ESA disable closed relay

lcaruso
Level 6

Hi,

I was told by a tester that if they Telnet to the ESA (c170 recent code) on port 25 and use an existing inside email address as the sender and the recipient, it is accepted. Where do I disable this in the configuration?

Thanks.

Accepted Solution

Robert Sherwin
Cisco Employee

If you are asking how to disable telnet - that is set at the IP Interface level, web GUI -> Network -> IP Interfaces

Choose the interface you are after, and then you'll see Telnet listed in the services section.

If you are asking about turning down port 25 --- port 25 would be how mail is sent/received on the appliance - so, if you are expecting mail flow - I would not suggest turning that off --- unless you have private ports set.

You can configure the listening/sending port from the web GUI -> Network -> Listeners

This will list any/all listeners configured, and the ports in use.

Submit/Commit any changes needed.

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

3 Replies

Hi Robert,

To clarify, a penetration test was carried out against a client's infrastructure. The ESA allowed them to spoof the sender's email address (via telnet) as coming from an inside address.

Since this is happening during the SMTP conversation, I wasn't sure it would get through, but it's being held up as a knock against the ESA security. I have a screen capture of the conversation.

Since anything done via telnet could be automated, I'm looking for the way to disable the following....

mail from:legit-user@inside-domain.com

250 sender <legit-user@inside-domain.com> ok

rcpt to:legit-user@inside-domain.com

250 recipient <legit-user@inside-domain.com> ok

data

354 go ahead

This is proof of concept that your mail server could be used for phishing inside the company.

Regards,

Pen Tester

.

250 ok: Message 560945 accepted

If that is the case - then you would need to limit the telnet access on the network down to the sending Exchange/mail server - or other deemed OK hosts on the network, and disallow all other traffic --- that way you would not be allowing everyone on the internal network to be able to send direct telnet over port 25 to the waiting listener.

You would need to take care to not block out IPs of internal servers/hosts that are expected to properly send direct to the ESA in order to process mail. 

If you have the RAT set for the domains expecting to move mail - this should only be sending to those (internal) domains. 

One thing to keep in mind - if you are in a paranoid/security driven configuration - think about implementing Rate Limiting for Envelope Servers on the mail flow policy --- that way, you would be limiting the amount of traffic a from address may be generating...

In the telnet session you'd see:

452 Too many recipients received this hour

Then that user would be locked for the clock hour...

As long as you have notifications enabled to send to your ESA admin or mail-distro, you'd then be notified in case you have a malicious user, and be able to thwart this in a timely fashion.

-Robert
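The three controls Robert describes (limit which internal hosts may open an SMTP session to the listener, let the RAT decide which recipient domains are accepted, and rate-limit recipients per envelope sender per clock hour) can be modelled as a small policy simulation. The block below is an added example written for this page, not ESA code or ESA configuration syntax: the class and method names, the `10.0.0.10/32` relay host, the `554`/`550` reply wording and the per-hour limit are all assumptions; only the `250 sender ... ok`, `250 recipient ... ok` and `452 Too many recipients received this hour` replies are taken from the transcript and the reply above. Replaying the tester's MAIL FROM / RCPT TO sequence against it shows that the spoofed envelope sender is accepted on its own, and that it is the connecting host, the recipient domain and the hourly count that decide whether the session gets anywhere.

```python
"""Simulated inbound-listener policy: which hosts may talk to port 25,
which recipient domains are accepted (RAT-style), and an hourly
envelope-sender rate limit.  Constructed example; not ESA code."""
import ipaddress
from collections import defaultdict


class ListenerPolicy:
    """Models the three controls from the reply above; all names are assumptions."""

    def __init__(self, allowed_relay_hosts, accepted_rcpt_domains, max_rcpt_per_hour):
        # Hosts allowed to open an SMTP session to the listener (HAT-style allow list).
        self.allowed = [ipaddress.ip_network(h) for h in allowed_relay_hosts]
        # Domains the listener will accept mail for (RAT-style list).
        self.rcpt_domains = {d.lower() for d in accepted_rcpt_domains}
        self.limit = max_rcpt_per_hour
        # (envelope sender, clock hour) -> recipients accepted so far
        self.counts = defaultdict(int)

    def connect(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.allowed):
            return "220 esa.inside-domain.com ESMTP"  # greeting text is constructed
        return "554 connection from unauthorized host refused"  # illustrative wording

    def mail_from(self, sender):
        # A spoofed MAIL FROM is not itself what gets blocked; the connecting host is.
        return f"250 sender <{sender}> ok"

    def rcpt_to(self, sender, recipient, hour):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in self.rcpt_domains:
            return "550 relaying denied"  # illustrative wording
        key = (sender.lower(), hour)
        if self.counts[key] >= self.limit:
            # Reply text as shown in the thread; the sender stays limited for the clock hour.
            return "452 Too many recipients received this hour"
        self.counts[key] += 1
        return f"250 recipient <{recipient}> ok"


def run_session(policy, client_ip, sender, recipients, hour):
    """Replay a MAIL FROM / RCPT TO exchange and return the server replies in order."""
    replies = [policy.connect(client_ip)]
    if not replies[0].startswith("220"):
        return replies  # session never reaches MAIL FROM
    replies.append(policy.mail_from(sender))
    for rcpt in recipients:
        replies.append(policy.rcpt_to(sender, rcpt, hour))
    return replies


if __name__ == "__main__":
    policy = ListenerPolicy(
        allowed_relay_hosts=["10.0.0.10/32"],        # hypothetical internal mail server
        accepted_rcpt_domains=["inside-domain.com"],
        max_rcpt_per_hour=3,
    )
    sender = "legit-user@inside-domain.com"
    # A workstation replaying the tester's transcript is refused at connect.
    print("\n".join(run_session(policy, "10.0.5.23", sender, [sender], hour=14)))
    # The allowed mail server gets three recipients, then the 452 from the thread.
    bulk = [f"user{i}@inside-domain.com" for i in range(4)]
    print("\n".join(run_session(policy, "10.0.0.10", sender, bulk, hour=14)))
```

The `hour` parameter stands in for the clock hour the appliance would key its counters on; a caller would pass `datetime.now().hour` (or a UTC equivalent) rather than a constant.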