Using the Switch Functionality of the ASA to Host an SGW Box's Outside Interface, Postfix Smart Hosting

Customer had an ASA firewall in place and an Exchange server that was failing to deliver mail to certain destinations. Getting good SMTP logs out of Exchange can be challenging, and delivery kept failing even after we removed the infamous inspect esmtp command that the previous admin had left enabled on the ASA.

We decided to insert an OpenBSD SGW box to smart-host outbound SMTP from the Exchange server and to provide web content filtering.

The problem was that while the ISP had provided a /29, the ISP edge router had only a single Ethernet downlink, and ASA 5505 port 0 was connected to it. The 5505 has a VLAN-capable switch built in, so we simply plugged the SGW box's uplink into a free switch port on the ASA and assigned that port to the outside VLAN (VLAN 2 by default):

ASA 5505 config changes for port 5 (ports 0 and 1 shown for context):

! Uplink to ISP Adtran router:
interface Ethernet0/0
 switchport access vlan 2
!
! Handoff to inside network:
interface Ethernet0/1
 switchport access vlan 1
!
! Handoff to public interface on BSD appliance:
interface Ethernet0/5
 switchport access vlan 2

The SGW box can now sit in parallel with the ASA, with one inside (LAN) interface and one outside (public IP) interface. SMTP traffic from Exchange to Postfix therefore never traverses the ASA firewall.


Postfix can be tuned to improve delivery to more difficult destinations.

The following main.cf settings help with yahoo.com and other mail providers that rate-limit or block senders that open too many parallel connections; this bites you when, for example, a distribution list contains many Yahoo members:

default_process_limit = 6
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 2
initial_destination_concurrency = 2

This will improve logging; add this to main.cf:

header_checks = regexp:/etc/postfix/header_checks

Then place these two lines in /etc/postfix/header_checks (the WARN action logs the matching header for every message and otherwise leaves delivery untouched):

/^subject:/  WARN
/^from:/     WARN
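Once the WARN rules above are in place, each message's Subject and From appear in the cleanup(8) log next to its queue ID, and the smtp(8) log carries the delivery result under the same ID. As an added example (not part of the original note), this Python script joins the two by queue ID so that deferrals from a throttling provider such as yahoo.com show up together with the subject that triggered them. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Postfix cleanup(8) header_checks
# WARN output and smtp(8) delivery records; not real traffic.
SAMPLE_LOG = """\
Jan  5 10:01:02 sgw postfix/cleanup[1234]: A1B2C3D4E5: warning: header Subject: Quarterly newsletter from local; from=<news@example.com> to=<alice@yahoo.com> proto=ESMTP helo=<exch01.example.com>
Jan  5 10:01:02 sgw postfix/cleanup[1234]: A1B2C3D4E5: warning: header From: News <news@example.com> from local; from=<news@example.com> to=<alice@yahoo.com> proto=ESMTP helo=<exch01.example.com>
Jan  5 10:01:05 sgw postfix/smtp[1300]: A1B2C3D4E5: to=<alice@yahoo.com>, relay=mx.yahoo.example[198.51.100.7]:25, delay=3.2, delays=0.1/0/1.5/1.6, dsn=4.7.0, status=deferred (host mx.yahoo.example[198.51.100.7] said: 421 4.7.0 Messages temporarily deferred due to unexpected volume (in reply to MAIL FROM command))
Jan  5 10:01:06 sgw postfix/cleanup[1234]: F6E5D4C3B2: warning: header Subject: Invoice 1042 from local; from=<ap@example.com> to=<bob@partner.example> proto=ESMTP helo=<exch01.example.com>
Jan  5 10:01:07 sgw postfix/smtp[1301]: F6E5D4C3B2: to=<bob@partner.example>, relay=mx.partner.example[198.51.100.9]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8F3A1)
"""

# header_checks WARN line: the header value runs up to " from <origin>;"
HEADER_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): warning: header (?P<name>Subject|From): (?P<value>.*?) from ")
# smtp(8) delivery line: recipient, status keyword and the remote server's reply
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>,.*?status=(?P<status>\w+) \((?P<reason>.*)\)$")

def correlate(log_text):
    """Join header_checks warnings and delivery results by queue ID."""
    records = defaultdict(lambda: {"headers": {}, "deliveries": []})
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            records[m["qid"]]["headers"][m["name"]] = m["value"]
            continue
        m = DELIVERY_RE.search(line)
        if m:
            records[m["qid"]]["deliveries"].append({
                "rcpt": m["rcpt"], "domain": m["rcpt"].rsplit("@", 1)[-1].lower(),
                "status": m["status"], "reason": m["reason"]})
    return dict(records)

def deferred_by_domain(records):
    """Count deferred recipients per destination domain: the signal that a
    provider is throttling this smart host and the concurrency limits need lowering."""
    counts = defaultdict(int)
    for rec in records.values():
        for d in rec["deliveries"]:
            if d["status"] == "deferred":
                counts[d["domain"]] += 1
    return dict(counts)

def report(records):
    """One line per deferral, carrying the Subject that header_checks logged."""
    return [f"{qid} {d['rcpt']} subject={rec['headers'].get('Subject', '?')!r} reason={d['reason']}"
            for qid, rec in sorted(records.items())
            for d in rec["deliveries"] if d["status"] == "deferred"]

if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    print(*report(recs), sep="\n")
    print(deferred_by_domain(recs))
```

On the SGW box itself, feed the script the real mail log instead of SAMPLE_LOG and watch the per-domain deferral counts after each change to the concurrency limits.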


These two main.cf parameters help with delivery to sites behind buggy Cisco PIX/ASA firewalls whose ESMTP inspection mangles the conversation. Note that 10s and 500s are also Postfix's built-in defaults for these parameters, so setting them explicitly only matters where an earlier configuration changed them:

smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s