About POP3 through the Firebox
Posted by Samuel Turi on 03 May 2011 01:12 PM


Basic description

POP3 is a plaintext protocol designed to allow mail clients to retrieve mail from a mail server. Most mail servers and clients are able to use POP3. This protocol is designed to allow clients to retrieve mail, while SMTP is designed to send mail. POP3 generally uses TCP port 110. Keep in mind that some POP3 servers will attempt to use the AUTH protocol, connecting back to the client on TCP port 113, to verify it. This must be allowed inbound or outbound as needed for your configuration.

Caution:  WatchGuard strongly recommends against allowing users to access external POP3 mail accounts. The Firebox cannot perform any content type filtering or attachment type filtering on POP3 traffic; that filtering is only available with the SMTP service. We recommend that users receive incoming mail through an SMTP server that is behind the Firebox.

Allowing this service inbound

If you intend to operate a POP3 server behind your Firebox, simply add a POP3 service to your services arena in the Policy Manager. This packet-filtered service is built into the Firebox.

  1. Open Policy Manager with your current configuration.
  2. On the toolbar, click the Add Service button.
    You can also select Edit => Add Service. The Services dialog box appears.
  3. Expand Packet Filters.
  4. Select POP3 from the list.
  5. Click Add.
  6. Name the service appropriately, the default name of POP3 is fine for most situations.
  7. Click OK.
  8. Configure the Incoming properties as needed. Static-NAT is available with the NAT button.
  9. Click OK.
  10. Save this configuration to the Firebox.

Allowing this service outbound

If you want your clients behind the Firebox to be able to connect to a POP3 server, simply add a POP3 service using the instructions provided above. Configure the outgoing properties of this service as needed for your configuration. Be sure to read the caution above before allowing this service outbound. If your configuration has a Filtered-HTTP, Proxy, Proxied-HTTP, or an Outgoing service, this protocol will be allowed outbound by default.

Denying this service inbound

By default, this service is not allowed inbound; no configuration changes should be necessary.

Denying this service outbound

Denying this service outbound can be accomplished in a few different ways. If your configuration has a Filtered-HTTP, Proxy, Proxied-HTTP, or an Outgoing service, this protocol will be allowed outbound by default. So, the easiest way to block it is to remove these services and substitute the necessary services in their place.

If these services are necessary on your network, then you must add a POP3 service and configure the properties of this service to Incoming: Disabled - Outgoing: Enabled and Denied. This will prevent users on your local network from accessing POP3 servers on the Internet.

Using this service with NAT

Because this service only uses one TCP port, it should work fine with an incoming Static-NAT or an outgoing Static-NAT in most cases. The one thing to remember is that some POP3 servers will attempt to use the AUTH protocol with connecting users. This can create noticeable lags in response time, or may cause the POP3 connection to fail completely.
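The following is an added audit helper, not WatchGuard code, that models the policy precedence described in the outbound and inbound sections above and flags the AUTH callback caveat. The Policy record, the direction values, and the "AUTH" policy name are assumptions for illustration, not a Firebox export format.

```python
# Added audit helper (not WatchGuard code). It models the precedence this
# article describes: the broad Filtered-HTTP, Proxy, Proxied-HTTP and
# Outgoing services allow POP3 outbound by default, an explicit POP3 policy
# set to "Outgoing: Enabled and Denied" overrides them, and inbound POP3 is
# closed unless an explicit POP3 policy allows it. The Policy record and the
# "AUTH"/"IDENT" policy names for TCP 113 are assumptions for illustration.
from dataclasses import dataclass

BROAD_OUTBOUND = {"Filtered-HTTP", "Proxy", "Proxied-HTTP", "Outgoing"}
POP3_PORT, AUTH_PORT = 110, 113  # AUTH callback some POP3 servers attempt


@dataclass
class Policy:
    name: str
    incoming: str = "disabled"  # "disabled" | "allowed" | "denied" (assumed)
    outgoing: str = "disabled"


def _pop3_policies(policies):
    return [p for p in policies if p.name.upper().startswith("POP3")]


def pop3_outbound_verdict(policies):
    """How clients behind the Firebox fare reaching an Internet POP3 server."""
    explicit = _pop3_policies(policies)
    if any(p.outgoing == "denied" for p in explicit):
        return "denied", "explicit POP3 policy with Outgoing: Enabled and Denied"
    if any(p.outgoing == "allowed" for p in explicit):
        return "allowed", "explicit POP3 policy allows outgoing"
    broad = sorted(p.name for p in policies if p.name in BROAD_OUTBOUND)
    if broad:
        return "allowed", "implicitly allowed by " + ", ".join(broad)
    return "blocked", f"no policy permits TCP {POP3_PORT} outbound"


def pop3_inbound_verdict(policies):
    """Whether an Internet client can reach a POP3 server behind the Firebox."""
    if any(p.incoming == "allowed" for p in _pop3_policies(policies)):
        return "allowed", "explicit POP3 policy allows incoming"
    return "blocked", "default: no inbound POP3"


def auth_warnings(policies):
    """Flag the AUTH (TCP 113) callback caveat wherever POP3 is permitted."""
    has_auth = any(p.name.upper() in {"AUTH", "IDENT"} for p in policies)
    permitted = [d for d, f in (("outbound", pop3_outbound_verdict),
                                ("inbound", pop3_inbound_verdict))
                 if f(policies)[0] == "allowed"]
    if permitted and not has_auth:
        return [f"POP3 {', '.join(permitted)} permitted but no AUTH policy: "
                f"servers calling back on TCP {AUTH_PORT} may lag or fail"]
    return []
```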
