Operational Defect Database

BugZero found this defect 2130 days ago.

WatchGuard Technologies | kA10H000000g3OrSAI

SMTP Proxy policy template does not support Message Submission port TCP 587

Last update date:

7/20/2018

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

11.x

11.1.x

11.10.x

11.10

11.10.1

11.10.2

11.10.3

11.10.4

11.10.5

11.10.6

Fixed releases:

All

Description:

Issue

If you use the default policy template for the SMTP proxy, the policy includes only TCP port 25. It does not include TCP port 587, the Message Submission port for the SMTP protocol. TCP port 587 is a common alternate SMTP port intended for user email client applications to send email through their email server. This alternate port is useful because ISPs frequently deny user connections on TCP port 25 to prevent outbound spam.

We recommend that you use the SMTP proxy for all SMTP connections. To apply the SMTP proxy to TCP port 587 for both inbound and outbound connections, follow the directions in the workaround below.

Workaround/Solution

Follow these steps to allow the Message Submission port, either for inbound or outbound connections:

1. Create a custom policy for TCP port 587. Select the type Proxy, then SMTP. For full instructions, see Create or Edit a Custom Policy Template.
2. Add a new policy to your configuration with this new template. For instructions, see Add Policies to Your Configuration.
3. If you already have a custom SMTP proxy action you want to use, select that in the policy. Otherwise, use the SMTP-Incoming.Standard or SMTP-Outgoing.Standard action template.
4. In the From and To fields of the new SMTP policy, use the same values as your usual SMTP policy.
   Note: In most cases, for an SMTP proxy policy for connections to a server on the local network, you will use a Static NAT in the policy To field.
5. In the SMTP proxy configuration, you must make sure that each of these is true:
   - In ESMTP > ESMTP Settings, you must select the Enable ESMTP check box. This is the default configuration.
   - In ESMTP > STARTTLS Encryption, you must select the Enable STARTTLS with Content Inspection check box.
   - In ESMTP > STARTTLS Encryption > Encryption Rules, Sender Encryption must be set to Optional or Required, and Recipient Encryption must be set to Allowed for all recipient domains. This is the default configuration.
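Added example (not WatchGuard's code and not part of the original article): after the port 587 policy is in place, one way to confirm from the client side that ESMTP and STARTTLS are still offered is to inspect the EHLO reply seen on that port. The replies below are constructed samples, and the names `parse_ehlo` and `submission_findings` are hypothetical.

```python
# Added example: inspect an EHLO reply seen on TCP 587 for ESMTP and STARTTLS.
# The replies are constructed samples, not captures from a Firebox or mail server.
WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 20480000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
NO_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
NO_ESMTP = "502 Command not implemented\r\n"


def parse_ehlo(reply):
    """Parse a multi-line SMTP reply (RFC 5321, section 4.2) into (code, extensions)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    code, extensions = None, {}
    for index, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit() or line[3:4] not in ("", " ", "-"):
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed inside one reply")
        # Every line but the last uses "-" after the code; the last uses a space.
        if (line[3:4] == "-") == (index == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        words = line[4:].split()
        if index > 0 and words:  # line 0 is the greeting, not an extension
            extensions[words[0].upper()] = words[1:]
    return code, extensions


def submission_findings(reply):
    """Return a list of problems with the EHLO reply; an empty list means none found."""
    code, extensions = parse_ehlo(reply)
    if code != 250:
        return [f"EHLO answered with {code}: ESMTP extensions are not available"]
    findings = []
    if "STARTTLS" not in extensions:
        findings.append("STARTTLS is not advertised: clients cannot upgrade to TLS")
        if "AUTH" in extensions:
            findings.append("AUTH is offered without STARTTLS: logins would be sent in cleartext")
    return findings
```

To check a live listener, pass in the text of the EHLO reply recorded from a session to port 587.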

Status

Open
