Bugtraq mailing list archives

[Fwd: RE: UPDATE: [wcolburn () nmt edu: SMTP relay through checkpoint fire wall]]


From: "Corey J. Steele" <csteele () good-sam com>
Date: 25 Feb 2002 15:39:02 -0600

This was off-list discussion, but I suspect it may be useful for others
on the list.

-C
-- 
Information Security Analyst
Good Samaritan Society
e-mail: csteele () good-sam com
voice: (605) 362-3899
PGP Key fingerprint = 564F 2A97 2ADA F492 F34C  8E4A 12AF 9DC3 400E 2DD6
--- Begin Message ---
From: "Corey J. Steele" <csteele () good-sam com>
Date: 25 Feb 2002 15:26:16 -0600
Well... 

[csteele@ws47619 csteele]$ telnet viruswall 8080
Trying XXX.XXX.XXX.XXX...
Connected to viruswall.
Escape character is '^]'.
CONNECT mailserver:25 / HTTP/1.0

HTTP/1.0 403 Forbidden
Server: Squid/2.3.STABLE4
Mime-Version: 1.0
Date: Mon, 25 Feb 2002 21:55:38 GMT
Content-Type: text/html
Content-Length: 729
Expires: Mon, 25 Feb 2002 21:55:38 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from viruswall
Proxy-Connection: close

<HTML><HEAD>
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR>
<P>
While trying to retrieve the URL:
<A HREF="mailserver:25">mailserver:25</A>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Access Denied.
</STRONG>
<P>
Access control configuration prevents your request from
being allowed at this time.  Please contact your service provider if
you feel this is incorrect.
</UL>
<P>Your cache administrator is <A HREF="mailto:webmaster";>webmaster</A>.


<br clear="all">
<hr noshade size=1>
Generated Mon, 25 Feb 2002 21:55:38 GMT by viruswall (Squid/2.3.STABLE4)
</BODY></HTML>
Connection closed by foreign host.


We have VirusWall listening on port 8080, and then sending
non-viruslaced requests to a SmartFilter-enabled SQUID proxy.  All
systems are Linux based -- most are Red Hat 6.2, with latest applicable
patches.  We built squid ourselves to include SmartFilter.

Hopefully this helps... 

Best Regards
-C

On Mon, 2002-02-25 at 14:49, Peter Bieringer wrote:
Hi

--On Friday, February 22, 2002 07:57:33 AM -0600 "Corey J. Steele"
<csteele () good-sam com> wrote:

Trend's Interscan 3.6 running on Linux is not vulnerable to this
(we are using Interscan in conjunction with squid.)

Are you sure? I've tested 3.6 Build 1182 and I found it's proceeding
CONNECT without any problems, also to a remote mailserver:

# telnet viruswall 80
Trying 1.2.3.4...
Connected to viwa.
Escape character is '^]'.
CONNECT mail.server.com:25 / HTTP/1.0

HTTP/1.0 200 Connection established
Proxy-agent: InterScan 2.0

220 mail.server.com ESMTP
mail from: <user () domain com>
250 ok
rcpt to: <user () domain com>
250 ok
data
354 go ahead
test
.
250 ok 1014669994 qp 21827
quit
221 mail.server.com
Connection closed by foreign host.


The only thing is that you have to type the CONNECT line quickly so
use "nc" or copy and paste for that.

You can solve this if you are using squid as dispatcher and bypass
Interscan for CONNECT (which we do on a customer installation).


        Peter


--- End Message ---
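
A defender-side check for the behaviour shown in the two telnet sessions above, added here as an example and not part of the original thread: it scans Squid native-format access.log lines for CONNECT requests to ports outside an allow-list and separates tunnels the proxy opened (2xx) from ones it refused. The log lines are constructed, and the allow-list of ports 443 and 563 is an assumption.

```python
import re

# Ports a CONNECT tunnel may legitimately reach (assumption: HTTPS and NNTPS only).
ALLOWED_CONNECT_PORTS = {443, 563}

# Squid native access.log: time elapsed client action/status bytes method URL ...
LOG_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_connect_target(url):
    """Split a CONNECT authority ('host:port' or '[v6]:port') into (host, port)."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None  # no usable port: caller treats it as not allowed
    return host.strip("[]"), int(port)

def audit(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return findings for CONNECT requests to ports outside the allow-list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "CONNECT":
            continue
        host, port = parse_connect_target(m["url"])
        if port in allowed:
            continue
        # 2xx means the proxy opened the tunnel; anything else was refused.
        verdict = "TUNNELLED" if m["status"].startswith("2") else "blocked"
        findings.append((verdict, m["client"], host, port))
    return findings

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
1014674138.412     12 10.1.1.20 TCP_DENIED/403 1050 CONNECT mailserver:25 - NONE/- text/html
1014674201.007   5310 10.1.1.20 TCP_MISS/200 412 CONNECT mail.example.com:25 - DIRECT/192.0.2.25 -
1014674260.550    830 10.1.1.31 TCP_MISS/200 9120 CONNECT www.example.com:443 - DIRECT/192.0.2.80 -
1014674300.100     95 10.1.1.31 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
""".splitlines()

if __name__ == "__main__":
    for verdict, client, host, port in audit(SAMPLE_LOG):
        print(f"{verdict:9} {client} -> {host}:{port}")
```

A "TUNNELLED" finding on port 25 corresponds to the `200 Connection established` session in the thread; "blocked" corresponds to the `403 Forbidden` one.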
