Firewall Wizards mailing list archives

RE: Allowing relay through Watchguard Firebox 1000


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 23 Feb 2004 07:53:39 -0500

Karl D. Mueller wrote:
My suggestion is to remove the SMTP proxy altogether from the
watchguard, and just set up a port forward (1-to-1 NAT in
watchguard-speak) directly to your server.

It's possible - just possible - given the message, that the
firewall is detecting some kind of out-of-bounds condition
in the mail message. Back when I was writing proxy firewalls
(in 1066, we used flint to write our proxies...) I had all kinds
of checks for things like a user-name that was longer than
512 bytes, for example. It turned out to be a useful filter for
X.400 addresses, and I like to fantasize that I helped
contribute to the timely demise of that particular bad idea.
BUT - it is possible that your firewall is detecting an
attack of some sort - perhaps something tunnelling data
or who knows what on a header line - and by suggesting
you "turn the proxy off" you're making the classic decision
in favor of:
"Functionality at any cost - EVEN when I don't understand it."
I wouldn't recommend to anyone to turn a proxy off without
finding out why it's erroring. That's what they're there for,
after all. Security attacks are just a special case of error.

Put differently, if you want all those pesky errors to go away,
take the firewall out and replace it with one of those newfangled
$14.95 "secure hubs".

mjr.  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

