Beginner

ESA | disable telnet

We did another test: telnet to these 2 IP addresses on port 25, and I found I can send email to any of your domains' users anonymously.

Cisco Employee

John,

Complete these steps in order to disable Telnet:


  1. Log into the web GUI.

  2. Navigate to Network > IP Interfaces.

  3. Click the name of the interface that you want to edit.

  4. Uncheck the Telnet check box in the Services field.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118462-technote-esa-00.html

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117914-configure-ccs-00.html

Thanks!

Libin Varghese

Beginner

Hello Libin,

Thank you for your quick response. Checking on our ESA, there is no Telnet services field. (Please see attached.)

Beginner

Hello John,

SMTP (as per RFC 5321) is a session-oriented protocol using port 25. So it is true that you can use a telnet client to connect to port 25 on the appliance and inject emails - this is how the SMTP protocol is supposed to work. It is also true that you can use any envelope sender address within the telnet session, but all other mail servers that connect to your appliance could do this as well. This is based on the fact that the SMTP protocol was born without any security features when it was first drafted. If envelope sender address spoofing is your concern here, then you could use the envelope sender verification setting in the Mail Flow Policies to tackle this.

For me the main question is whether you can inject email with recipients for your domains only, or for any domain (e.g. gmail) as well. If mails get accepted for any recipients (even outside of your domain), you may innocently be running an open relay server. I'd then recommend verifying whether the source IP address you initiated your telnet session from is listed in a RELAYLIST sender group in the Host Access Table of your appliance. If not, please verify whether the Recipient Access Table (RAT) entry "all other recipients" is set to "accept" instead of "reject".

Best regards,

Martin
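One way to script the check Martin describes above (does the appliance answer RCPT TO with a 2xx for a recipient outside your own domains?) as an added Python example, not code from this thread or from Cisco. The host names and addresses are constructed, FakeAppliance is a stand-in for the ESA so the dialogue can be exercised offline, and probe_host is what you would point at your own appliance; the session is reset and closed before DATA, so no message is ever queued.

```python
import socket

def _reply(rfile):
    """Read one (possibly multi-line) SMTP reply and return its numeric code."""
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3] != "-":      # last line of the reply
            return int(line[:3])

def _send(rfile, wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return _reply(rfile)

def probe_relay(rfile, wfile, sender, recipient, helo="audit.example.test"):
    """Run the dialogue up to RCPT TO and return the RCPT reply code (2xx = accepted)."""
    if _reply(rfile) != 220:                    # greeting banner
        raise RuntimeError("no SMTP banner")
    _send(rfile, wfile, f"HELO {helo}")
    _send(rfile, wfile, f"MAIL FROM:<{sender}>")
    code = _send(rfile, wfile, f"RCPT TO:<{recipient}>")
    _send(rfile, wfile, "RSET")                 # abandon the transaction: nothing is sent
    _send(rfile, wfile, "QUIT")
    return code

def probe_host(host, sender, external_recipient, port=25):
    """Connect to your own appliance and return the RCPT code for a foreign recipient."""
    with socket.create_connection((host, port), timeout=15) as conn:
        with conn.makefile("rb") as r, conn.makefile("wb") as w:
            return probe_relay(r, w, sender, external_recipient)

class FakeAppliance:
    """Constructed stand-in: 250 for RCPT to local domains, 550 otherwise, unless relay=True
    (the RAT 'all other recipients = accept' / RELAYLIST misconfiguration Martin mentions)."""
    def __init__(self, local_domains, relay=False):
        self.local, self.relay = set(local_domains), relay
        self.queue = [b"220 esa.example.test ESMTP\r\n"]
    def readline(self): return self.queue.pop(0)
    def flush(self): pass
    def write(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        if verb.upper() == "RCPT":
            domain = arg.split("@")[-1].rstrip(">").lower()
            ok = self.relay or domain in self.local
            self.queue.append(b"250 recipient ok\r\n" if ok else b"550 #5.1.0 Address rejected\r\n")
        else:
            self.queue.append(b"221 bye\r\n" if verb.upper() == "QUIT" else b"250 ok\r\n")
```

A 2xx to RCPT TO for a domain you do not host is the open-relay indicator; some servers only reject after DATA, which this probe deliberately never reaches, so a 550 here is necessary but not sufficient.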

Beginner

Re: Hello John,

Hi Martin, I didn't see the Telnet checkbox either on the ESA 390 series. Is that a bug?


Cisco Employee

Re: Hello John,

Hello,


Telnet server is no longer offered in newer AsyncOS releases due to security restrictions.


Thanks!

-Dennis M.