Firewall Wizards mailing list archives

RE: Allowing relay through Watchguard Firebox 1000


From: "Karl D. Mueller" <karlm () acshelp com>
Date: Sat, 21 Feb 2004 15:40:44 -0500

We're having a very similar problem. We're using Exchange 5.5 as the
back-end email server. The odd thing is, we get the error only
intermittently, and it's sometimes logged on the Exchange server (if it
were a problem with the Watchguard SMTP proxy, wouldn't it not get this
far and be logged on the WG rather than the Exch server?)

We've noticed that it happens almost exclusively with msn and hotmail
accounts (for what that's worth). And only from outbound SMTP custom
recipients.

My suggestion is to remove the SMTP proxy altogether from the
watchguard, and just set up a port forward (1-to-1 NAT in
watchguard-speak) directly to your server. See if that makes a
difference. Unfortunately I can't convince my IT manager to do it, since
they want the attachment blocking. (I'm trying to get them to install an
SMTP virus scanner on the email server, rather than using the firewall..
Oh well.)

Hope this helps a little.

-------------------
Karl Mueller  CCNP
Mobile 703 946 6638
Office 703 369 9800 x205

-----Original Message-----
From: Paul Robertson [mailto:proberts () patriot net] 
Sent: Saturday, February 21, 2004 2:42 PM
To: Bob Alberti
Cc: Firewall-Wizards
Subject: Re: [fw-wiz] Allowing relay through Watchguard Firebox 1000


On Sat, 21 Feb 2004, Bob Alberti wrote:

They have recently started deploying e-mail enabled cell phones. Cell 
phone users can reply to messages from other employees, but cannot 
relay mail from their cell phones outside the domain (i.e. to 
customers), responding with the rather odd error

"553 Requested action not taken: mailbox name not allowed or chunk too large"

Maybe this is just me misunderstanding...


That's actually fine -- normally they don't WANT relaying of course --
but I have been unsuccessful in my attempts to tell the firebox "It's
okay to relay from this domain or this set of IP addresses."  Part of
the difficulty is that this is a production system, so my ability to
experiment is limited -- my last test, carefully executed after hours,
resulted in all inbound mail being cut off for a time.

They're sending mail from their cell phones, with a return-path of their
work address, with a forward path of their customers?

I don't see how their firewall fits in - unless this is one of those
"Phone is one of those multifunction PDA things sitting in a cradle?"

If so, I'd relay those off a different internal server and let it make
the relay choice based on the IP address.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards