10-18-2017 10:39 AM - edited 03-08-2019 07:26 PM
My mail gateway has been found as partially open relay.
The proof of concept is below:
telnet mail.domain-x.com 25
220 mail.domain-x.com ESMTP
MAIL FROM: email@example.com
250 sender <firstname.lastname@example.org> ok
RCPT TO: email@example.com
250 recipient <firstname.lastname@example.org> ok
354 go ahead
This is test email...
250 ok: Message 3725870 accepted
The email will be sent to email@example.com
Note: mail.domain-x.com is my mail gateway (Cisco ESA) and domain-y.com is another domain of mine (Web server).
Please advise how to resolve this issue.
10-18-2017 06:10 PM
If you are referring to the ability to telnet to the appliance on port 25 to send emails, that would be allowed by default, since the ESA would work only if it accepts traffic over port 25.
You could check with your network team to see if they can restrict the ability to telnet without actually blocking email traffic.
10-18-2017 07:29 PM
Thanks for your feedback. I've checked with my network team, they said this is not possible. Actually, not only telnet, we can also use nc tool.
nc mail.domain-x.com 25
I found an article below:
The recommendation to mitigate this issue is:
- Require authentication with user accounts and encryption through STARTTLS.
- Configure the email gateway to only allow the IP addresses of the email gateways themselves and authorized IP addresses to send.
However, I doubt implementing TLS will solve the problem.
10-18-2017 07:54 PM
Yes, you could limit accepting connections from certain IPs.
With using TLS the advantage would be that you would not be able to type in mail-from and rcpt-to in plain text as it would require that data to be sent in an encrypted format.
- Libin V
10-18-2017 08:41 PM
Thanks for the explanation.
Another question. In that case, why did the ESA allow the mail to be sent? I suppose there must be IP address checking, whether domain-y.com belongs to the right DNS.
10-18-2017 08:49 PM
If the IP you are performing the telnet from is part of the HAT Relaylist, they are allowed to relay emails outbound.
For all others, recipient validation is part of the RAT configuration; DNS verification can be enabled under Mail Policies -> HAT Overview/Mail flow policies.
- Libin V
10-19-2017 07:08 AM
I've implemented TLS in my Cisco ESA, by following the following link.
I selected "Preferred" when configuring the TLS.
Everything is fine, except when I telnet to port 25, it is not asking me to issue STARTTLS command.
Could you please advise what could be the issue?
10-19-2017 05:04 PM
TLS preferred would work with and without issuing TLS.
TLS required needs STARTTLS to be offered before proceeding.
- Libin V
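The two policy points made in this thread (a source in the HAT relay list may relay outbound while everyone else is limited to RAT domains, and TLS "preferred" versus "required") are easier to reason about against a small model. The script below is an added example written for this page; it is not Cisco ESA code and makes no claim about the ESA's exact reply strings. The relay network, local domain, source IPs and addresses are constructed, and the reply codes follow the usual SMTP conventions (530 5.7.0 for a command issued before STARTTLS when TLS is required, 554 5.7.1 for a denied relay).

```python
"""Toy model of a mail gateway's accept/relay decisions (added example, not
the ESA's code): a HAT-style relay list, a RAT-style set of local domains and
a TLS mode of "preferred" or "required". All IPs/domains are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass
class GatewayPolicy:
    relay_networks: list        # sources allowed to relay to any domain (HAT relay list)
    local_domains: set          # domains the gateway accepts inbound mail for (RAT)
    tls_mode: str = "preferred"  # "preferred": STARTTLS offered; "required": enforced

    def may_relay(self, src_ip):
        addr = ip_address(src_ip)
        return any(addr in ip_network(net) for net in self.relay_networks)


def run_session(policy, src_ip, commands):
    """Feed client command lines to the toy server.

    Returns (responses, accepted_recipient_domains) so a caller can see exactly
    which RCPT TO lines the policy let through and why."""
    responses, accepted = [], []
    tls_up = False
    in_data = False
    for line in commands:
        if in_data:                      # message body: swallow until "."
            if line == ".":
                in_data = False
                responses.append("250 ok: message accepted")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            caps = ["250-mail.example.test"]
            if not tls_up:               # STARTTLS is advertised in both TLS modes
                caps.append("250-STARTTLS")
            caps.append("250 8BITMIME")
            responses.append("\n".join(caps))
        elif verb == "STARTTLS":
            tls_up = True                # a real server would now run the handshake
            responses.append("220 Go ahead with TLS")
        elif verb in ("MAIL", "RCPT") and policy.tls_mode == "required" and not tls_up:
            # "required": envelope commands in plaintext are refused
            responses.append("530 5.7.0 Must issue a STARTTLS command first")
        elif verb == "MAIL":
            responses.append("250 sender ok")
        elif verb == "RCPT":
            m = re.search(r"<[^@>]+@([^>]+)>", arg)
            domain = m.group(1).lower() if m else ""
            # inbound to a RAT domain is always fine; anything else needs relay rights
            if domain in policy.local_domains or policy.may_relay(src_ip):
                accepted.append(domain)
                responses.append("250 recipient ok")
            else:
                responses.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            if accepted:
                in_data = True
                responses.append("354 go ahead")
            else:
                responses.append("554 5.5.1 No valid recipients")
        elif verb == "QUIT":
            responses.append("221 bye")
        else:
            responses.append("500 unrecognized command")
    return responses, accepted


if __name__ == "__main__":
    policy = GatewayPolicy(relay_networks=["192.0.2.0/24"],
                           local_domains={"domain-y.com"})
    session = ["EHLO probe.example", "MAIL FROM:<a@example.com>",
               "RCPT TO:<b@domain-y.com>", "RCPT TO:<c@other.example>",
               "DATA", "test body", "."]
    for reply in run_session(policy, "203.0.113.10", session)[0]:
        print(reply)
```

Running the stand-alone part shows the distinction the thread circles around: from an address outside the relay list, the RCPT TO for the RAT domain is accepted while the RCPT TO for a foreign domain is refused, and with "preferred" the MAIL FROM is accepted in plaintext even though STARTTLS was advertised in the EHLO reply. Switching `tls_mode` to `"required"` turns that plaintext MAIL FROM into a 530 until STARTTLS has been issued.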