Exchange 2010 SMTP tcp port 25 Security issue

Posted on 2013-01-30
Last Modified: 2013-02-01
We recently had a penetration test performed, which was excellent but for one issue.

A mail server spoof issue. Essentially the mail server allows an external user to send email as internal senders via SMTP or tcp port 25.

The suggested solution for the issue given to me by the tester was to configure my mail server to disallow or block SMTP sending from internal addresses.

Now, it is my understanding that if I were in fact to block users in this fashion, no one will be able to send any mail outside of the domain, which is not an option.

My other thought is, if I were to block external SMTP connections or incoming port 25 connections in my firewall, that this too, would disallow anyone from sending mail to external users.

Is there any way I can plug this security hole and still allow users to send mail to external users?
Question by:tjwo94
19 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38836725
Hope you haven't set an open relay?
Run ExBPA from the Toolbox in EMC.

- Rancy
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38836743
Can you please expand on the Internal Users element.  Do you mean the internal domain name email address, or the actual email address of the sender which you / they are deeming as the internal user?

If you block port 25 inbound, your mail will indeed stop and that wouldn't be a good plan.
0
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 38836763
Automated penetration tests are a pain. They come up with these fanciful ideas but no real answers.

What they are talking about is spoofing, where a remote server can use the from field to enter a host in your domain. A decent antispam application can do that for you, so would be the first place I would look.

This applies to Exchange 2010 as well:
http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

Simon.
0
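The fix the linked article describes, shown here as an added Exchange Management Shell example (this is not code from the thread or from the article): take the right to send as one of your own authoritative domains away from anonymous sessions on the internet-facing receive connector, and nothing else. The connector name "Default EXCH01" is an assumption; substitute the name of the connector your MX record actually hits.

```powershell
# Added example (not from the thread): stop anonymous SMTP sessions on the
# internet-facing receive connector from using MAIL FROM addresses in your own
# (authoritative) domains. Run in the Exchange Management Shell on the Hub
# Transport server. "Default EXCH01" is an assumed connector name.

$connector = "Default EXCH01"

# 1. Show what NT AUTHORITY\ANONYMOUS LOGON may currently do on this connector.
#    Ticking the "Anonymous users" permission group grants it, among others,
#    ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, which is exactly what lets
#    a remote server say "MAIL FROM:<ceo@yourdomain.com>" and be accepted.
Get-ReceiveConnector $connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Format-Table User, Deny, ExtendedRights -AutoSize

# 2. Remove only that one extended right. Leave ms-Exch-SMTP-Submit and
#    ms-Exch-SMTP-Accept-Any-Sender in place, or inbound internet mail stops.
Get-ReceiveConnector $connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" } |
    Remove-ADPermission -Confirm:$false

# 3. Verify: this should now return nothing.
Get-ReceiveConnector $connector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Authoritative-Domain-Sender*" }
```

After this, an unauthenticated session that issues MAIL FROM with an address in one of your accepted authoritative domains is refused at the SMTP level with a 550 5.7.1 "Client does not have permissions to send as this sender" response, which is the check the pentester can repeat over port 25. Two caveats a practitioner should weigh first: any device on your own network that submits anonymously with an internal From address (the scanner discussed later in this thread) is rejected in the same way, so it needs its own connector that keeps the permission; and any legitimate third party that sends as your domain from outside (a bulk-mail or ticketing service, for example) is blocked too. It does nothing about spoofed display names or look-alike domains, so anti-spam filtering and a published SPF record still matter.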
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 38836789
Hello,

Follow the instructions in this article - http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

The article mentions Exchange 2007 but it should also work with Exchange 2010.

JJ
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38836826
JJ - you need to refresh your page / answer a little quicker.  6 minutes between your post and Sembee2's and you hadn't spotted the link you posted was the same.

Alan
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 38836839
Alan,

Really?

JJ
0
 

Author Comment

by:tjwo94
ID: 38836880
The solution offered in the link appears like it could work. However, I know I have an application for a scanner that is using an internal email address to send reports that requires my default receive connector to accept "Anonymous users" in order to work.

At the bottom of this page, the writer suggests having other receive connectors for those devices. I am assuming if I want to even attempt the solution he offers, I will have to create a new connector for my scanning software. Any of you familiar with that process?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38837392
The MS Exchange team have blogged the process here:
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

Simon.
0
 

Author Comment

by:tjwo94
ID: 38840657
I think, Sembee2, you have your finger on exactly what I need. Let me ask you this, and see if my thought process is on the right path.

My default send connector as it is now, is allowing anonymous users. If I were to remove that access, would that effectively eliminate my issue with email spoofing? My assumption, is external servers trying to spoof will get a return message saying they could not relay.

If this is true, unchecking anonymous users from my default connector and creating a new connector that is only allowing anonymous from the specific IP of the server needing to send email to internal users will effectively take care of both my problems.

Am I on the right track with this?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38842702
Send Connector has nothing to do with inbound email, so I presume that you mean Receive Connector.

If you take Anonymous off the Default Receive Connector then you will stop receiving email from the internet. There is no quick and easy way to deal with email spoofing - if there was then it wouldn't be an issue.
The only time you can restrict access on the Receive Connector is when you are getting all of your email from a single source - for example your email comes in through Postini or Message Labs. However I would still prefer to have that traffic restriction on the firewall rather than at Exchange.

If you have something internal that needs to send email through Exchange, setup a specific connector for it, but don't touch the default one.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38843376
That is odd, by default my default receive connector did not have anonymous users selected, I had to add it in order to receive the mail from my app server. We were not having any issues receiving mail prior to that and aren't using anything to facilitate the process. I suppose I am a bit confused now as to how my Exchange is functioning. I'll let you know today if my new receive connector works for my app server or not.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843700
How do you receive email from the internet? Are the MX records pointing to your server, or are you using a third party host somewhere? Anonymous must be enabled somewhere to receive email from the outside world.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38843730
Looks like I have a "Windows SBS Internet Receive Servername" receive connector specifically for anonymous users on port 25. I have to assume this is a default connector or one that carried over from a migration, as I wasn't the one who implemented it. Does that sound correct?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843877
It would have helped if you said it was SBS server.
SBS creates its own connector that has traffic restricted - not allowing internal systems to connect to it.
Therefore creating another connector with the specific IP address would be your best option, leaving the Default connector alone.

Simon.
0
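The dedicated connector Simon recommends, as an added Exchange Management Shell example (not code from the thread): one receive connector that only the scanner's app server can reach, with anonymous submission allowed there and nowhere new. The server name EXCH01, the connector name and the address 192.0.2.10 are assumptions.

```powershell
# Added example (not from the thread): a receive connector reserved for one
# internal device (the scanner's app server) so it can submit mail anonymously
# with an internal From address, while the default and "Windows SBS Internet
# Receive" connectors are left untouched. EXCH01, the connector name and
# 192.0.2.10 are assumed values.

$server  = "EXCH01"
$scanner = "192.0.2.10"   # the only host allowed to use this connector

New-ReceiveConnector -Name "Scanner submit" -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $scanner `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism None

# Exchange hands a session to the connector whose RemoteIPRanges matches the
# source address most specifically, so this single-host range wins over the
# 0.0.0.0-255.255.255.255 range of the other connectors on the same port.
# "Anonymous users" here still carries ms-Exch-SMTP-Accept-Authoritative-Domain-
# Sender, so the scanner may send as scanner@yourdomain.com; no other source
# address ever reaches this connector.

# Only if the device must deliver to EXTERNAL recipients (this scanner sends
# reports to internal users, so it does not): grant relay on this connector
# alone, never on an internet-facing one.
# Get-ReceiveConnector "$server\Scanner submit" |
#     Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
#         -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

# Verify the scoping before trusting it.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

Keep RemoteIPRanges to the exact host or the smallest subnet that needs it; widening it to the whole LAN turns every workstation into an anonymous submitter with the same send-as-internal right you are trying to deny to the outside world. If the scanner ever needs the commented-out relay right, the IP restriction is the only thing standing between that connector and an open relay, so put that host behind the firewall rule Simon prefers as well.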
 

Author Comment

by:tjwo94
ID: 38843900
Gotcha. This of course takes care of my app server, which was able to send its automated reports this morning with the new connector. Unfortunately, it still leaves me open to spoofing and I'm unsure at this point what I can do to reduce or prevent the chance of it happening.
0
 

Author Comment

by:tjwo94
ID: 38843961
Simon, I want to ask you about this blog/conversation, as you were a part of it, and I believe it coincides with another link posted somewhere in this conversation as a solution.



If I execute the command mentioned by Alan H. on the "Windows SBS Internet Receive Servername" receive connector, will that also effectively prevent the receipt of external mail?

Or is this actually the best method for resolving some of the potential spoofing?
0
 

Author Comment

by:tjwo94
ID: 38843985
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843990
There is no easy fix for stopping spoofing.
If there was, everyone would be doing it.
If you modify the connector in any way then you will stop receiving external email. You could look at doing filtering of email to stop email that claims to come from your domain, but that is about it.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38844001
I understand, do you have a resource available I can check out in regards to the filtering?
0
