Upgrade to version 3.0 of Firewall 1 and use the SMTP Security Server.
This acts as an SMTP Relay, accepting the mail, then queuing it on.
You could set it up in both directions (in which case you wouldn't need
address translation), or set one up for inbound and open an SMTP filter
out, with address translation as below.
Big advantage of the security server is that nobody from outside touches
your Exchange box directly.
Yet another way would be to install the SMTP postoffice from the NT4
Server Resource kit onto your v2.1 firewall and configure this as a
>From: Martin Khoo [SMTP:martin @
>Sent: Saturday, May 31, 1997 12:47 PM
>To: Francisco Lopez (Infovia)
>Cc: firewalls @
>Subject: Re: CheckPoint Firewall-1 V. 2.1
>Francisco Lopez (Infovia) wrote:
>> Hello everyone...
>> this is just to ask for help from someone who has made checkpoint
>> ver.2.1 work efficiently with Microsoft Exchange V.5 (which is inside
>> protected network). When I put my Exchange server directly connected to
>> the router it works just fine (using valid IP addresses), but after
>> putting it back on the protected network (with invalid IP addresses) the
>> firewall seems not to be handling the procedure (it drops all the mail
>> packets -inbound and outbound-). I have opened the specific ports (25,
>> 110) but still it did not solve the problem. So far all the users in
>> protected network are just able to use their browsers but not to
>> send/receive mail from internet. Has anyone had a situation like
>> this? If so... what did you do to make it work?
>> Francisco Lopez
>> IIDS - Infovia
>> Guatemala CA
>> (502) 336-6236 ext. 303
>A few things you need to do to get it to work:
>(1) If you intend to hide the Exchange server in the protected n/w, then
>you would need to use FW-1 Network Address mapping to map it into a valid
>IP so that external mail servers can contact it. You need to use the
>FW_SRC_STATIC & FW_DST_STATIC mode of address translation. Read the admin
>guide under the chapter on Address Translation.
>Alternatively, put the Exchange server on a DMZ and use valid IP for it.
>Set up rules in the rulebase to permit SMTP traffic (port 25) from
>external to it and SMTP & POP3 (port 110) from internal to it.
>(2) Make sure that the MX record in your DNS points to the VALID IP of
>the Exchange server.
>Senior IT Architect (Security & Cryptography)
>Information Infrastructure Group
>National Computer Board
>Email: martin @ sg, mkhoo @ sg, markhoo @
>DID: 7703878 FAX: 7747159
>PGP: 1D 5F DA E5 56 CD 6A B6 FA E0 83 55 BD 07 9C C0
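
The two points in the quoted reply (a static address mapping for a hidden Exchange server, and an MX record that points at the valid address) can be cross-checked offline. The Python below is an added example, not part of the original thread; the zone lines, addresses and mapping table are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): zone lines and a static
# mapping table of valid (external) address -> internal address.
ZONE = """\
example.com.        IN MX 10 mail.example.com.
example.com.        IN MX 20 backup.example.com.
mail.example.com.   IN A  192.0.2.25
backup.example.com. IN A  10.1.1.8
"""
STATIC_NAT = {"192.0.2.25": "10.1.1.5"}

# The "invalid" (non-routable) ranges an external mail server cannot reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_zone(text):
    """Return (MX targets, {name: address}) from 'name IN TYPE ...' lines."""
    mx, a = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[1].upper() == "IN" and f[2].upper() == "MX":
            mx.append(f[4].lower())
        elif len(f) >= 4 and f[1].upper() == "IN" and f[2].upper() == "A":
            a[f[0].lower()] = f[3]
    return mx, a


def check_mail_path(zone_text, static_nat=None):
    """Return problems that stop outside servers reaching the mail host.

    static_nat=None skips the mapping check (server on a DMZ with a valid IP).
    """
    problems = []
    mx, a = parse_zone(zone_text)
    for target in mx:
        addr = a.get(target)
        if addr is None:
            problems.append(f"{target} MX target has no A record")
        elif is_rfc1918(addr):
            problems.append(f"{target} resolves to internal address {addr}")
        elif static_nat is not None and addr not in static_nat:
            problems.append(f"{target} ({addr}) has no static mapping")
    return problems
```

Calling `check_mail_path(ZONE, STATIC_NAT)` on the constructed data reports only the backup MX, whose A record still carries an internal address.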