Re: SMTP A/V Design

["Matt McClung" <mmcclung () ndwcorp com>]

I have been looking/working this problem and I think I have found a
solution.  At least one that I am going to be testing fairly soon -(as soon
as I get the testing equipment).  I am going to have a mail relay host
running sendmail that will also perform the A?V checking at the same time.
The sever will then relay the mail back to my internal mail server for
internal delivery.  No CVP, one box - we'll see!

When I have results, I'll post them here.


Matt McClung, CCSA/CCSE
Net.Works Security Engineer
mmcclung () ndwcorp com

-----Original Message-----
From: Rodney van den Oever <roever () nse simac nl>
To: Matt McClung <mmcclung () ndwcorp com>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, February 23, 1999 2:54 AM
Subject: Re: SMTP A/V Design


> At 12:51 16-02-1999 -0700, Matt McClung wrote:
> > 1.  Internet email for x company is first identified at the firewall.
> > 2.  The firewall knows to pass SMTP traffic to a A/V scanning server,
which
> > it does
> > 3.  The A/V Servers finds nothing and sends back the message information
to
> > the firewall
> > 4.  The firewall then allows the email to the mail relay server on it
> > service network (MX)
> > 5.  The Mail relay server (running sendmail) scans the envelope and other
> > information to
> >    determine if the email is for a domain it is accepting mail for...
> > 6.  The mail relay host delivers mail to an internal SMTP server for final
> > deliver to the
> >    email system.
> >
> > Questions:  This almost seems like its too complicated with the seperate
A/V
> > Server and mail relay host.  The delivery time is not the main concern,
but
> > rather the complexity and the steps the messages takes to finally get
> > delivered.
> >
> > Anyone created such a beast?  Because of the software (A/V) you have only
a
> > small choice of platforms, as well as the relay host.  Therefore, you
almost
> > have to have something like this.
> >
> > Of course, this assumes that your company policy is to scan the email
before
> > it is allowed into the internal network (good idea).  Otherwise you could
do
> > desktop scanning, or mail server scanning.
> >
> > INFO:
> > The FW is FW-1 using CVP.  The A/V server is NT running an A/V application
> > to check SMTP and the mail relay host is a Sun Ultra running sendmail
8.9.x
> Why not:
> 1. Accept incoming mail (by MX) to the A/V-server on the service network.
> Because you're already proxying SMTP twice (A/V + Sendmail), I don't see
> any use for CVP. Also: I'd rather force all mail through the A/V-server
> rather than thrust CVP to decide on the content.
>
> 2. Place the mail relay on the service network as well and let the
> A/V-server forward all mail to the mail relay directly, without
> intervention of the firewall. Depending on the capabilities (mail routing,
> anti-spam, rewriting) of the A/V-server (I only have experience with
> MIMEsweeper) you might be able to skip the mail relay and let the
> A/V-server handle everything.
>
> 3. Then allow the mail relay (or A/V-server, if my above suggestion is
> acceptable) to exchange SMTP with the internal mailserver or gateway.
>
> ?
>
> > Matt McClung
> > Net.Works Security Engineer
> > mmcclung () ndwcorp com
> --
> Rodney van den Oever / 0x06 3547CA1 / PGP Key ID 0x0A6CCE53
> 'Software is like sex; it's better when it's free' - Linus Torvalds