Solved

Open Mail Relaying - security issue?

Posted on 2016-08-11
Last Modified: 2016-08-11
Running security scan in our organization.
When it comes to our e-mail secure gateway (mx record server) an issue is found from Nessus:
https://www.tenable.com/plugins/index.php?view=single&id=10262
The remote SMTP server appears to allow mail relaying. This means that an unauthenticated, remote user could possibly use the mail server to send messages to the world, thus wasting network bandwidth and computer resources. Such servers are targeted by spammers for sending unsolicited bulk email (UBE).

Is this not applicable because this is our e-mail secure gateway that receives e-mail from the internet to filter and pass on to our Exchange servers?

Or is an e-mail secure gateway not supposed to allow relay?

Just wondering if I need to tighten security at all.
Question by:garryshape
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 41752966
An open relay is an e-mail server that would allow me to send e-mail to anybody else in the world through it.  It is considered a serious security issue.

Open relay e-mail servers are used by spammers to hide themselves.

https://en.wikipedia.org/wiki/Open_mail_relay
 

Author Comment

by:garryshape
ID: 41752970
So does it not need to be open in order to receive e-mail from the internet?

If user@gmail.com sends an e-mail to me at user@ourdomain.com, and relay is off of our appliance, how does the e-mail from gmail get to me at ourdomain.com?

I ran http://mxtoolbox.com/diagnostic.aspx  test against multiple mail servers online and it appears to accept the message.

SMTP (TCP Port 25) - The SMTP service receives email from email clients and other MTAs. Note that restricting the SMTP service will impact the ability of the appliance to filter email.
 
LVL 57

Expert Comment

by:giltjr
ID: 41752995
No, you should have it configured to receive e-mail for your domain and your domain only.
 

Author Comment

by:garryshape
ID: 41752998
So my company shouldn't receive e-mail from anyone outside of our company?
We're going to lose a lot of business :(
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753003
No it should receive e-mail TO your company.  The FROM e-mail address can be anything.

In other words you should NOT receive e-mail going TO somebody@gmail.com.
 

Author Comment

by:garryshape
ID: 41753007
Yes that is established and configured accordingly on the e-mail firewall.
My question is whether this is a false positive report of open relay.
Basically, should "telnet ourdomain.com 25" connect successfully in order for e-mail to properly function?

Sender Policy Framework (SPF) works in verifying whether the sender domain is from that domain.
MTA log reports the tests as blocked when e-mail sent via telnet from the internet.
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753018
Yes, that should work.  What you need to test is doing the following:

telnet ourdomain.com 25
HELO somedomain.com
MAIL FROM:<youraddress@gmail.com>
RCPT TO:<youraddress@gmail.com>
DATA
From: youraddress@gmail.com
To:   youraddress@gmail.com
Subject:  Test Open Relay

Testing for open relay

.
QUIT

After you type "Testing for open relay" you need to press enter twice, then enter a period.
 
LVL 57

Expert Comment

by:giltjr
ID: 41753020
Oh, you need to include the "<" and ">" on the MAIL FROM and RCPT TO commands.
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753029
Oh one other thing, I am assuming that "ourdomain.com" resolves to the IP address of your SMTP gateway that we are talking about.
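The telnet session above can be scripted so the check is repeatable from outside the network. The following is an added example, not code from the thread or from any vendor: probe_rcpt() drives a real SMTP session exactly as giltjr describes (HELO, MAIL FROM, RCPT TO to an address the gateway does not host) but stops before DATA and sends RSET and QUIT, so nothing is queued even if the gateway would relay. RelayPolicyServer is a constructed stand-in for the gateway that applies the policy from his earlier comment (accept mail TO our domain only; the FROM can be anything), so the exchange can be exercised locally. The host names, ports and addresses are placeholders; "ourdomain.com" is assumed to be the protected domain.

```python
"""Open-relay probe for an SMTP gateway, with a constructed policy server.

Added example, not code from the original thread. probe_rcpt() is the client
side of the test; RelayPolicyServer is a constructed stand-in for the gateway
that accepts RCPT TO only for LOCAL_DOMAINS. All names are placeholders.
"""
import smtplib
import socket
import threading

LOCAL_DOMAINS = {"ourdomain.com"}   # assumed: the domain the gateway protects


def probe_rcpt(host, port=25, rcpt_to="victim@example.org",
               helo="probe.example", mail_from="tester@example.net", timeout=10):
    """Return (code, text) of the gateway's reply to RCPT TO:<rcpt_to>.

    Stops before DATA and sends RSET then QUIT (via the context manager),
    so no message is delivered even when the recipient is accepted.
    """
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        code, text = smtp.helo(helo)
        if code != 250:
            return code, text.decode(errors="replace")
        code, text = smtp.mail(mail_from)          # sender can be anyone
        if code != 250:
            return code, text.decode(errors="replace")
        code, text = smtp.rcpt(rcpt_to)            # the relay decision is here
        smtp.rset()
        return code, text.decode(errors="replace")


def is_open_relay(host, port=25, external_rcpt="victim@example.org"):
    """True if the gateway accepts (2xx) a recipient in a domain it does not host."""
    code, _ = probe_rcpt(host, port, rcpt_to=external_rcpt)
    return 200 <= code < 300


class RelayPolicyServer(threading.Thread):
    """Constructed minimal SMTP listener playing the gateway's part.

    Answers HELO/MAIL/RSET/QUIT and, for RCPT TO, accepts only recipients in
    local_domains, refusing everything else with 554 5.7.1. Just enough of
    the protocol for the probe; it is not a real MTA.
    """

    def __init__(self, local_domains, bind="127.0.0.1"):
        super().__init__(daemon=True)
        self.local_domains = {d.lower() for d in local_domains}
        self.sock = socket.socket()
        self.sock.bind((bind, 0))          # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 gw.ourdomain.com ESMTP\r\n")
            for raw in rd:
                line = raw.decode(errors="replace").rstrip("\r\n")
                verb = line[:4].upper()
                if verb == "HELO":
                    reply = "250 gw.ourdomain.com"
                elif verb == "MAIL":
                    reply = "250 2.1.0 Ok"                      # FROM is not policed
                elif verb == "RCPT":
                    addr = line.partition("<")[2].partition(">")[0]
                    domain = addr.rpartition("@")[2].lower()
                    if domain in self.local_domains:
                        reply = "250 2.1.5 Ok"                  # mail TO us: accept
                    else:
                        reply = "554 5.7.1 <%s>: Relay access denied" % addr
                elif verb == "RSET":
                    reply = "250 2.0.0 Ok"
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    reply = "502 5.5.2 Command not implemented"
                conn.sendall((reply + "\r\n").encode())


if __name__ == "__main__":
    gw = RelayPolicyServer(LOCAL_DOMAINS)
    gw.start()
    for rcpt in ("victim@example.org", "user@ourdomain.com"):
        print(rcpt, "->", probe_rcpt("127.0.0.1", gw.port, rcpt_to=rcpt))
    print("open relay:", is_open_relay("127.0.0.1", gw.port))
```

Against a real gateway, call probe_rcpt() with the public MX host and port 25 from a machine outside the network. A 250 to the external recipient is the finding Nessus is reporting; a 5xx at RCPT TO means relaying is refused. Some MTAs defer the rejection until the end of DATA, in which case a 250 here is not yet conclusive and the full session from the thread (through the terminating period) is the check to run.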
 
LVL 4

Expert Comment

by:jessbruffett
ID: 41753054
One thing to add for @garryshape, in case you aren't already: make sure you're scanning your business resources from OUTSIDE your business network. Even targeting the WAN IP from inside the LAN can bypass the firewall settings and give false positives.
 

Author Closing Comment

by:garryshape
ID: 41753055
Yes, that was setup in DNS by someone else, and I confirmed.

I was just a bit confused about why Nessus scan was showing it as open relay.  And pointing out that a successful telnet session meant it was vulnerable.

Thanks for the advice and info
 

Author Comment

by:garryshape
ID: 41753057
Yeah, it is being scanned from outside. But it shows the same result whether I scan other people's MX record server hosts/IPs as well. Try your own domain mail gateway.
 
LVL 57

Expert Comment

by:giltjr
ID: 41753100
Being able to connect to a SMTP server on port 25 is normal, that is the port SMTP uses.

Being an open relay is something totally different.  Not sure what tool you are using to scan other SMTP servers, but (again) connecting to port 25 is normal for a SMTP server.  If you could not connect, then you would not be able to receive e-mail.