• Status: Solved

Open Relay

Hello Experts. I have recently started scanning my external network and all seems to be well except one potentially big problem. I have tried to remedy this on my own, but I am obviously missing something. Here is what I see:

================================================================

An open SMTP relay is running on this port. Risk:
TCP Port: 25  
The remote SMTP server is insufficiently protected against relaying.
This means that it allows spammers to use your mail server to send
their mails to the world, thus wasting your network bandwidth.

Nessus was able to relay mails by sending those sequences :

MAIL FROM: <nessus@xxxxx.com>
RCPT TO: <nobody%example.com@xxxxx.com>

Solution:
Reconfigure your SMTP server so that it cannot be used as a relay any more.  

================================================================

I see this with a third-party scan, as well as my own scans with Nessus. I have looked at the relays in Exchange 2007 and they are all internally assigned to internal IPs. The only IP that could possibly be allowing this traffic is our spam filter which sits between the Exchange server and the firewall. Of course, we then have the firewall sitting between that spam filter and the outside world.

Port 25 is used as the standard. What should I be looking for in relation to Nessus being able to relay with my server? I am not sure how this is happening being that all relays (10 or so) are set up for individual apps within the corporation.

Any help would be greatly appreciated.
Asked:
swcrook
 
leakim971 Pluritechnician Commented:
Hello swcrook,

What spam filter do you have?

Regards.

swcrook Author Commented:
XWall

swcrook Author Commented:
Also, we have had external scanning for several years and this has only started showing up on the last 4 scans. That is what prompted me to scan on my own and I found the same thing. I am thinking that the plug-ins for Nessus got updated and started looking for this, but it definitely has not been an issue in the past on the scans.
Internally, we haven't changed anything to our Exchange server in that timeframe.
Thanks
 
leakim971 Pluritechnician Commented:
Do you have any option checked in the XWall relay tab?
Please do a test with this tool to confirm your mail server is an open relay: http://www.abuse.net/relay.html

swcrook Author Commented:
Thank you for the link. After doing the above test, I get this at the end:
Relay test result
All tests performed, no relays accepted.

swcrook Author Commented:
I do not have any options checked in the relay tab of XWall.

leakim971 Pluritechnician Commented:
What about a new test for your domain using the Network Abuse tools?

swcrook Author Commented:
What new test are you referring to? I ran the above relay test twice and both times it says that no relays are allowed.

swcrook Author Commented:
If you are referring to the standard test that we run, it is through a company called ControlScan. It scans all ports and the entire process takes 1 1/2 hours. I have run the scan through my own external Nessus scanning and I still get the original message through my Nessus scans.
As I mentioned, I am wondering if this is something new in one of the Nessus plugins because I have never had this before, but it is definitely seeing something that it didn't before. The link that you provided states that the relay with a specific address through our Exchange server is blocked, but the Nessus scan says it can relay with Nesus@example.com which I don't think is accurate.

leakim971 Pluritechnician Commented:
OK.
Create an SPF record for your domain: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
If you don't use your SMTP server internally, you can disable relay on the Exchange 2007 receive connector, or with XWall by denying your own domain:
On XWall, go to the Email address tab and add, in the INBOUND MAIL FROM section: @xxxxx.com

Assuming ALL your users use Outlook with a MAPI connection (Outlook <-> Exchange), you just deny use of your SMTP service for mail coming from outside with your own domain.


leakim971 Pluritechnician Commented:
Your comments:
ID:26132148
ID:26132202

Don't worry, I only want to be sure your server is really an Open Relay.

swcrook Author Commented:
Unfortunately, we have several in-house apps that our programmers developed that do use SMTP, so this isn't something that we can disable. I actually did what you mentioned already, but we had several things break that we simply cannot have down.

We may be able to do that in the future, but for now we need SMTP to be available internally.

swcrook Author Commented:
Could it be that the Nessus scans are seeing port 25 open on the firewall and thinking that SMTP could possibly be relaying? That port is open on our firewall, but it has never been an issue in the past.

leakim971 Pluritechnician Commented:
No.

A true test is done.

MAIL FROM: <nessus@xxxxx.com>
RCPT TO: <nobody%example.com@xxxxx.com>

But
MAIL FROM: <nessus@xxxxx.com>
should fail because no one should be able to send externally a mail to your server with your own domain.
And I suppose nessus@xxxxx.com is not a valid email in your organization. So someone can force your server to send NDR and increase your mail server message queue.
 
 
swcrook Author Commented:
Okay, and thanks for the info. I have used the Wizard and created the SPF file. I am looking up documentation to add this to our internal DNS, but I assume this needs to be added to our external DNS provided by our ISP?
I will let you know how the scans turn out once I figure out how/where to post this. Thanks!

swcrook Author Commented:
Okay. I added it to our internal DNS as a txt file. Does this need to go to our external DNS like a MX record or no? Thanks

leakim971 Pluritechnician Commented:
Yes, SPF is for other DNS, not for yours or for the internal purpose of blocking relay:
When you send an email, the server will be able to check your valid MX(s) from the SPF record.

You should create a new dedicated connector with a dedicated IP for internal use of your SMTP connector (third application).
And block your own domain on the connector facing the internet.

swcrook Author Commented:
This was close enough to the answer that you get all the points. Thanks for your help.

leakim971 Pluritechnician Commented:
Thanks a lot! Happy new year!
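
The accept/refuse policy that the thread converges on (refuse your own domain and the percent-hack recipient from the Nessus finding on the internet-facing connector, and give the in-house applications a separate connector limited by IP) can be modelled as below. This is an added example, not part of the original thread and not XWall or Exchange configuration; `corp.example`, the `10.0.5.0/28` application range, the connector names and all function names are assumptions.

```python
import ipaddress

# Assumed values for illustration; the thread masks the real domain as xxxxx.com.
LOCAL_DOMAINS = {"corp.example"}
APP_RELAY_NETS = [ipaddress.ip_network("10.0.5.0/28")]  # hosts of in-house apps

def split_addr(path):
    """Split an SMTP path like <user@domain> into (local_part, domain)."""
    local, _, domain = path.strip().strip("<>").rpartition("@")
    return local, domain.lower()

def is_routed(rcpt):
    """True for recipients that ask this server to forward elsewhere:
    the percent hack (user%other@ours), bang paths, or @relay: source routes."""
    local, _ = split_addr(rcpt)
    return any(ch in local for ch in "%!@") or rcpt.strip("<> ").startswith("@")

def decide(connector, client_ip, mail_from, rcpt_to):
    """Return (smtp_code, reason) for one MAIL FROM / RCPT TO pair."""
    _, from_dom = split_addr(mail_from)
    _, rcpt_dom = split_addr(rcpt_to)
    if is_routed(rcpt_to):
        return 550, "routed recipient refused"
    if connector == "internet":
        if from_dom in LOCAL_DOMAINS:
            return 550, "own domain not accepted from outside"
        if rcpt_dom not in LOCAL_DOMAINS:
            return 550, "relaying denied"
        return 250, "inbound mail accepted"
    # Internal connector: relay only for the listed application hosts.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in APP_RELAY_NETS):
        return 250, "relay allowed for listed app host"
    return 550, "client not on relay list"

# Constructed sample transactions (not taken from a real log).
SAMPLES = [
    ("internet", "203.0.113.9", "<nessus@corp.example>", "<nobody%example.com@corp.example>"),
    ("internet", "203.0.113.9", "<nessus@corp.example>", "<user@corp.example>"),
    ("internet", "203.0.113.9", "<alice@partner.example>", "<user@corp.example>"),
    ("internet", "203.0.113.9", "<alice@partner.example>", "<bob@other.example>"),
    ("internal", "10.0.5.4", "<app@corp.example>", "<customer@other.example>"),
    ("internal", "10.0.9.9", "<app@corp.example>", "<customer@other.example>"),
]

def run_samples():
    return [decide(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample, "->", verdict)
```

The first sample is the sequence from the Nessus report with the masked domain replaced by the placeholder; it is refused on the recipient alone, before the sender check is reached.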