Gatekeeper for Linux is an Open relay

Ronin
Ronin W/ Alumni Posts: 2 Security Scout

Hello,


As far as I see this topic was already discussed here:

https://community.f-secure.com/t5/Business/F-Secure-Protection-Server-Open/td-p/24162

I will appreciate additional info on this matter.

The SMTP proxy of my Gatekeeper for Linux is functioning as an open relay and I have no clue how to disable it.

Besides checking with mxtoolbox.com, I verified it manually as well:

###

[root@mytestmachine ~]# telnet mail.mydomain.si 25
Trying 146.212.255.6...
Connected to mail.mydomain.si.
Escape character is '^]'.
220 fsecure.inles.si F-Secure/fsigk_smtp/530/fsecure.mydomain.si
helo mail.mydomain.si
250 mail.mydomain.si
mail from: my.test1@gmail.com
250 2.1.0 Ok
rcpt to: my.test2@gmail.com
250 2.1.5 Ok
data
354 Enter mail (F-Secure/fsigk_smtp/530/fsecure.mydomain.si)
testing mail 03
.
250 2.0.0 Ok: queued as 98F28762F5

###

I attempted to block it with custom filter rules, but with no luck.

Also I read on a forum that there is supposed to be an option called "Restrict LAN access" in the smtp proxy settings. I'm unable to locate this option in my Gatekeeper web panel.

I'm using CentOS 6.6 and F-Secure 5.

Thanks in advance for the response.
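
The manual test above can be turned into a repeatable check over a captured session. The following Python sketch is an added example, not part of the original post and not F-Secure code: it reports messages that were queued although neither the envelope sender nor the recipient belongs to a local domain. The transcript, host names and the `local_domains` parameter are constructed assumptions.

```python
import re

# Constructed transcript modelled on the manual test above; all names are placeholders.
SAMPLE = """\
220 gw.example.test F-Secure/fsigk_smtp
mail from: outsider1@sender.example
250 2.1.0 Ok
rcpt to: user@mydomain.example
250 2.1.5 Ok
rcpt to: outsider2@elsewhere.example
250 2.1.5 Ok
data
354 Enter mail
250 this body line must not be parsed as a reply
.
250 2.0.0 Ok: queued as 0000000000
"""

ADDR = re.compile(r"([^\s<>:]+@[^\s<>]+)")
FINAL_REPLY = re.compile(r"^(\d{3})(?: |$)")  # last line of a (possibly multi-line) reply

def relayed_recipients(transcript, local_domains):
    """Return [(sender, recipient)] for queued mail where neither side is a local domain."""
    local = {d.lower() for d in local_domains}
    def is_local(addr):
        return bool(addr) and addr.rsplit("@", 1)[1].lower() in local
    findings, sender, rcpts, pending, in_data = [], None, [], None, False
    for line in transcript.splitlines():
        line = line.strip()
        if in_data:                       # message body: skip until the lone "."
            if line == ".":
                in_data, pending = False, "."
            continue
        m = FINAL_REPLY.match(line)
        if not m:
            if not re.match(r"\d{3}-", line):   # ignore "250-" continuation lines
                pending = line            # client command waiting for its reply
            continue
        code, cmd, pending = m.group(1), (pending or "").lower(), None
        addr = ADDR.search(cmd)
        if cmd.startswith("mail from") and code[0] == "2":
            sender, rcpts = (addr.group(1) if addr else None), []
        elif cmd.startswith("rcpt to") and code[0] == "2" and addr:
            rcpts.append(addr.group(1))   # only recipients the server accepted
        elif cmd == "data" and code == "354":
            in_data = True
        elif cmd == "." and code[0] == "2" and not is_local(sender):
            findings += [(sender, r) for r in rcpts if not is_local(r)]
    return findings
```

A finding only indicates an open relay if the session was captured from an external, unauthenticated host; the same exchange from a trusted internal address is normal behaviour.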

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    Some weeks ago I got this explanation from F-Secure support for a similar question:

     

    Q: How to restore open relay protection strength, after IGK installation on a server running Postfix?

     

    A: "The implementation will be different based on what the customer's system administrator is considering to do. For example, if they would like to filter by IP addresses, they can actually use firewall function to filter incoming traffic. By doing this, unwanted traffic would not reach service and no configuration is needed at IGK side.

    Another option is to use IGK in "transparent mode" which would require:
    1. configuring proxy by using 'transparent=yes' and
    2. adding iptables NAT rule to redirect the incoming SMTP traffic to IGK.
    (Note: there might be an issue with this approach if Postfix is listening on '127.0.0.1' where the kernel probably does not allow traffic from Internet to "localhost", depending on the kernel version and configuration. To solve this, IGK and Postfix could run on different hosts or Postfix could listen on some other IP addresses.)"

     

    Yours Sincerely: Tamas Feher, Hungary.

  • Ronin
    Ronin W/ Alumni Posts: 2 Security Scout

    Hello,

    Thanks for the reply, but it looks like transparent mode didn't help.

     

    I've set it in the [smtp] section of /opt/f-secure/fsigk/conf/fsigk.ini, since I didn't find how to set it using the WebUI. I also restarted fsigk_smtp afterwards.

     

    IGK still functions as an open relay.

This discussion has been closed.