01-14-2014 10:48 AM
Hi,
I was told by a tester that if they Telnet to the ESA (c170 recent code) on port 25 and use an existing inside email address as the sender and the recipient, it is accepted. Where do I disable this in the configuration?
Thanks.
01-14-2014 11:09 AM
If you are asking how to disable telnet - that is set at the IP Interface level, web GUI -> Network -> IP Interfaces
Choose the interface you are after, and then you'll see Telnet listed in the services section.
If you are asking about turning down port 25 --- port 25 would be how mail is sent/received on the appliance - so, if you are expecting mail flow - I would not suggest turning that off --- unless you have private ports set.
You can configure the listening/sending port from the web GUI -> Network -> Listeners
This will list any/all listeners configured, and the ports in use.
Submit/Commit any changes needed.
Hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
01-14-2014 11:21 AM
Hi Robert,
To clarify, a penetration test was carried out against a client's infrastructure. The ESA allowed them to spoof the sender's email address (via telnet) as coming from an inside address.
Since this is happening during the SMTP conversation, I wasn't sure it would get through, but it's being held up as a knock against the ESA security. I have a screen capture of the conversation.
Since anything done via telnet could be automated, I'm looking for the way to disable the following....
mail from:legit-user@inside-domain.com
250 sender <legit-user@inside-domain.com> ok
rcpt to:legit-user@inside-domain.com
250 recipient <legit-user@inside-domain.com> ok
data
354 go ahead
This is proof of concept that your mail server could be used for phishing inside the company.
Regards,
Pen Tester
.
250 ok: Message 560945 accepted
01-16-2014 12:47 PM
If that is the case - then you would need to limit the telnet access on the network down to the sending Exchange/mail server - or other deemed OK hosts on the network, and disallow all other traffic --- that way you would not be allowing everyone on the internal network to be able to send direct telnet over port 25 to the waiting listener.
You would need to take care to not block out IPs of internal servers/hosts that are expected to properly send direct to the ESA in order to process mail.
If you have the RAT set for the domains expecting to move mail - this should only be sending to those (internal) domains.
One thing to keep in mind - if you are in a paranoid/security driven configuration - think about implementing Rate Limiting for Envelope Servers on the mail flow policy --- that way, you would be limiting the amount of traffic a from address may be generating...
In a telnet session - you'd see:
452 Too many recipients received this hour
Then that user would be locked for the clock hour...
As long as you have notifications enabled to send to your ESA admin or mail-distro - you'd then be notified in case you have a malicious user, and be able to thwart this in a timely fashion.
-Robert
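An added example, not part of the thread or of the appliance's own tooling: a defender-side check for the situation discussed above, flagging messages whose envelope sender is in the inside domain but which were submitted from a host outside the approved sending servers. The log lines, the relay address 10.0.0.25 and the simplified log format are constructed assumptions; adapt the patterns to the real mail logs.

```python
import ipaddress
import re

# Assumptions for this sketch: the protected domain and the hosts allowed to
# submit mail with an inside sender (for example the Exchange server).
INTERNAL_DOMAINS = {"inside-domain.com"}
APPROVED_RELAYS = [ipaddress.ip_network("10.0.0.25/32")]

# Constructed sample lines in a simplified connection/message log format
# (ICID = connection id, MID = message id). Not captured from a real system.
SAMPLE_LOG = """\
Info: New SMTP ICID 7001 address 10.0.0.25
Info: MID 101 ICID 7001 From: <legit-user@inside-domain.com>
Info: New SMTP ICID 7002 address 10.0.4.77
Info: MID 102 ICID 7002 From: <legit-user@inside-domain.com>
Info: New SMTP ICID 7003 address 203.0.113.9
Info: MID 103 ICID 7003 From: <someone@example.org>
"""

CONN_RE = re.compile(r"New SMTP ICID (\d+) address (\S+)")
FROM_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")


def is_approved(ip):
    """True if the source address belongs to an approved sending host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_RELAYS)


def find_spoofed_inside_senders(log_text):
    """Return (mid, source_ip, sender) for inside-domain envelope senders
    submitted from hosts that are not approved relays."""
    conn_ip = {}   # ICID -> source IP of that connection
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        mid, icid, sender = m.groups()
        domain = sender.rpartition("@")[2].lower()
        ip = conn_ip.get(icid)
        if domain in INTERNAL_DOMAINS and ip and not is_approved(ip):
            findings.append((mid, ip, sender))
    return findings

print(find_spoofed_inside_senders(SAMPLE_LOG))
```

Each finding is a message that claimed an inside sender without coming from an approved host, which is the same condition the access restriction described in the reply is meant to prevent.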