Firewall Wizards mailing list archives
RE: Allowing relay through Watchguard Firebox 1000
From: "Karl D. Mueller" <karlm () acshelp com>
Date: Sat, 21 Feb 2004 15:40:44 -0500
We're having a very similar problem. We're using Exchange 5.5 as the back-end email server. The odd thing is, we get the error only intermittantly, and it's sometimes logged on the Exchange server (if it were a problem with the Watchguard SMTP proxy, wouldn't it not get this far and be logged on the WG rather than the Exch server?) We've noticed that it happens almost exclusively with msn and hotmail accounts (for what that's worth). And only from outbound SMTP custom recipients. My suggestion is to remove the SMTP proxy alltogether from the watchguard, and just setup a port forward (1-to-1 NAT in watchguard-speak) directly to your server. See if that makes a difference. Unfortunately I can't convince my IT manager to do it, since they want the attachment blocking. (I'm trying to get them to install a SMTP virus scanner on the email server, rather than using the firewall.. Oh well.) Hope this helps a little. ------------------- Karl Mueller CCNP Mobile 703 946 6638 Office 703 369 9800 x205 -----Original Message----- From: Paul Robertson [mailto:proberts () patriot net] Sent: Saturday, February 21, 2004 2:42 PM To: Bob Alberti Cc: Firewall-Wizards Subject: Re: [fw-wiz] Allowing relay through Watchguard Firebox 1000 On Sat, 21 Feb 2004, Bob Alberti wrote:
They have recently started deploying e-mail enabled cell phones. Cell phone users can reply to messages from other employees, but cannot relay mail from their cell phones outside the domain (i.e. to customers), responding with the rather odd error "553 Requested action not taken: mailbox name not allowed or chunk too
large"
Maybe this is just me misunderstanding...
That's actually fine -- normally they don't WANT relaying of course --
but I have been unsuccessful in my attempts to tell the firebox "It's okay to relay from this domain or this set of IP addresses." Part of the difficulty is that this is a production system, so my ability to experiment is limited -- my last test, carefully executed after hours,
resulted in all inbound mail being cut off for a time.
They're sending mail from their cell phones, with a return-path of thier work address, with a forward path of their customers? I don't see how their firewall fits in - unless this is one of those "Phone is one of those multifunction PDA things sitting in a cradle?" If so, I'd relay those off a different internal server and let it make the relay choice based on the IP address. Paul ------------------------------------------------------------------------ ----- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Allowing relay through Watchguard Firebox 1000 Bob Alberti (Feb 21)
- Re: Allowing relay through Watchguard Firebox 1000 Frederick M Avolio (Feb 21)
- Re: Allowing relay through Watchguard Firebox 1000 Paul Robertson (Feb 21)
- Re: Allowing relay through Watchguard Firebox 1000 Patrick M. Hausen (Feb 23)
- <Possible follow-ups>
- RE: Allowing relay through Watchguard Firebox 1000 Karl D. Mueller (Feb 21)
- RE: Allowing relay through Watchguard Firebox 1000 Frederick M Avolio (Feb 21)
- RE: Allowing relay through Watchguard Firebox 1000 Marcus J. Ranum (Feb 23)
- RE: Allowing relay through Watchguard Firebox 1000 Karl D. Mueller (Feb 21)
- RE: Allowing relay through Watchguard Firebox 1000 Karl D. Mueller (Feb 26)