
How to prevent open relay on my domain? (IronPort C170)

jceesco
Level 1

Hi,

I have a C170 cluster that receives emails on port 25 for mydomain.com:

  • mail1.mydomain.com (MX)
  • mail2.mydomain.com (MX)

I have only one Incoming listener, connected to my DMZ network.

 

When I use SMTP Diag Tool to test whether relay is open from the internet:

Email is accepted and relayed:

  • sender: hello@demo.com
  • recipient: john@mydomain.com (email exists)

That is my issue :(

 

Email is refused (Error: SMTP protocol error. 550 #5.1.0 Address rejected..):

  • sender: hello@demo.com
  • recipient: kkkkk@mydomain.com (email does not exist)

Email is refused (Error: SMTP protocol error. 550 #5.1.0 Address rejected..):

  • sender: hello@demo.com
  • recipient: test@example.com

mydomain.com is mine, others are not.

 

Thank you for your help

Regards

 


This is working as expected...



If the bottom example you gave sent the mail on to example.com, then it would be an "Open Relay".

Open relays send mail from anyone, to anyone, which is bad.



Yours isn't doing that...




Thank you for your help.

 

Sorry, but someone can send a fake legit email, because no authentication is required.

user1@mydomain.com can send to user2@mydomain.com

and user2 can't see if the sender is really user1.

Do you understand?

 

You're talking about spoofing:

Here's a whitepaper on ways to address this.

https://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/whitepaper_C11-737596.html


Thank you, I'll check this paper.

In fact, only my Exchange Servers (on LAN) have to be relayed by IronPort. That's why I don't understand why IronPort allows relaying from/to mydomain.com from the internet.
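
The distinction drawn in this thread (inbound delivery to your own domain, open relay, and spoofing of your own domain from outside) can be expressed as a small classifier over relay-test results. This is an added example, not part of the original thread and not Cisco code; the LAN range, the tester's IP address, the 250 reply code for accepted mail, and the verdict labels are assumptions.

```python
import ipaddress

# Assumptions (not from the thread): LAN range of the Exchange servers,
# the tester's internet address, and 250 as the reply for accepted mail.
LOCAL_DOMAINS = {"mydomain.com"}
TRUSTED_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()

def is_trusted(client_ip):
    """True when the connecting host is an internal relay client."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_RELAY_NETS)

def classify(client_ip, mail_from, rcpt_to, reply_code):
    """Interpret one relay-test result from the gateway's point of view."""
    if not 200 <= reply_code < 300:
        return "rejected"
    if is_trusted(client_ip):
        return "trusted-relay"            # e.g. Exchange sending outbound
    if domain(rcpt_to) not in LOCAL_DOMAINS:
        return "open-relay"               # stranger to foreign domain accepted
    if domain(mail_from) in LOCAL_DOMAINS:
        return "inbound-spoof-candidate"  # own domain claimed from outside
    return "inbound-delivery"             # normal MX behaviour

# Constructed test matrix: the first three rows mirror the thread's tests,
# the rest are hypothetical cases for comparison.
SAMPLES = [
    ("203.0.113.10", "hello@demo.com", "john@mydomain.com", 250),
    ("203.0.113.10", "hello@demo.com", "kkkkk@mydomain.com", 550),
    ("203.0.113.10", "hello@demo.com", "test@example.com", 550),
    ("203.0.113.10", "user1@mydomain.com", "user2@mydomain.com", 250),
    ("203.0.113.10", "hello@demo.com", "test@example.com", 250),
    ("10.1.2.3", "user1@mydomain.com", "test@example.com", 250),
]

def run_samples():
    """Classify every constructed sample row, in order."""
    return [classify(*row) for row in SAMPLES]

if __name__ == "__main__":
    for row, verdict in zip(SAMPLES, run_samples()):
        print(f"{row[0]:<13} {row[1]:<20} -> {row[2]:<20} {row[3]}  {verdict}")
```

Only the fifth row would indicate an open relay; the fourth is the spoofing case raised in the follow-up, which is handled by sender verification rather than by relay restrictions.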
