Solved

Exchange 2010 SMTP TCP port 25 security issue

Posted on 2013-01-30
19
725 Views
Last Modified: 2013-02-01
We recently had a penetration test performed, which was excellent but for one issue.

A mail server spoof issue. Essentially, the mail server allows an external user to send email as internal senders via SMTP or TCP port 25.

The suggested solution for the issue given to me by the tester was to configure my mail server to disallow or block SMTP sending from internal addresses.

Now, it is my understanding that if I were in fact to block users in this fashion, no one will be able to send any mail outside of the domain, which is not an option.

My other thought is that if I were to block external SMTP connections or incoming port 25 connections in my firewall, this too would disallow anyone from sending mail to external users.

Is there any way I can plug this security hole and still allow users to send mail to external users?
0
Comment
Question by:tjwo94
19 Comments
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38836725
Hope you haven't set Open relay?
Run EXBPA from the Toolbox in EMC

- Rancy
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38836743
Can you please expand on the Internal Users element? Do you mean the internal domain name email address, or the actual email address of the sender which you / they are deeming as the internal user?

If you block port 25 inbound, your mail will indeed stop and that wouldn't be a good plan.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 38836763
Automated penetration tests are a pain. They come up with these fanciful ideas but no real answers.

What they are talking about is spoofing, where a remote server can use the from field to enter a host in your domain. A decent antispam application can do that for you, so would be the first place I would look.

This applies to Exchange 2010 as well:
http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

Simon.
0
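The approach in the linked article, as an added PowerShell example that is not part of the original thread: on Exchange 2007/2010, an unauthenticated (anonymous) SMTP session may use a sender address in one of your accepted domains only because Anonymous Logon holds the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender extended right on the receive connector. Removing that single right makes the server refuse such MAIL FROM addresses on anonymous sessions while inbound mail from other domains is unaffected. The connector identity "EXCH01\Default EXCH01" is an assumption; substitute the Identity of your internet-facing connector.

```powershell
# Added example, not from the thread. "EXCH01\Default EXCH01" is an assumed
# connector identity; replace it with your internet-facing receive connector.
$connector = "EXCH01\Default EXCH01"
$anon      = "NT AUTHORITY\ANONYMOUS LOGON"
$right     = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Check first: does Anonymous Logon currently hold the right on this connector?
Get-ADPermission -Identity $connector -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 2. Remove only that right. Anonymous keeps ms-Exch-SMTP-Submit, so mail from
#    external domains is still accepted; only sender addresses in your own
#    accepted domains are refused when the session is unauthenticated.
Remove-ADPermission -Identity $connector -User $anon `
    -ExtendedRights $right -Confirm:$false

# 3. Verify: the same filter should now return nothing.
Get-ADPermission -Identity $connector -User $anon |
    Where-Object { $_.ExtendedRights -like $right }
```

Anything that legitimately submits mail unauthenticated with a sender in your domain through that connector (the scanner application discussed later in this thread, a hosted filtering service that passes mail back to you, a third party sending on your behalf) will be refused as well, so give those sources their own receive connector restricted to their IP address, or have them authenticate. Servers delivering ordinary mail from other domains are not affected by this change.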
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 38836789
Hello,

Follow the instructions in this article - http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

The article mentions Exchange 2007 but it should also work with Exchange 2010.

JJ
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38836826
JJ - you need to refresh your page / answer a little quicker. 6 minutes between your post and Sembee2's and you hadn't spotted the link you posted was the same.

Alan
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 38836839
Alan,

Really?

JJ
0
 

Author Comment

by:tjwo94
ID: 38836880
The solution offered in the link appears like it could work. However, I know I have an application for a scanner that is using an internal email address to send reports that requires my default receive connector to accept "Anonymous users" in order to work.

At the bottom of this page, the writer suggests having other receive connectors for those devices. I am assuming if I want to even attempt the solution he offers, I will have to create a new connector for my scanning software. Any of you familiar with that process?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38837392
The MS Exchange team have blogged the process here:
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

Simon.
0
 

Author Comment

by:tjwo94
ID: 38840657
I think, Sembee2, you have your finger on exactly what I need. Let me ask you this, and see if my thought process is on the right path.

My default send connector, as it is now, is allowing anonymous users. If I were to remove that access, would that effectively eliminate my issue with email spoofing? My assumption is that external servers trying to spoof will get a return message saying they could not relay.

If this is true, unchecking anonymous users from my default connector and creating a new connector that is only allowing anonymous from the specific IP of the server needing to send email to internal users will effectively take care of both my problems.

Am I on the right track with this?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38842702
Send Connector has nothing to do with inbound email, so I presume that you mean Receive Connector.

If you take Anonymous off the Default Receive Connector then you will stop receiving email from the internet. There is no quick and easy way to deal with email spoofing - if there was then it wouldn't be an issue.
The only time you can restrict access on the Receive Connector is when you are getting all of your email from a single source - for example your email comes in through Postini or Message Labs. However I would still prefer to have that traffic restriction on the firewall rather than at Exchange.

If you have something internal that needs to send email through Exchange, setup a specific connector for it, but don't touch the default one.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38843376
That is odd; by default my default receive connector did not have anonymous users selected, I had to add it in order to receive the mail from my app server. We were not having any issues receiving mail prior to that and aren't using anything to facilitate the process. I suppose I am a bit confused now as to how my Exchange is functioning. I'll let you know today if my new receive connector works for my app server or not.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843700
How do you receive email from the internet? Are the MX records pointing to your server, or are you using a third party host somewhere? Anonymous must be enabled somewhere to receive email from the outside world.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38843730
Looks like I have a "Windows SBS Internet Receive Servername" receive connector specifically for anonymous users on port 25. I have to assume this is a default connector or one that carried over from a migration, as I wasn't the one who implemented it. Does that sound correct?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843877
It would have helped if you said it was an SBS server.
SBS creates its own connector that has traffic restricted - not allowing internal systems to connect to it.
Therefore creating another connector with the specific IP address would be your best option, leaving the Default connector alone.

Simon.
0
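The dedicated connector described above (a connector that only accepts the app server's IP, leaving the default and SBS Internet connectors untouched), as an added PowerShell example that is not part of the original thread. The server name "EXCH01", the connector name and the scanner address 192.0.2.25 are assumptions.

```powershell
# Added example, not from the thread. Server name and the scanner's IP are assumptions.
$server  = "EXCH01"
$scanner = "192.0.2.25"   # the app/scanner server that must submit mail unauthenticated

# Dedicated connector: binds port 25 like the existing connectors, but its
# RemoteIPRanges contains only the scanner, so no other host can reach it.
New-ReceiveConnector -Name "Scanner Submission" -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $scanner `
    -PermissionGroups AnonymousUsers

# Exchange hands an inbound session to the connector whose RemoteIPRanges match
# the source address most specifically, so sessions from the scanner land here
# while every other source still hits the Internet-facing connector, which is
# left exactly as it was.
Get-ReceiveConnector -Server $server |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups |
    Format-Table -AutoSize
```

This is enough for a device that only sends reports to internal recipients. If the device also needs to send to external addresses, that is relaying and needs the additional extended right described in the Exchange team blog post linked earlier in this thread; granting it on a connector restricted to one IP address keeps the server from becoming an open relay.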
 

Author Comment

by:tjwo94
ID: 38843900
Gotcha. This, of course, takes care of my app server, which was able to send its automated reports this morning with the new connector. Unfortunately, it still leaves me open to spoofing and I'm unsure at this point what I can do to reduce or prevent the chance of it happening.
0
 

Author Comment

by:tjwo94
ID: 38843961
Simon, I want to ask you about this blog/conversation as you were a part of it, and I believe it coincides with another link posted somewhere in this conversation as a solution.



If I execute the command mentioned by Alan H. on the "Windows SBS Internet Receive Servername" receive connector, will that also effectively prevent the receipt of external mail?

Or is this actually the best method for resolving some of the potential spoofing?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38843990
There is no easy fix for stopping spoofing.
If there was, everyone would be doing it.
If you modify the connector in any way then you will stop receiving external email. You could look at doing filtering of email to stop email that claims to come from your domain, but that is about it.

Simon.
0
 

Author Comment

by:tjwo94
ID: 38844001
I understand. Do you have a resource available I can check out in regards to the filtering?
0
