In my experience dealing with email and mail server configurations, I have seen many cases where administrators inadvertently make basic mistakes that cost hours and, on occasion, days of delays. Nobody is perfect, but some mistakes cost more than others because the proper functioning of many other critical elements often depends on the correct configuration of separate elements. End users are typically the first to complain, before you even realize that a problem exists; in some cases it is the CEO who complains, and then the pressure is on to fix it as soon as possible.
The two major mistakes I often encounter when reviewing the configuration of a firewall are:
1) Creating an “any to any” Access Rule – with an “any to any” rule you essentially have a physical firewall that serves no purpose. I’ve seen cases where this rule is placed at the top of the list and followed by other rules.
I’ve also had discussions with customers who claimed to have the most secure environment, only to discover that they have an “any to any” rule at the bottom of the firewall rules list. In other cases, I troubleshoot issues and cannot find why a rule that was just created was not doing what it was supposed to do, and in almost all cases the “any to any” rule preceded the rule that was not working.
Before I create a new rule I always test, against the actual firewall configuration, what I want to achieve. I then create my rule and test again to see whether it has the expected effect. It is imperative that you check the order of your rules: the firewall stops searching as soon as a rule matches and won’t bother going further.
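To make the first-match behaviour concrete, here is a small added example (my own illustration, not a vendor's rule engine) that evaluates a packet against an ordered rule list the way a typical firewall does, and that flags rules which can never match because an earlier, broader rule covers them. The rule sets and addresses are constructed for the demonstration; "0.0.0.0/0" stands in for "any".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One access rule. src/dst are IPv4 CIDRs, "0.0.0.0/0" means any;
    proto is "tcp", "udp" or "any"; dport None means any port."""
    name: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int,
             default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation: the first rule that matches decides, and the rest
    of the list is never consulted. Returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return default, "implicit-default"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never take effect because an earlier rule covers them.
    An "any to any" allow at the top shadows every rule below it."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# Constructed rule sets: the mistake described above, and the corrected order.
ANY_ANY_FIRST = [
    Rule("any-any", "0.0.0.0/0", "0.0.0.0/0", "any", None, "allow"),
    Rule("block-telnet", "0.0.0.0/0", "10.0.0.0/8", "tcp", 23, "deny"),
]
CORRECT_ORDER = [
    Rule("block-telnet", "0.0.0.0/0", "10.0.0.0/8", "tcp", 23, "deny"),
    Rule("allow-web", "0.0.0.0/0", "10.0.0.10/32", "tcp", 80, "allow"),
]

if __name__ == "__main__":
    # Same telnet packet, two rule orders: the broad allow wins when it comes first.
    print(evaluate(ANY_ANY_FIRST, "203.0.113.5", "10.0.0.10", "tcp", 23))
    print(evaluate(CORRECT_ORDER, "203.0.113.5", "10.0.0.10", "tcp", 23))
    print("shadowed:", shadowed_rules(ANY_ANY_FIRST))
```

Running `shadowed_rules` over an exported rule list is a cheap sanity check before troubleshooting a rule that "does nothing": if its name appears in the output, the fix is ordering, not the rule itself.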
2) Configuring email servers along with the firewall is also something that some administrators tend to have problems with – especially if they filter their mail through an email service provider (ESP). I’ve seen customers get a lot of complaints that the new ESP is not doing much, and users end up with a tremendous amount of spam in their mailboxes because email is not being filtered. Obviously this is not about the anti-spam product itself – it is about the firewall’s configuration.
Most of the time, just doing an nslookup on the domain name reveals an extra MX record that still points directly to the mail server. Spammers almost always hit it directly without going through the ESP. Other times I see that the firewall accepts mail on port 25 from anyone on the Internet, whereas in a proper configuration only mail coming from the ESP is allowed into the network. I have seen many other issues related to firewall configuration, but the above-mentioned ones are by far the most common. Remember: having a firewall that is not configured properly is akin to having no firewall at all!
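The two checks just described can be scripted. The following is an added example of my own (not any ESP's or vendor's tooling) that audits an MX record table for entries that bypass the ESP, and audits firewall rules for TCP/25 allows to the mail server from sources outside the ESP's ranges. The MX records, the mail server address, the ESP hostname suffix and the ESP inbound range are all constructed placeholders; a real audit would feed in the output of an actual nslookup and the ESP's published relay addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed values for the demonstration (placeholders, not a real ESP or domain).
MAIL_SERVER_IP = "198.51.100.25"
ESP_MX_SUFFIX = ".esp-filter.example"     # hypothetical ESP MX hostname suffix
ESP_INBOUND_RANGES = ["192.0.2.0/24"]     # hypothetical ESP relay block

# Constructed MX table as (priority, target), as it might come from an nslookup.
MX_RECORDS: List[Tuple[int, str]] = [
    (10, "mx1.esp-filter.example"),
    (20, "mx2.esp-filter.example"),
    (30, "mail.corp.example"),  # leftover record pointing straight at the mail server
]


def stray_mx_records(mx_records: List[Tuple[int, str]], esp_suffix: str) -> List[str]:
    """MX targets that do not belong to the ESP. Any such record lets a sender
    deliver straight to the mail server, skipping the filter entirely."""
    return [target for _, target in mx_records
            if not target.lower().rstrip(".").endswith(esp_suffix)]


def smtp_ingress_violations(rules: List[Dict], mail_server_ip: str,
                            esp_ranges: List[str]) -> List[str]:
    """Names of allow rules that accept TCP/25 to the mail server from a source
    range not fully contained in the ESP's inbound ranges."""
    server = ipaddress.ip_address(mail_server_ip)
    esp_nets = [ipaddress.ip_network(r) for r in esp_ranges]
    violations = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp" or rule["dport"] != 25:
            continue
        if server not in ipaddress.ip_network(rule["dst"]):
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(net) for net in esp_nets):
            violations.append(rule["name"])
    return violations


# Constructed rule sets: the weak setting beside the corrected one.
WEAK_RULES = [
    {"name": "smtp-from-anywhere", "src": "0.0.0.0/0", "dst": "198.51.100.25/32",
     "proto": "tcp", "dport": 25, "action": "allow"},
]
HARDENED_RULES = [
    {"name": "smtp-from-esp", "src": "192.0.2.0/24", "dst": "198.51.100.25/32",
     "proto": "tcp", "dport": 25, "action": "allow"},
    {"name": "smtp-deny-rest", "src": "0.0.0.0/0", "dst": "198.51.100.25/32",
     "proto": "tcp", "dport": 25, "action": "deny"},
]

if __name__ == "__main__":
    print("stray MX:", stray_mx_records(MX_RECORDS, ESP_MX_SUFFIX))
    print("weak:", smtp_ingress_violations(WEAK_RULES, MAIL_SERVER_IP, ESP_INBOUND_RANGES))
    print("hardened:", smtp_ingress_violations(HARDENED_RULES, MAIL_SERVER_IP, ESP_INBOUND_RANGES))
```

Both checks have to pass together: a clean MX table does nothing if port 25 is still open to the world, and a tight port-25 rule does nothing if a stray MX record advertises the server, since senders that respect MX will still try it and fail, while the firewall is what actually stops direct delivery. Keep the ESP range list current, because ESPs add relay addresses and an out-of-date allow list silently breaks inbound mail.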