Email Proxy

The Email Proxy facility is used to configure an SMTP (Simple Mail Transfer Protocol) proxy for inbound email on TCP port 25. The administrator can use the Email Proxy to shield an internal email server from unauthorized access and to reduce or eliminate spam (unsolicited email). It includes the ability to log SMTP "To" and "From" addresses when rejecting email. As email is received, X-From and X-To entries are added to the email header.

Unsolicited Email

The Email Proxy compares the source IP address of incoming messages to the IP addresses of known spammers listed in the enabled Mail Abuse Prevention RBLs (Realtime Blackhole Lists). If a source matches one of these, the IP address is logged, and the message is permanently rejected (the firewall returns a "do not send again" packet to the source IP address) and dropped.

Email Headers

Email Proxy on the GTA Firewall appends the Received, To and From addresses contained in the initial SMTP (Simple Mail Transfer Protocol) conversation as X-GB-Received, X-GB-To and X-GB-From. The prefix shows that this header was appended by a receiving GNAT Box system firewall, as in the following example:

X-GB-Received: from domain.example.com (192.168.71.9)
    by gtafirewall.yourcompany.com (3.5.0)
X-GB-From: sendername@sendexample.com
X-GB-To: recipient@yourcompany.com

The "X-GB-Received" line contains the domain name/host where the email originated, followed by the host name and IP address of the receiving firewall. The "X-GB-From" line contains the email address of the sender. (The originating domain and the domain in the sender's email address are not necessarily the same.) The "X-GB-To" line contains the email address of the intended recipient at your company's domain.
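As an added example (not code from the GTA documentation or product), the following Python parses the X-GB-* headers described above out of a received message, so that a mail administrator can log them or compare the originating host against the sender's domain. It assumes the X-GB-Received value has the layout of the sample header, "from <host> (<ip>) by <firewall> (<version>)", and that the parenthesised address beside the originating host is the connecting peer's address, as in a standard Received: header. The message itself is constructed for the example.

```python
import re
from email.parser import Parser

# Constructed sample message (not a real capture). The X-GB-* headers follow
# the layout shown in the documentation; the address/domain values are invented.
SAMPLE_MESSAGE = (
    "X-GB-Received: from domain.example.com (192.168.71.9)\n"
    "\tby gtafirewall.yourcompany.com (3.5.0)\n"
    "X-GB-From: sendername@sendexample.com\n"
    "X-GB-To: recipient@yourcompany.com\n"
    "From: Sender <sendername@sendexample.com>\n"
    "To: recipient@yourcompany.com\n"
    "Subject: constructed test message\n"
    "\n"
    "Hello.\n"
)

# Assumed layout of the X-GB-Received value:
# "from <host> (<ip>) by <firewall> (<version>)"
RECEIVED_RE = re.compile(
    r"from\s+(?P<origin_host>\S+)\s+\((?P<origin_ip>[\d.]+)\)\s+"
    r"by\s+(?P<firewall>\S+)(?:\s+\((?P<version>[^)]*)\))?"
)


def parse_gb_headers(raw_message: str) -> dict:
    """Extract the X-GB-* headers the proxy prepends and return them as a dict."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    # The header may be folded over two lines; collapse the folding whitespace.
    received = " ".join((msg.get("X-GB-Received") or "").split())
    match = RECEIVED_RE.search(received)
    if match is None:
        raise ValueError("X-GB-Received missing or not in the expected layout")
    info = match.groupdict()
    info["sender"] = (msg.get("X-GB-From") or "").strip()
    info["recipient"] = (msg.get("X-GB-To") or "").strip()
    return info


def sender_domain_matches_origin(info: dict) -> bool:
    """True when the sender's mail domain is the originating host or a parent of it.

    The documentation notes the two need not match, so a mismatch is something
    to log for review rather than grounds for an automatic reject."""
    sender_domain = info["sender"].rpartition("@")[2].lower()
    origin = info["origin_host"].lower().rstrip(".")
    return bool(sender_domain) and (
        origin == sender_domain or origin.endswith("." + sender_domain)
    )


if __name__ == "__main__":
    parsed = parse_gb_headers(SAMPLE_MESSAGE)
    print(parsed)
    print("sender domain matches origin:", sender_domain_matches_origin(parsed))
```

With the constructed message, the originating host is domain.example.com while the sender claims sendexample.com, so the comparison reports a mismatch; that is exactly the case the documentation warns can be legitimate.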

GTA recommends that the host name be a fully qualified domain name (FQDN), as in the example above. The firewall host name is entered in the HOST NAME field of the Basic Configuration/Network Information section.

RDNS

Selecting the option "Reject if RDNS fails" performs a Reverse DNS lookup on the IP address of the remote host trying to make an SMTP connection, and then compares it to a DNS lookup of the returned host name. If the lookup fails or doesn't match, the connection is refused. RDNS requires a defined DNS Server to function correctly.
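The check described here, and again under the "Reject if RDNS fails" field below, is forward-confirmed reverse DNS. The following is an added example (not the firewall's own code) of the decision logic, with the two DNS lookups injected as functions so it runs offline against constructed PTR and A records; a real deployment would query the DNS server configured for the firewall. The three failure cases the text mentions (no PTR, PTR name with no forward record, forward record that does not match the connecting address) each refuse the connection with a reason suitable for the log.

```python
import ipaddress

# Constructed DNS data for the example (not real zone data).
PTR_RECORDS = {
    "192.0.2.10": "mail.sender.example",       # well-configured host
    "192.0.2.20": "mx.misconfigured.example",  # PTR exists, forward record disagrees
    # 192.0.2.30 has no PTR record at all
}
A_RECORDS = {
    "mail.sender.example": ["192.0.2.10"],
    "mx.misconfigured.example": ["198.51.100.5"],
}


def reverse_lookup(ip: str):
    """Stand-in for a PTR query: returns the host name or None."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str):
    """Stand-in for an A query: returns the list of addresses (possibly empty)."""
    return A_RECORDS.get(name, [])


def rdns_check(ip: str, reverse=reverse_lookup, forward=forward_lookup) -> tuple:
    """Forward-confirmed reverse DNS as the "Reject if RDNS fails" option describes.

    Returns (accept, reason). The connection is refused when the PTR lookup
    fails, when the returned name has no address records, or when none of
    those addresses equals the connecting IP."""
    ipaddress.ip_address(ip)  # reject malformed input before doing any lookup
    name = reverse(ip)
    if not name:
        return False, f"no PTR record for {ip}"
    addresses = forward(name)
    if not addresses:
        return False, f"PTR name {name} has no forward record"
    if ip not in addresses:
        return False, f"{name} resolves to {addresses}, not {ip}"
    return True, f"{ip} <-> {name} confirmed"


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        accept, reason = rdns_check(peer)
        print("accept" if accept else "refuse", peer, "-", reason)
```

The second constructed host shows why the documentation warns about mis-configured DNS: its PTR record is present but points at a name whose forward record disagrees, so a sender that is otherwise legitimate is refused while the option is enabled.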

Enable Select to enable the Email Proxy. Disabled by default.

Primary email server Host name (if using an internal DNS server) or IP address of your email server. The primary email server must reside either on the PSN or Protected Network for the Email Proxy to operate.

Alternate email server Host name (if using an internal DNS server) or IP address of any alternative email server.

Timeout Time to wait between each SMTP command exchange. Default is 120 seconds.

Maximum Number of simultaneous SMTP connections to run. Others are deferred until a connection is available. Each connection invokes a copy of the SMTP proxy facility.

Domains to Accept

Domain List Enter domains from which you wish to accept email. Separate domains with a white space (blank or tab) or a comma. May be used in conjunction with the MX option. When using the option, connections are only accepted for domains specified in this list and/or that rely on DNS MX records assigned to IP addresses on the External interface.

Match against MX Makes a DNS MX (Mail Exchanger) record query that tries to match the domain in the To: portion of an email header to a domain assigned to the proxy's IP address. The email is rejected if there is no match, preventing the site from being used to relay email to other sites.
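As an added example (not the firewall's own code), the following Python models the two Domains to Accept settings together: it splits the Domain List field on blanks, tabs or commas, and, when Match against MX is enabled, accepts a recipient domain whose MX host resolves to the proxy's External-interface address. Anything else is refused, which is the relay-prevention behaviour the text describes. The MX and A records and the External address 203.0.113.25 are constructed for the example, and the DNS queries are plain dictionary lookups in place of a live resolver.

```python
import re

# Constructed DNS data (invented, not a real zone): MX records per domain
# and A records per mail host.
MX_RECORDS = {
    "yourcompany.com": ["gtafirewall.yourcompany.com"],
    "partner.example": ["mx1.partner.example"],
}
A_RECORDS = {
    "gtafirewall.yourcompany.com": ["203.0.113.25"],
    "mx1.partner.example": ["198.51.100.9"],
}
# Assumed address of the proxy on the External interface (constructed).
PROXY_EXTERNAL_IPS = {"203.0.113.25"}


def parse_domain_list(text: str) -> set:
    """Split the Domain List field: blanks, tabs or commas separate entries."""
    return {d.lower().strip(".") for d in re.split(r"[\s,]+", text) if d.strip(".")}


def recipient_domain(address: str) -> str:
    """Domain part of a RCPT TO address, normalised for comparison."""
    return address.rpartition("@")[2].lower().strip(".")


def mx_points_at_proxy(domain: str,
                       mx=lambda d: MX_RECORDS.get(d, []),
                       a=lambda h: A_RECORDS.get(h, [])) -> bool:
    """True when any MX host for the domain resolves to one of the proxy's IPs."""
    return any(ip in PROXY_EXTERNAL_IPS for host in mx(domain) for ip in a(host))


def accept_recipient(rcpt: str, domain_list: str, match_mx: bool) -> bool:
    """Accept or refuse a recipient per the Domains to Accept settings.

    Accept if the domain is in the list, or (when Match against MX is on) if
    the domain's MX resolves to this proxy; everything else is refused so the
    site cannot be used to relay mail to other sites."""
    domain = recipient_domain(rcpt)
    if domain in parse_domain_list(domain_list):
        return True
    return bool(match_mx and mx_points_at_proxy(domain))


if __name__ == "__main__":
    for rcpt in ("user@yourcompany.com", "user@partner.example", "user@subsidiary.example"):
        print(rcpt, "->", "accept" if accept_recipient(rcpt, "subsidiary.example", True) else "refuse")
```

Note that partner.example is refused even though it has a valid MX record: its mail exchanger is another site's host, so accepting it would make this proxy a relay for that domain.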
Email to Block

RDNS will not function correctly without a defined DNS Server. Some legitimate hosts may have mis-configured DNS entries; these hosts will not be able to deliver to your domain.

Reject if RDNS fails Performs a Reverse DNS lookup on the IP address of the remote host trying to make an SMTP (Simple Mail Transfer Protocol) connection, and then compares it to a DNS lookup of the returned host name. If the lookups fail or don't match, the connection is refused.

Maximum size Enter the maximum size (in kilobytes) of email message that will be accepted by the proxy. A value of zero (0) means the email proxy will have no size restrictions. This facility is designed to prevent email bombs (extremely large attachments that consume disk space and cause problems for email clients).
 

Mail Abuse Prevention

Providers listed in Mail Abuse Prevention maintain lists of hosts and domains known to transmit or generate spam. These are only a sample of the many lists available; you may enter other providers in lieu of the default providers listed. Some lists require a subscription; for more information, go to the provider's website.

MAP1 relays.orbd.org. Open Relay DataBase www.orbd.org

MAP2 list.dsbl.org. Distributed Server Boycott List www.dsbl.org

MAP3 blackholes.mail-abuse.org* www.mailabuse.org

MAP4 relays.mail-abuse.org* www.mailabuse.org

* Mail Abuse Prevention System LLC lists require a subscription.
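The RBL check described under Unsolicited Email works by turning the connecting IP address into a DNS name under each enabled list zone and looking it up; a listed address answers with an A record in 127.0.0.0/8, an unlisted one gets NXDOMAIN. The following is an added example (not the firewall's code) of that mechanism over the four default zones above, with a dictionary standing in for live DNS answers so it runs offline. The listing data is constructed; in a real lookup the subscription-only zones return nothing unless the provider has authorised the resolver.

```python
import ipaddress

# Zones from the documentation's default list (the trailing dot is dropped
# for lookup).
DEFAULT_ZONES = [
    "relays.orbd.org",
    "list.dsbl.org",
    "blackholes.mail-abuse.org",
    "relays.mail-abuse.org",
]

# Constructed listing data standing in for live DNS answers (invented).
CONSTRUCTED_LISTINGS = {
    "5.100.51.198.relays.orbd.org": "127.0.0.2",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(name: str):
    """Stub resolver: returns the A record text, or None for NXDOMAIN."""
    return CONSTRUCTED_LISTINGS.get(name)


def check_source(ip: str, zones=DEFAULT_ZONES, resolve=lookup) -> list:
    """Return (zone, answer) pairs for every zone that lists the connecting IP.

    An empty list means no enabled list knows the address. Only answers inside
    127.0.0.0/8 count as listings, which guards against a zone that has been
    hijacked or wildcarded to return unrelated addresses."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits.append((zone, answer))
    return hits


def proxy_decision(ip: str) -> str:
    """Log line mirroring the proxy's behaviour on a match: log and reject."""
    hits = check_source(ip)
    if hits:
        zones = ",".join(zone for zone, _ in hits)
        return f"reject {ip} listed in {zones}"
    return f"accept {ip}"


if __name__ == "__main__":
    for peer in ("198.51.100.5", "192.0.2.1"):
        print(proxy_decision(peer))
```

The query-name construction is the part worth getting right: reversing the octets of 198.51.100.5 gives 5.100.51.198, and the zone is appended to that, so a mistake in the ordering silently turns every lookup into NXDOMAIN and the list stops rejecting anything.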

Default Email Proxy Settings

To configure an email proxy with default settings, enter the mail server's internal IP address in the Primary email server field. (Typically, a mail server will be on the PSN or Protected Network.) Enable and save the email proxy.

Default Remote Access Filter

Email Proxy requires a Remote Access Filter to allow access to the network for protocol TCP on port 25. To create a filter (once Email Proxy has been enabled), auto-configure filters using the Default button. The filter is similar to the following:

Description Allow connections to email proxy.

Type Accept

Interface Name of External Physical Interface

Authentication required (Deselect)

Protocol TCP

Source Object ANY_IP

Destination Object ANY_IP

Destination Port 25

Limit Inbound Email using Custom Filter

Port TCP/25 accepts SMTP proxy connections on all IP addresses, therefore the Email Proxy will respond on any IP address that has port 25 open. The auto-configure filter limits that access to IP addresses on the logical External interface by using the EXTERNAL object in the Interface field.

To further limit the IP addresses accessed by SMTP, create a custom remote access filter that allows access only to a specific IP address, address object or IP alias on the physical External interface.

The logical name of the selected External interface can also be selected as an Interface Object, limiting the access only to the assigned External IP address on the physical interface.

Description Allow connections to email proxy only through specified IP alias/IP address.

Type Accept

Interface (Name of selected external physical interface)

Authentication required (Deselect)

Protocol TCP

Source Object ANY_IP

Destination Object (IP address, Interface Object or IP alias)

Destination Port 25

Caution

IP address that receives mail for the Email Proxy should not be used in an inbound tunnel on TCP port 25. A tunnel on port 25 using this IP address will bypass the Email Proxy.

Note

When creating a custom filter, remember that it must be placed before the final block filter that denies all other access to all interfaces.

Note

If "Reject if RDNS fails" is selected, legitimate hosts with mis-configured DNS entries will not be able to deliver to your domain.
