SMTP Proxy Configuration.

Configuration of mail services is one of the most important services on your Firewall, so a misconfiguration can cause random problems with SMTP mail services which you want to avoid. It is strongly recommended you configure the packet filter "filtered-SMTP" first to ensure functionality and, once verified, switch to the SMTP proxy. Also remember that if you do not host your own email server behind the Firebox, using the SMTP proxy is not recommended, as it will have no effect since someone else is hosting your email services.

This example assumes you are in a proper routed mode with the Firebox holding the public IP 66.44.15.2 and the private network being 192.168.50.x.

Note: Always use the external IP of the Firebox to NAT in your SMTP traffic. If you use an alias IP on the external interface, the mail server will receive SMTP on the alias but send SMTP traffic from the external IP of the Firebox unless you have configured a 1-1 NAT. This will cause problems sending mail, as the remote mail server may have anti-spam measures, and since your email will be coming from an IP which has no MX record, it may be denied. If you must use an alias and do not use 1-1 NAT, make sure to have your DNS provider add a secondary MX record pointing to the external IP of the Firebox.

The following explains how to configure filtered-SMTP incoming on a Firebox with an external IP of 66.44.15.2. The mail server in this example has a private IP of 192.168.50.2. The use of a single network card on the mail server with a default gateway of the Firebox trusted IP is always recommended. Open Policy Manager and click the + symbol to add a service, then add the "filtered-SMTP" service located under the Packet Filters folder.
Click the "add" button, then click OK to accept the default service name, and the service properties will be displayed. Change incoming to "Enabled and allowed".
In the "To:" field, click the Add button, then click the NAT button and the dialog box below will be displayed.
The external IP is automatically put into the external IP address field so you will just need to enter the internal IP address. In this example it is 192.168.50.2. Click OK, then OK again on the "add address" dialog and the incoming is completed as below. Note: All incoming services on a routed mode Firebox are allowed incoming using the Add>NAT function described here.
Click on the outgoing tab and it will already be configured to allow outgoing traffic from ANY to ANY. This can be left unchanged unless you wish to restrict the outgoing "from" IP to the mail server IP of 192.168.50.2. It is recommended you leave this as is though. Below is the outgoing tab view.
Click OK and the configuration is complete. Save the changes to the Firebox. Verify your mail server can connect out by opening a command prompt and typing: telnet mail.watchguard.com 25. If you receive the message "220 SMTP ready", then the mail server is functioning outbound. Once you have made sure the MX record for your domain is pointing to the external IP of the Firebox (in this case 66.44.15.2), someone external to the Firebox can also test the same command towards you, and this should always be tested before you assume it is not working; in this case: telnet 66.44.15.2 25. If the external user receives a SMTP ready message, it is functioning. Send yourself a test mail from another domain or a free webmail account to test it. If you don't receive the email but the telnet command from external functioned, this rules out the Firebox as a possible problem, so verify with the provider of your DNS services that the MX record is pointed to the external IP of the Firebox.
Switching to the SMTP proxy. If you have already tested the function by using a filtered-SMTP service, then you are ready to add the SMTP proxy. Note: ESMTP will not pass outgoing on the Firebox unless you follow the instructions below and use filtered-SMTP for outgoing mail and the proxy only for incoming mail. If you use the proxy for outgoing mail connections you will also be limited to 20 open outgoing SMTP connections at one time, so it is best to do it in this manner. First, edit the filtered-SMTP service and rename it to "SMTP-Outgoing". Policy Manager uses standard Windows name editing: click the name of the service, wait 3 seconds so it won't register as a double click, click again to edit the name, and then click outside the highlighted box to commit the name change. After changing the name, double click the service and set its "Incoming" tab to "Disabled". We are using this service for outgoing mail only, so we do not want the incoming properties to affect the configuration at all. Leave the other settings as they are, so the outgoing properties remain at "any to any", enabled and allowed. Click OK and only a single green dot will show next to your edited "Outgoing-SMTP" policy.
Now it's time to add the SMTP proxy. Click the + symbol to add a service and add the "SMTP" service located under the Proxy folder.
Click "add" and change the default name given to "Incoming-SMTP".
Click OK and the incoming properties will be displayed as below.
In the "To:" field, click the Add button, then click the NAT button and the dialog box below will be displayed.
The external IP is automatically put into the external IP address field so you will just need to enter the internal IP address. In this example it is 192.168.50.2. Click OK, then OK again on the "add address" dialog and the incoming is completed. Now click on the "Outgoing" tab and set it to "Disabled".
Remember we want this setup configured so that it proxies incoming mail but uses a packet filter to send mail. The last configuration for the proxy is on the "Properties" tab. All proxy services have such a tab, which gives you the additional settings of a proxy service. Click on the Properties tab and you will see the options below.
Now click on the "Incoming" button. (We are not going to proxy outgoing mail so all we need to configure is Incoming).
We will start with the "General" tab. The only value you should change is the "Maximum size", which is the largest email you can receive. The limit is 30000 (30MB) including any attachments. You can set this to whatever size limit you wish to enforce. Next is the "Line Length", which is simply how many lines can be sent between a <CR> in a SMTP transmission. 2000 seems to be better than the default of 1000 in my experience. Next click on the "ESMTP" tab and check ONLY the "Allow AUTH" checkbox. This is the optimal setting for most mail servers.
Next click on the "Content Types" tab. Note: If you are familiar and confident with content type blocking, then you need to add all MIME types you wish to allow through the Firebox via SMTP. You cannot select things to block, as this would be ineffective since someone could just make a new type and it would pass. But be aware that many mail servers will improperly encode email. If this happens, you will lose email attachments if the type sent is not included in this list. The recommended method below removes this potential problem by allowing all MIME types, but retains the protection of removing file attachments which are not desired based on their file extension. Executables, scripts, and other common attachment file extensions which carry virus payloads are on the "deny attachment based on these file name patterns" block list by default. Review the "deny attachment based on these file name patterns" block list if you need to allow any of them. Next remove all entries under "Content Types", leaving the "Content Types" box checked, and click "Add".
Next select "New Type"
Enter */* for the MIME type and for the description type "All" and click OK. Now the MIME type with wildcards will be in your "Select MIME type" list so all MIME types will be allowed if you add this new MIME type.
Add the new MIME type of */* to your list by double clicking it and the dialog box will disappear and your screen will look as it does below.
If you wish you can click on the "Logging" tab and ensure that "Log accounting/auditing information" is checked. If you have enabled a WSEP loghost, this will log additional data about SMTP transactions such as who it came in from, time, and its size. The only way to view this data is by running a report using historical reports. Review the manual for how to create a historical report if you desire to do this. Click OK and then OK again on the service itself and you will be back on your policy manager screen similar to the below configuration depending on what other services are in your configuration.
In this example the configuration is complete. Save the changes to the Firebox and verify mail is passing incoming and outgoing. Verify your mail server can connect out by opening a command prompt and typing: telnet mail.watchguard.com 25. If you receive the message "220 SMTP ready", then the mail server is functioning outbound. Once you have made sure the MX record for your domain is pointing to the external IP of the Firebox (in this case 66.44.15.2), someone external to the Firebox should test with the same command towards you; in this case: telnet 66.44.15.2 25. If the external user receives a "220 SMTP ready" message, it is functioning. Note that, unlike the filter, the SMTP proxy hides the type and version of mail server you are running and gives you extra protection from would-be mail hijackers. Send yourself a test mail from another domain or a free webmail account to test it. You can even test the attachment stripping by naming a file .exe or another denied type and attaching it to your test email. If you configured it properly you will receive the email minus the attachment. If it does not function, verify with telnet as above from an external internet connection that incoming SMTP functions. If this responds, it rules out the Firebox as a possible problem, so verify with the provider of your DNS services that the MX record is pointed to the external IP of the Firebox.
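The telnet checks above (for the filtered-SMTP service and again for the proxy) can be scripted. The following is an added example, not part of this guide or WatchGuard's tooling: it reads the 220 greeting, sends EHLO, and reports whether the greeting names a mail server product (which the packet filter passes through unchanged but the proxy hides) and which ESMTP extensions, such as AUTH, the server advertises. The default host name and the list of product markers are assumptions; the parsing functions work on constructed replies so they can be exercised offline.

```python
import socket

# Heuristic markers of a greeting that reveals the mail server software (assumption).
LEAK_MARKERS = ("exchange", "sendmail", "postfix", "exim", "microsoft", "version")

def parse_reply(raw):
    """Split a single- or multi-line SMTP reply into (code, [text lines])."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    if not lines or not lines[-1][:3].isdigit():
        raise ValueError("malformed SMTP reply: %r" % raw)
    return int(lines[-1][:3]), [l[4:] for l in lines]

def banner_leaks_software(banner_text):
    """True when the 220 greeting names a product or version; a proxied server
    is expected to answer with a neutral greeting such as "220 SMTP ready"."""
    lowered = banner_text.lower()
    return any(marker in lowered for marker in LEAK_MARKERS)

def ehlo_extensions(texts):
    """Extension keywords advertised in an EHLO reply (first line is the host greeting)."""
    return [t.split()[0].upper() for t in texts[1:] if t.strip()]

def read_reply(sock):
    """Read until a line of the form 'NNN text' (space after the code) ends the reply."""
    data = b""
    while not any(len(l) > 3 and l[3:4] == b" " for l in data.split(b"\r\n")[:-1]):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("utf-8", "replace")

def check_smtp(host, port=25, timeout=10):
    """Connect, read the greeting, send EHLO then QUIT, and report what the server exposed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, banner = parse_reply(read_reply(sock))
        sock.sendall(b"EHLO probe.example\r\n")  # probe.example is a placeholder name
        ecode, ehlo = parse_reply(read_reply(sock))
        sock.sendall(b"QUIT\r\n")
    return {
        "ready": code == 220,  # the guide expects "220 SMTP ready"
        "banner": " ".join(banner),
        "leaks_software": banner_leaks_software(" ".join(banner)),
        "extensions": ehlo_extensions(ehlo) if ecode == 250 else [],
    }

if __name__ == "__main__":
    import sys
    # Run against a host of your own; mail.watchguard.com is the guide's test target.
    print(check_smtp(sys.argv[1] if len(sys.argv) > 1 else "mail.watchguard.com"))
```

Run it first from inside against the mail server and then from an external connection against the Firebox external IP, as the guide does with telnet; with only "Allow AUTH" enabled on the proxy, the extension list should be short.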