Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 745
  • Last Modified:

Exchange 2010 SMTP tcp port 25 Security issue

We recently had a penetration test performed, which was excellent but for one issue.

A mail server spoof issue. Essentially the mail server allows an external user to send email as internal senders via SMTP or tcp port 25.

The suggested solution for the issue given to me by the tester was to configure my mail server to disallow or block SMTP sending from internal addresses.

Now, it is my understanding, that if I were in fact to  block users in this fashion, no one will be able to send any mail outside of the domain, which is not an option.

My other thought is, if I were to block external SMTP connections or incoming port 25 connections in my firewall, that this too, would disallow anyone from sending mail to external users.

Is there any way I can plug this security hole and still allow users to send mail to external users?
0
tjwo94
Asked:
tjwo94
  • 8
  • 6
  • 2
  • +2
1 Solution
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
Hope you havent set Open relay ?
Run EXBPA from the Toolbox in EMC

- Rancy
0
 
Alan HardistyCo-OwnerCommented:
Can you please expand on the Internal Users element.  Do you mean the internal domain name email address, or the actual email address of the sender which you / they are deeming as the internal user?

If you block port 25 inbound, your mail will indeed stop and that wouldn't be a good plan.
0
 
Simon Butler (Sembee)ConsultantCommented:
Automated penetration tests are a pain. They come up with these fanciful ideas but no real answers.

What they are talking about is spoofing, where a remote server can use the from field to enter a host in your domain. A decent antispam application can do that for you, so would be the first place I would look.

This applies to Exchange 2010 as well:
http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

Simon.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Jamie McKillopIT ManagerCommented:
Hello,

Follow the instructions in this article - http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

The article mentions Exchange 2007 but it should also work with Exchange 2010.

JJ
0
 
Alan HardistyCo-OwnerCommented:
JJ - you need to refresh your page / answer a little quicker.  6 minutes between your post and Sembee2's and you hadn't spotted the link you posted was the same.

Alan
0
 
Jamie McKillopIT ManagerCommented:
Alan,

Really?

JJ
0
 
tjwo94Author Commented:
The solution offered in the link appears like it could work. However, I know I have an application for a scanner that is using an internal email address to send reports that requires my receive default connecter to accept "Anonymous users" in order to work.

At the bottom of this page, the writer suggests having other receive connectors for those devices. I am assuming if I want to even attempt the solution he offers, I will have to create a new connector for my scanning software. Any of you familiar with that process?
0
 
Simon Butler (Sembee)ConsultantCommented:
The MS Exchange team have blogged the process here:
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

Simon.
0
 
tjwo94Author Commented:
I think, Sembee2, you have your finger on exactly what I need. Let me ask you this, and see if my thought process is on the right path.

My default send connector as it is now, is allowing anonymous users. If I were to remove that access, would that effectively eliminate my issue with email spoofing? My assumption, is external servers trying to spoof will get a return message saying they could not relay.

If this is true, unchecking anonymous users from my default connector and creating a new connector that is only allowing anonymous from the specific IP of the server needing to send email to internal users, will effectively take of both my problems.

Am I on the right track with this?
0
 
Simon Butler (Sembee)ConsultantCommented:
Send Connector has nothing to do with inbound email, so I presume that you mean Receive Connector.

If you take Anonymous off the Default Receive Connector then you will stop receiving email from the internet. There is no quick and easy way to deal with email spoofing - if there was then it wouldn't be an issue.
The only time you can restrict access on the Receive Connector is when you are getting all of your email from a single source - for example your email comes in through Postini or Message Labs. However I would still prefer to have that traffic restriction on the firewall rather than at Exchange.

If you have something internal that needs to send email through Exchange, setup a specific connector for it, but don't touch the default one.

Simon.
0
 
tjwo94Author Commented:
That is odd, by default my default receive connector did not have anonymous users selected, I had to add it in order to receive the mail from my app server. We were not having any issues receiving mail prior to that and aren't using anything to facilitate the process. I suppose I am a bit confused now as to how my exchange is functioning, I'll let you know today I'd my new receive connector works for my app server or not.
0
 
Simon Butler (Sembee)ConsultantCommented:
How do you receive email from the internet?: Are the MX records pointing to your server, or are you using a third party host somewhere? Anonymous must be abled somewhere to receive email from the outside world.

Simon.
0
 
tjwo94Author Commented:
Looks like I have  a " Windows SBS Internet Receive Servername" receive connector specifically for anonymous users on port 25. I have to assume this is a default connector or one that carried over from a migration, as I wasn't the one who implemented it. Does that sound correct?
0
 
Simon Butler (Sembee)ConsultantCommented:
It would have helped if you said it was SBS server.
SBS creates its own connector that has traffic restricted - not allowing internal systems to connect to it.
Therefore creating another connector with the specific IP address would be your best option, leaving the Default connector alone.

Simon.
0
 
tjwo94Author Commented:
Gotcha. This of course, takes care of my app server, which was able to send it's automated reports this morning with the new connector. Unfortunately, it still leaves me open to spoofing and I'm unsure at this point what I can do to reduce or prevent the chance of it happening.
0
 
tjwo94Author Commented:
Simon, I want to ask you about this blog/conversation as you were apart of it, and I believe coincides with another link posted somewhere in this conversation as a solution.



If I execute the command mentioned by Alan H. on the "Windows SBS Internet Receive Servername" receive connector, will that also effectively prevent the receipt of external mail?

Or is this actually the best method for resolving some of the potential spoofing?
0
 
Simon Butler (Sembee)ConsultantCommented:
There is no easy fix for stopping spoofing.
If there was, everyone would be doing it.
If you modify the connector in anyway then you will stop receiving external email. You could look at doing filtering of email to stop email that claims to come from your domain, but that is about it.

Simon.
0
 
tjwo94Author Commented:
I understand, do you have a resource available I can check out in regards to the filtering?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 8
  • 6
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now