02-23-2017 05:38 AM
We did another test: we telnetted to these 2 IP addresses on port 25, and I found I can send email to any of your domains' users anonymously.
02-23-2017 05:53 AM
John,
Complete these steps in order to disable Telnet:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118462-technote-esa-00.html
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117914-configure-ccs-00.html
Thanks!
Libin Varghese
02-23-2017 05:59 AM
02-23-2017 06:17 AM
Hello John,
SMTP (as per RFC5321) is a session-oriented protocol using port 25. So it is true that you can use a telnet client to connect on port 25 on the appliance and inject emails - this is how the SMTP protocol is supposed to work. It is also true that you can use any envelope sender address within the telnet session, but all other mail servers that connect to your appliance could do this as well. This is based on the fact that the SMTP protocol was born without any security features when it was drafted at first. If the envelope sender address spoofing is your concern here, then you could use the envelope sender verification setting in the Mail Flow Policies to tackle this.
For me the main question is if you can inject email with recipients for your domains only or for any domain (e.g. gmail) as well. If mails get accepted for any recipients (even outside of your domain) you may innocently run an open relay server. I'd then recommend to verify if the source IP address you have initiated your telnet session from is listed in a RELAYLIST sender group in the Host Access Table of your appliance. If not, please verify if the Recipient Access Table (RAT) entry "all other recipients" is set to "accept" instead of "reject".
Best regards,
Martin
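Added example, not part of the thread and not Cisco tooling: a Python sketch of the open-relay check described in the reply above, run against your own appliance from a source IP that is not in a RELAYLIST sender group. The function names, verdict labels and command-line arguments are assumptions made for this illustration; the probe stops after RCPT TO and resets the transaction, so no message is delivered.

```python
import smtplib

def classify(internal_code, external_code):
    """Turn the two RCPT TO reply codes into a verdict (labels are illustrative)."""
    def accepted(code):
        return code in (250, 251)
    if accepted(external_code):
        return "open-relay"      # recipient outside your domains was accepted
    if 400 <= external_code < 500:
        return "inconclusive"    # temporary failure, retry later
    if accepted(internal_code):
        return "inbound-only"    # expected: own domains accepted, others rejected
    return "rejects-all"

def probe_rcpt(host, sender, internal_rcpt, external_rcpt, port=25, timeout=10):
    """Send MAIL FROM / RCPT TO for both recipients, never DATA."""
    codes = []
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for rcpt in (internal_rcpt, external_rcpt):
            mail_code, _ = smtp.mail(sender)
            if mail_code != 250:
                # e.g. envelope sender verification rejected the sender
                return "sender-rejected"
            rcpt_code, _ = smtp.rcpt(rcpt)
            codes.append(rcpt_code)
            smtp.rset()          # abandon the transaction before DATA
    return classify(*codes)

if __name__ == "__main__":
    import sys
    # usage: relay_check.py <your-appliance> <sender> <rcpt-in-your-domain> <rcpt-outside>
    print(probe_rcpt(*sys.argv[1:5]))
```

A verdict of `open-relay` points to the two settings named in the reply: the source IP matching a RELAYLIST sender group in the Host Access Table, or the "all other recipients" RAT entry being set to "accept".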
03-09-2020 02:09 AM
Hi Martin, I didn't see the telnet checkbox either in the ESA 390 series. Is that a bug?
03-09-2020 06:27 AM - edited 03-23-2020 05:22 AM
Hello,
Telnet server is no longer offered in newer AsyncOS releases due to security restrictions.
Thanks!
-Dennis M.