Gatekeeper 5 issues, smtp silently dropped

nemo
nemo W/ Alumni Posts: 7 Security Scout

I'm using Gatekeeper 5.22.14 with HF 1 (well, I hope so; it's exceedingly hard to find out the version number of Gatekeeper in the 5.x versions).

I used a new host for distribution of mail, but that didn't work. Quite a long time later I had reduced all options to the possibility that Gatekeeper maintains a list of allowed hosts for smtp. I tried the configuration frontend, but there is nothing. I tried

https://community.f-secure.com/t5/Business/SMTP-transfer-denied-with-error/ta-p/21042

, but a lot of that info is misleading or wrong.

- Mail doesn't get denied with an error message, instead the connection is silently dropped.

- The "Hosts and networks within LAN" settings don't determine who can use smtp, they seem to determine who mail can be delivered to.

- instead I had to manually edit /opt/f-secure/fsigk/conf/fsigk.ini at the smtp_from= section, hope the syntax was alright and force a regeneration of the /opt/f-secure/fsigk/conf/hosts.allow via editing sth in the frontend and hoping nothing gets lost.

 

It would be nice if the "improved" web frontend (which in my opinion is quite a bit less usable than the 4.x one) would tell me the Gatekeeper version and allow for editing of the access list.

Reading the admin guide I'm under the impression everything below the "Quarantine" checkbox on the smtp LAN access settings page is missing completely...

 

Also, since the hosts.allow tells me it gets generated, it would be nice to find info on how  to trigger that generation.

Comments

  • adammo
    adammo W/ Alumni Posts: 4 Security Scout

    Thank you for posting to our Community page.

     

    Regarding your inquiry about missing settings, unfortunately there are some limitations on the new WEBUI of Internet Gatekeeper 5.xx that settings such as 'Access control' are no longer available on WEBUI. However, you are still able to use those settings by editing the 'fsigk.ini' manually.

     

    For example, here is the correct procedure of changing the 'Access control' setting of SMTP proxy function to only accept connections from the designated list of hosts.

     

    [Procedure]

    1. Open the setting file.

        /opt/f-secure/fsigk/conf/fsigk.ini

     

    2. Change the following parameters.

        [smtp]

        acl_from= yes/no       → to enable/disable the setting    
      smtp_from=                 → set the list of hosts to allow

     

    3. Run the following command to apply the changes.

        # /opt/f-secure/fsigk/libexec/fsigk-reload.sh

     

    For more information, please refer to the admin guide (Page 42-43, 'Access control') below.

    https://download.f-secure.com/corpro/igk/current/fsigk-5.30-adminguide-eng.pdf

     

    As for the version number of Internet Gatekeeper 5.xx, basically you can check it from the WEBUI by going to 'System information', click on the 'Status' tab and check the information which is displayed at 'Product version'. Alternatively, you may also check the product version by checking the information of 'version=' parameter inside the setting file (/opt/f-secure/fsigk/conf/fsigk.ini).

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    > I'm using Gatekeeper 5.22.14 with HF 1

     

    It may be worth checking FSAV IGK LNX 5.30.75, which is now available in both installable doftware and appliance format. It is a major version upgrade.

     

    BR, Tamas Feher, Hungary.

  • nemo
    nemo W/ Alumni Posts: 7 Security Scout

    5.30 and the admin guide weren't available when I started to work on the problem, and yeah, like I wrote, editing the fsigk.ini proved to be the solution (there are some inconsistencies regarding the list format in these files, but that seems to be silently corrected).

     

    Thanks for the hint on the generation.

     

    Regarding the product version: That's what I tried. With my v. 5.22(?), the product version there is just called "build" (see screenshot). v5.30 might show a version number there. I'll check.

    (The version in the fsigk.ini is btw recorded as "version=407" which should be bogus.)

     

    version_522.jpg

  • nemo
    nemo W/ Alumni Posts: 7 Security Scout

    Thanks for the hint about 5.30. I'll try and accept that as solution if it solves some issues.

     

    Update: I tried to install 5.30, but that didn't work. I installed 4.07 from the .deb file, then upgraded through the years; last upgrade was to 5.22 via .tar.gz and Makefile I believe. For 5.30 I only found an rpm, and that gives me

     

     

    error: Failed dependencies:
            glibc is needed by fsigk-5.30.75-0.i386
            perl is needed by fsigk-5.30.75-0.i386
            bash is needed by fsigk-5.30.75-0.i386
            /bin/sh is needed by fsigk-5.30.75-0.i386

     Of course, everything is there. I guess it's sth with a 32bit system on a 64bit server (which wasn't an issue ever before). I'll try with a 32bit server.

     

    Update II: Ok, got it running. However, the frontend doesn't seem to have improved regarding the ip configuration. (However the version number is visible now.)

This discussion has been closed.