Solved

Open Mail Relaying - security issue?

Posted on 2016-08-11
Last Modified: 2016-08-11
Running security scan in our organization.
When it comes to our e-mail secure gateway (mx record server) an issue is found from Nessus:
https://www.tenable.com/plugins/index.php?view=single&id=10262
The remote SMTP server appears to allow mail relaying. This means that an unauthenticated, remote user could possibly use the mail server to send messages to the world, thus wasting network bandwidth and computer resources. Such servers are targeted by spammers for sending unsolicited bulk email (UBE).

Is this not applicable because this is our e-mail secure gateway that receives e-mail from the internet to filter and pass on to our Exchange servers?

Or is an email secure gateway not supposed to allow relay?

Just wondering if I need to tighten security at all.
Question by:garryshape

13 Comments

Expert Comment

by:giltjr
ID: 41752966
An open relay is an e-mail server that would allow me to send e-mail to anybody else in the world thru it.  It is considered a serious security issue.

Open relay e-mail servers are used by spammers to hide themselves.

https://en.wikipedia.org/wiki/Open_mail_relay

Author Comment

by:garryshape
ID: 41752970
So does it not need to be open in order to receive e-mail from the internet?

If user@gmail.com sends an e-mail to me at user@ourdomain.com, and relay is off of our appliance, how does the e-mail from gmail get to me at ourdomain.com?

I ran http://mxtoolbox.com/diagnostic.aspx  test against multiple mail servers online and it appears to accept the message.

SMTP (TCP Port 25) - The SMTP service receives email from email clients and other MTAs. Note that restricting the SMTP service will impact the ability of the appliance to filter email.

Expert Comment

by:giltjr
ID: 41752995
No, you should have it configured to receive e-mail for your domain and your domain only.

Author Comment

by:garryshape
ID: 41752998
So my company shouldn't receive e-mail from anyone outside of our company?
We're going to lose a lot of business :(

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753003
No it should receive e-mail TO your company.  The FROM e-mail address can be anything.

In other words you should NOT receive e-mail going TO somebody@gmail.com.

Author Comment

by:garryshape
ID: 41753007
Yes that is established and configured accordingly on the e-mail firewall.
My question is whether this is a false positive report of open relay.
Basically, should "telnet ourdomain.com 25" connect successfully in order for e-mail to properly function?

Sender Policy Framework (SPF) works in verifying whether the sender domain is from that domain.
MTA log reports the tests as blocked when e-mail is sent via telnet from the internet.

Accepted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753018
Yes, that should work.  What you need to test is doing the following:

telnet ourdomain.com 25
HELO somedomain.com
MAIL FROM:<youraddress@gmail.com>
RCPT TO:<youraddress@gmail.com>
DATA
From: youraddress@gmail.com
To:   youraddress@gmail.com
Subject:  Test Open Relay

Testing for open relay

.
QUIT

After you type "Testing for open relay" you need to press enter twice then enter a period.
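A scripted form of the manual telnet test above, added here as an example that is not part of the original thread: it keeps "port 25 answers" separate from "a recipient outside our domain is accepted", which is the distinction the scan finding turns on. The host name, addresses and function names are placeholders or hypothetical, and the probe stops before DATA so nothing is queued.

```python
import smtplib

RELAY_ACCEPTED = "relay-accepted"    # external RCPT got 250/251: investigate
OWN_DOMAIN_ONLY = "own-domain-only"  # external refused, local accepted: expected
INCONCLUSIVE = "inconclusive"        # nothing accepted (scanner blocked, greylisting, ...)


def probe_relay(session, sender, external_rcpt, local_rcpt):
    """Replay the envelope of the manual test and return the reply codes.

    `session` must offer helo/rset/mail/rcpt returning (code, message), as
    smtplib.SMTP does; smtplib adds the "<" and ">" around addresses itself.
    The probe stops before DATA, so no message is ever queued.
    """
    session.helo("scanner.example.org")          # constructed HELO name
    codes = {}
    for label, rcpt in (("external", external_rcpt), ("local", local_rcpt)):
        session.rset()                           # fresh envelope per recipient
        code, _ = session.mail(sender)
        if code == 250:                          # only try RCPT if MAIL FROM passed
            code, _ = session.rcpt(rcpt)
        codes[label] = code
    return codes


def verdict(codes):
    """Map the two reply codes to one of the three outcomes above."""
    accepted = {label: code in (250, 251) for label, code in codes.items()}
    if accepted["external"]:
        return RELAY_ACCEPTED
    return OWN_DOMAIN_ONLY if accepted["local"] else INCONCLUSIVE


def check_gateway(host, sender, external_rcpt, local_rcpt, port=25):
    # A successful connect only proves the MX is listening, which it must be.
    with smtplib.SMTP(host, port, timeout=15) as session:
        return verdict(probe_relay(session, sender, external_rcpt, local_rcpt))

# Usage from outside the network (placeholder names, not from the thread):
# check_gateway("mx.ourdomain.example", "probe@example.org",
#               "probe@example.net", "postmaster@ourdomain.example")
```

A `relay-accepted` result means only that the gateway answered 250 or 251 to the external recipient; some gateways accept at RCPT and block later, so the MTA log decides whether anything would actually be delivered.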

Expert Comment

by:giltjr
ID: 41753020
Oh, you need to include the "<" and ">" on the MAIL FROM and RCPT TO commands.

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753029
Oh one other thing, I am assuming that "ourdomain.com" resolves to the IP address of your SMTP gateway that we are talking about.

Expert Comment

by:jessbruffett
ID: 41753054
One thing to add to @garryshape in case you aren't already: make sure you're scanning your business resources from OUTSIDE your business network. Even targeting the WAN IP from inside the LAN can bypass the firewall settings and give false positives.

Author Closing Comment

by:garryshape
ID: 41753055
Yes, that was setup in DNS by someone else, and I confirmed.

I was just a bit confused about why Nessus scan was showing it as open relay.  And pointing out that a successful telnet session meant it was vulnerable.

Thanks for the advice and info

Author Comment

by:garryshape
ID: 41753057
Yeah it is being scanned outside. But it shows the same result whether I scan other people's mx record server hosts/IPs as well. Try your own domain mail gateway

Expert Comment

by:giltjr
ID: 41753100
Being able to connect to a SMTP server on port 25 is normal, that is the port SMTP uses.

Being an open relay is something totally different.  Not sure what tool you are using to scan other SMTP servers, but (again) connecting to port 25 is normal for a SMTP server.  If you could not connect, then you would not be able to receive e-mail.