAT -> Static Mappings] which will correctly NAT each server's outbound traffic to the correct alias.

    I hope this helps.



    • #3
      Thanks Rick

      I did have the inbound tunnels for SMTP as you described (the definitions are still there, just disabled). There are also direct inbound tunnels for IMAP, POP3, and HTTP connections (along with their secure counterparts). The outbound static mappings are also in place (as needed for RDNS to work for outbound SMTP connections).

      The problem was that my email servers were being hammered by "EHLO ylmf-pc" brute force authentication attacks. The email servers themselves did not have a defense for this. That is the main reason why I changed the configuration to implement the Email Proxy in the firewall. The firewall handles these attacks and keeps the email servers from getting all these connections. I have also enabled the MAPS function, which has drastically reduced the inbound spam. So overall the Email Proxy provides benefits I can't ignore.

      In the Email Proxy Options [Configure -> Threat Management -> Mail Proxy -> Proxy] I have unchecked the "Automatic Policies" box and then in the inbound rules [Configure -> Security Policies -> Inbound] I manually configured a rule for each of the external email IP addresses. This was to prevent the Email Proxy from accepting SMTP (TCP port 25) connections on all external IP addresses. (In my opinion this is a security flaw in the default Email Proxy configuration.)

      Ideally I would have the secondary email server at another site or at least on a separate internet connection for resilience, and this would not be an issue. However, this is the current scenario and the resources I have to work with. I wanted to distinguish each server connection because it appears that the spam distribution systems tend to favor the lower priority servers in an attempt to possibly avoid some of the spam filtering that may be in place on the primary server. Knowing this I could possibly implement stricter policies on connections to the secondary server.
      Last edited by Jost; 2015-12-08, 16:40.



      • #4
        If the brute force attacks are coming from the same IP or subnet, you could try adding it to the ALWAYS_BLOCK address object in [Configure -> Objects -> Address Objects].

        Another possibility is if the attack is from a specific country, country blocking may help.



        • #5
          Blocking by IP address only temporarily stopped it. Then shortly after blocking one address the connections would start coming from other IP addresses. After adding about 6 IPs I gave up on blocking by IP address. A number of the IPs had the same first 2 octets but not all of them. It appears to be a distributed attack. I did not track the origin of each IP address but they did not all seem to be coming from the same country. Since I do not have a subscription country blocking was not a consideration I looked at. The current configuration in the firewall effectively blocks these attacks and is easier than chasing IP addresses.

          The main issue I have is the ability to enter policies based on the local IP address that is accepting the connection. I would like that ability, but since it does not seem to be possible it is a limitation I can live with. My reason for the post was hoping that someone else had a similar configuration and I was just missing something.

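The thread makes two points worth seeing in log data: the "EHLO ylmf-pc" authentication brute force in #3, and the observation in #5 that blocking one IP at a time fails because the attempts are spread across many sources. The script below is an added example, not the firewall's own logic or anything posted by the participants: it parses constructed log lines in a simplified format of our own and shows that a per-IP failure threshold sees nothing, while grouping failed AUTH attempts by the EHLO name surfaces the distributed campaign.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread, not a vendor format): one
# distributed auth brute-force campaign announcing itself as "EHLO ylmf-pc"
# from several source addresses, plus one legitimate authenticated client.
SAMPLE_LOG = """\
2015-12-08T16:01:02 client=203.0.113.10 ehlo=ylmf-pc auth=fail user=sales
2015-12-08T16:01:05 client=203.0.113.10 ehlo=ylmf-pc auth=fail user=info
2015-12-08T16:01:09 client=198.51.100.7 ehlo=ylmf-pc auth=fail user=admin
2015-12-08T16:01:14 client=198.51.100.22 ehlo=ylmf-pc auth=fail user=admin
2015-12-08T16:01:20 client=192.0.2.44 ehlo=ylmf-pc auth=fail user=postmaster
2015-12-08T16:02:01 client=192.0.2.9 ehlo=mail.example.org auth=ok user=alice
2015-12-08T16:02:30 client=198.51.100.7 ehlo=ylmf-pc auth=fail user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) ehlo=(?P<ehlo>\S+) "
    r"auth=(?P<auth>ok|fail) user=(?P<user>\S+)$"
)

def parse(log):
    """Yield one dict per line matching the constructed format; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def failures_per_ip(events):
    """Failed AUTH count per source: the view a per-IP block list acts on."""
    return Counter(e["ip"] for e in events if e["auth"] == "fail")

def ips_over_threshold(events, threshold):
    """Sources a per-IP rule would block. A distributed attack stays under it."""
    return sorted(ip for ip, n in failures_per_ip(events).items() if n >= threshold)

def failures_per_ehlo(events):
    """Group failed AUTH attempts by the EHLO name: {ehlo: set of source IPs}."""
    groups = defaultdict(set)
    for e in events:
        if e["auth"] == "fail":
            groups[e["ehlo"]].add(e["ip"])
    return groups

def distributed_campaigns(events, min_sources):
    """EHLO names behind failed AUTH from at least min_sources distinct IPs."""
    return {ehlo: sorted(ips) for ehlo, ips in failures_per_ehlo(events).items()
            if len(ips) >= min_sources}
```

With the sample above, `ips_over_threshold(events, 3)` returns nothing, while `distributed_campaigns(events, 3)` reports `ylmf-pc` across four sources, which is the signal a proxy-level rule keyed on the banner can act on.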