Beginner

How to prevent open relay on my domain ? (ironport C170)

Hi,

I have a C170 cluster that receives emails on port 25 for mydomain.com:

  • mail1.mydomain.com (MX)
  • mail2.mydomain.com (MX)

I have only one Incoming listener, connected to my DMZ network.

When I use SMTP Diag Tool to test whether relay is open from the internet:

Email is accepted and relayed:

  • sender: hello@demo.com
  • recipient: john@mydomain.com (email exists)

That is my issue :(

Email is refused (Error: SMTP protocol error. 550 #5.1.0 Address rejected..):

  • sender: hello@demo.com
  • recipient: kkkkk@mydomain.com (email does not exist)

Email is refused (Error: SMTP protocol error. 550 #5.1.0 Address rejected..):

  • sender: hello@demo.com
  • recipient: test@example.com

mydomain.com is mine, others are not.

 

Thank you for your help

Regards

Collaborator

Re: How to prevent open relay on my domain ? (ironport C170)

This is working as expected...

If the bottom example you gave sent the mail on to example.com, then it would be an "Open Relay".

Open relays send mail from anyone, to anyone, which is bad.

Yours isn't doing that...

Beginner

Re: How to prevent open relay on my domain ? (ironport C170)

Thank you for your help.

Sorry, but someone can send a fake legit email, because no authentication is required.

user1@mydomain.com can send to user2@mydomain.com

and user2 can't see if the sender is really user1.

Do you understand?

 

Collaborator

Re: How to prevent open relay on my domain ? (ironport C170)

You're talking about spoofing:

Here's a whitepaper on ways to address this.

https://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/whitepaper_C11-737596.html


Beginner

Re: How to prevent open relay on my domain ? (ironport C170)

Thank you, I'll check this paper.

In fact, only my Exchange Servers (on LAN) have to be relayed by IronPort. That's why I don't understand why IronPort allows relaying from/to mydomain.com from the internet.
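
The distinction drawn in this thread between normal inbound delivery, an open relay, and a spoofed local sender can be expressed as a check over relay-test results. The following is an added example, not code from any participant in the thread or from Cisco. The names `Probe`, `classify` and `audit` are hypothetical, the 250 reply code for the accepted test is assumed, and the fourth probe is constructed to represent the spoofing case raised in the replies.

```python
from dataclasses import dataclass

# Domains this gateway is meant to accept inbound mail for (from the thread).
LOCAL_DOMAINS = {"mydomain.com"}

@dataclass
class Probe:
    mail_from: str   # envelope sender used by the external test client
    rcpt_to: str     # envelope recipient
    reply_code: int  # SMTP reply code the gateway returned for the recipient

def domain_of(address: str) -> str:
    """Lower-cased domain part; "" for the null sender <> or a bare local part."""
    address = address.strip().strip("<>")
    return address.rsplit("@", 1)[1].lower().rstrip(".") if "@" in address else ""

def classify(probe: Probe, local=LOCAL_DOMAINS) -> str:
    accepted = 200 <= probe.reply_code < 300   # 4xx/5xx: not accepted
    rcpt_local = domain_of(probe.rcpt_to) in local
    from_local = domain_of(probe.mail_from) in local
    if accepted and not rcpt_local:
        return "OPEN_RELAY"              # outside host to outside recipient was taken
    if accepted and from_local:
        return "LOCAL_SENDER_SPOOFABLE"  # outside host used our own domain as sender
    if accepted:
        return "NORMAL_INBOUND"          # what an MX is supposed to do
    return "RECIPIENT_REJECTED" if rcpt_local else "RELAY_DENIED"

# Constructed probes, all sent from an Internet host. The first three mirror the
# tests in the question (250 is an assumed code for "accepted"); the fourth is
# the spoofing case raised later in the thread.
PROBES = [
    Probe("hello@demo.com", "john@mydomain.com", 250),
    Probe("hello@demo.com", "kkkkk@mydomain.com", 550),
    Probe("hello@demo.com", "test@example.com", 550),
    Probe("user1@mydomain.com", "user2@mydomain.com", 250),
]

def audit(probes=PROBES):
    return [(p.mail_from, p.rcpt_to, classify(p)) for p in probes]

if __name__ == "__main__":
    for row in audit():
        print("%-22s -> %-22s %s" % row)
```

Only an accepted probe whose recipient domain is not local counts as an open relay; an accepted probe with a local sender domain arriving from outside is a sender-authentication gap, which is the topic of the whitepaper linked in the thread.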