ESA | disable telnet

John
Level 1

We did another test: telnetting to these two IP addresses on port 25, and I found I can send email to any of your domains' users anonymously.

5 Replies

Libin Varghese
Cisco Employee

John,

Complete these steps in order to disable Telnet:

  1. Log into the web GUI.
  2. Navigate to Network > IP Interfaces.
  3. Click the name of the interface that you want to edit.
  4. Uncheck the Telnet check box in the Services field.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118462-technote-esa-00.html

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117914-configure-ccs-00.html

Thanks!

Libin Varghese

Hello Libin,

Thank you for your quick response. On checking our ESA, there is no Telnet entry in the Services field (please see attached).

Hello John,

SMTP (as per RFC 5321) is a session-oriented protocol using port 25. So it is true that you can use a telnet client to connect to port 25 on the appliance and inject emails; this is how the SMTP protocol is supposed to work. It is also true that you can use any envelope sender address within the telnet session, but every other mail server that connects to your appliance could do this as well. This is due to the fact that the SMTP protocol was born without any security features when it was first drafted. If envelope sender address spoofing is your concern here, then you could use the envelope sender verification setting in the Mail Flow Policies to tackle this.

For me the main question is whether you can inject email with recipients for your domains only, or for any domain (e.g. gmail) as well. If mails get accepted for any recipient (even outside your domains), you may innocently be running an open relay server. I'd then recommend verifying whether the source IP address you initiated your telnet session from is listed in a RELAYLIST sender group in the Host Access Table of your appliance. If not, please verify whether the Recipient Access Table (RAT) entry "All Other Recipients" is set to "Accept" instead of "Reject".

Best regards,

Martin
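The open-relay check Martin describes, as an added example that is not part of this thread and not Cisco's code: a probe that performs the EHLO / MAIL FROM / RCPT TO exchange over port 25 and classifies the host as an open relay if any recipient outside the local domains is accepted with a 2xx reply. It never sends DATA, so no message is injected. To make it runnable offline, the block also starts a small fake listener on loopback that mimics the RAT decision (accept local domains, reject everything else) and, optionally, a RELAYLIST match that accepts any recipient. The hostnames, domains, and the `relaylist_client` flag are constructed assumptions for the example.

```python
"""Open-relay probe plus a fake ESA-style SMTP listener to exercise it offline (example code)."""
import socket
import socketserver
import threading

# Constructed stand-in for the RAT: domains the appliance accepts mail for.
LOCAL_DOMAINS = {"example.com"}


def read_reply(rfile):
    """Read one SMTP reply, honouring the multi-line form ('250-...' lines end with '250 ...')."""
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed by server")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def relay_probe(host, port, helo, mail_from, rcpts, timeout=10):
    """Return {recipient: status code}. Stops after RCPT TO, so nothing is delivered."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected banner code {code}")
        for cmd in (f"EHLO {helo}", f"MAIL FROM:<{mail_from}>"):
            s.sendall((cmd + "\r\n").encode("ascii"))
            code, _ = read_reply(rfile)
            if code != 250:
                raise RuntimeError(f"{cmd} rejected with {code}")
        for rcpt in rcpts:
            s.sendall(f"RCPT TO:<{rcpt}>\r\n".encode("ascii"))
            code, _ = read_reply(rfile)
            results[rcpt] = code
        s.sendall(b"RSET\r\n")          # discard the envelope we built up
        read_reply(rfile)
        s.sendall(b"QUIT\r\n")
        read_reply(rfile)
    return results


def is_open_relay(results):
    """An accepted (2xx) recipient outside LOCAL_DOMAINS means the host would relay for us."""
    return any(code // 100 == 2 and rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS
               for rcpt, code in results.items())


class FakeEsa(socketserver.StreamRequestHandler):
    """Minimal listener: RAT accepts local domains; server.relaylist_client simulates a RELAYLIST hit."""

    def handle(self):
        self.wfile.write(b"220 esa.example.com ESMTP\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "EHLO":
                self.wfile.write(b"250-esa.example.com\r\n250 8BITMIME\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 sender ok\r\n")   # any envelope sender is accepted, as in SMTP
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip("<> ")
                local = addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
                if local or self.server.relaylist_client:
                    self.wfile.write(b"250 recipient ok\r\n")
                else:
                    self.wfile.write(b"550 #5.1.0 Address rejected.\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 reset\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"500 unrecognized command\r\n")


def run_probe_against_fake(relaylist_client):
    """Start the fake listener on a loopback port, probe it, and return (results, open_relay)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeEsa)
    srv.relaylist_client = relaylist_client
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        results = relay_probe("127.0.0.1", srv.server_address[1], "probe.example.net",
                              "anyone@example.org", ["user@example.com", "someone@gmail.com"])
    finally:
        srv.shutdown()
        srv.server_close()
    return results, is_open_relay(results)


if __name__ == "__main__":
    for policy in (False, True):
        print("RELAYLIST match" if policy else "RAT only:", run_probe_against_fake(policy))
```

Against a real appliance you would call `relay_probe` with its IP, your own host's name for EHLO, and one recipient in your domain plus one outside it; a 2xx for the outside recipient from a source that is not on a RELAYLIST sender group is the open-relay symptom Martin describes, and a 5xx (the ESA's "Address rejected" style reply) means the RAT is doing its job.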

Hi Martin, I didn't see the Telnet checkbox either on the ESA 390 series. Is that a bug?

Hello,

Telnet server is no longer offered in newer AsyncOS releases due to security restrictions.

Thanks!

-Dennis M.
