Solved

Open Mail Relaying - security issue?

Posted on 2016-08-11
Last Modified: 2016-08-11
Running security scan in our organization.
When it comes to our e-mail secure gateway (mx record server) an issue is found from Nessus:
https://www.tenable.com/plugins/index.php?view=single&id=10262
The remote SMTP server appears to allow mail relaying. This means that an unauthenticated, remote user could possibly use the mail server to send messages to the world, thus wasting network bandwidth and computer resources. Such servers are targeted by spammers for sending unsolicited bulk email (UBE).

Is this not applicable because this is our e-mail secure gateway that receives e-mail from the internet to filter and pass on to our Exchange servers?

Or is an email secure gateway not supposed to allow relay?

Just wondering if I need to tighten security at all.
0
Question by:garryshape
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 41752966
An open relay is an e-mail server that would allow me to send e-mail to anybody else in the world thru it.  It is considered a serious security issue.

Open relay e-mail servers are used by spammers to hide themselves.

https://en.wikipedia.org/wiki/Open_mail_relay
0
 

Author Comment

by:garryshape
ID: 41752970
So does it not need to be open in order to receive e-mail from the internet?

If user@gmail.com sends an e-mail to me at user@ourdomain.com, and relay is off of our appliance, how does the e-mail from gmail get to me at ourdomain.com?

I ran http://mxtoolbox.com/diagnostic.aspx  test against multiple mail servers online and it appears to accept the message.

SMTP (TCP Port 25) - The SMTP service receives email from email clients and other MTAs. Note that restricting the SMTP service will impact the ability of the appliance to filter email.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41752995
No, you should have it configured to receive e-mail for your domain and your domain only.
0
 

Author Comment

by:garryshape
ID: 41752998
So my company shouldn't receive e-mail from anyone outside of our company?
We're going to lose a lot of business :(
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753003
No, it should receive e-mail TO your company.  The FROM e-mail address can be anything.

In other words you should NOT receive e-mail going TO somebody@gmail.com.
0
 

Author Comment

by:garryshape
ID: 41753007
Yes that is established and configured accordingly on the e-mail firewall.
My question is whether this is a false positive report of open relay.
Basically, should "telnet ourdomain.com 25" connect successfully in order for e-mail to properly function?

Sender Policy Framework (SPF) works in verifying whether the sender domain is from that domain.
MTA log reports the tests as blocked when e-mail is sent via telnet from the internet.
0
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753018
Yes, that should work.  What you need to test is doing the following:

telnet ourdomain.com 25
HELO somedomain.com
MAIL FROM:<youraddress@gmail.com>
RCPT TO:<youraddress@gmail.com>
DATA
From: youraddress@gmail.com
To:   youraddress@gmail.com
Subject:  Test Open Relay

Testing for open relay

.
QUIT

After you type "Testing for open relay" you need to press enter twice then enter a period.
0
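
The manual test above, scripted as an added example that is not part of giltjr's post: it runs the same MAIL FROM / RCPT TO exchange through Python's smtplib against your own gateway and stops before DATA, so nothing is queued. The sender, the `.example` addresses and the verdict labels are assumptions chosen for illustration; use an external address you control in place of the placeholder recipient.

```python
import smtplib
import sys

def probe_relay(smtp, local_rcpt, external_rcpt,
                sender="probe@scanner.example", helo="scanner.example"):
    """Ask an already-connected smtplib.SMTP-like object whether it accepts
    a recipient in our own domain and a recipient in a foreign domain.
    Returns the RCPT TO reply codes: {"local": code, "external": code}."""
    smtp.helo(helo)
    codes = {}
    for label, rcpt in (("local", local_rcpt), ("external", external_rcpt)):
        smtp.rset()                  # start a clean mail transaction
        smtp.mail(sender)            # smtplib adds the "<" and ">" itself
        codes[label], _ = smtp.rcpt(rcpt)
    return codes

def verdict(codes):
    """Interpret the codes from probe_relay(); 2xx means the recipient was accepted."""
    accepted = {k: 200 <= v < 300 for k, v in codes.items()}
    if accepted["external"]:
        # Unauthenticated outside sender, outside recipient, still accepted.
        # Some gateways accept at RCPT and block later, so confirm in the
        # MTA log whether the message would really have been relayed.
        return "OPEN_RELAY_SUSPECTED"
    if accepted["local"]:
        # Port 25 answers and takes mail TO our domain only: normal for an MX.
        return "INBOUND_ONLY"
    return "REJECTS_ALL"             # inbound mail for our domain would fail too

if __name__ == "__main__":
    # Usage: python relay_check.py <gateway host> <your mail domain>
    host, domain = sys.argv[1], sys.argv[2]
    with smtplib.SMTP(host, 25, timeout=15) as conn:
        # "probe@elsewhere.example" is a placeholder external recipient.
        codes = probe_relay(conn, f"postmaster@{domain}", "probe@elsewhere.example")
    print(codes, verdict(codes))
```

Run it from outside the network being tested; an INBOUND_ONLY result alongside a scanner's open-relay finding points to a false positive.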
 
LVL 57

Expert Comment

by:giltjr
ID: 41753020
Oh, you need to include the "<" and ">" on the MAIL FROM and RCPT TO commands.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 500 total points
ID: 41753029
Oh one other thing, I am assuming that "ourdomain.com" resolves to the IP address of your SMTP gateway that we are talking about.
0
 
LVL 4

Expert Comment

by:jessbruffett
ID: 41753054
One thing to add to @garryshape in case you aren't already: make sure you're scanning your business resources from OUTSIDE your business network. Even targeting the WAN IP from inside the LAN can bypass the firewall settings and give false positives.
0
 

Author Closing Comment

by:garryshape
ID: 41753055
Yes, that was setup in DNS by someone else, and I confirmed.

I was just a bit confused about why Nessus scan was showing it as open relay.  And pointing out that a successful telnet session meant it was vulnerable.

Thanks for the advice and info
0
 

Author Comment

by:garryshape
ID: 41753057
Yeah it is being scanned outside. But it shows the same result whether I scan other people's mx record server hosts/IPs as well. Try your own domain mail gateway
0
 
LVL 57

Expert Comment

by:giltjr
ID: 41753100
Being able to connect to an SMTP server on port 25 is normal, that is the port SMTP uses.

Being an open relay is something totally different.  Not sure what tool you are using to scan other SMTP servers, but (again) connecting to port 25 is normal for an SMTP server.  If you could not connect, then you would not be able to receive e-mail.
0
