Partially Open Relay

rab ngl
Level 1

Hello,

 

My mail gateway has been reported as a partially open relay.

 

The proof of concept is below:

--begin

telnet mail.domain-x.com 25
220 mail.domain-x.com ESMTP
MAIL FROM: test1@domain-y.com
250 sender <test1@domain-y.com> ok
RCPT TO: test2@domain-x.com
250 recipient <test2@domain-x.com> ok
data
354 go ahead
This is test email...
.
250 ok: Message 3725870 accepted

--end

 

The email will be sent to test2@domain-x.com

 

Note: mail.domain-x.com is my mail gateway (Cisco ESA) and domain-y.com is another domain of mine (web server).

 

Please advise how to resolve this issue.

 

Thanks.

 

7 Replies

Libin Varghese
Cisco Employee

Hi,

 

If you are referring to the ability to telnet to the appliance on port 25 to send emails, that would be allowed by default, since the ESA only works if it accepts traffic over port 25.

 

You could check with your network team to see if they can restrict the ability to telnet without actually blocking email traffic.

 

Regards,

Libin Varghese

Hi,

 

Thanks for your feedback. I've checked with my network team; they said this is not possible. Actually, not only telnet: we can also use the nc tool.

 

nc mail.domain-x.com 25

 

I found an article below:

https://www.blackhillsinfosec.com/how-to-test-for-open-mail-relays/

 

The recommendation to mitigate this issue is:

 

- Require authentication with user accounts and encryption through STARTTLS.

- Configure the email gateway to only allow the IP addresses of the email gateways themselves and authorized IP addresses to send.

 

However, I doubt implementing TLS will solve the problem.

 

 

Yes, you could limit accepting connections from certain IPs.

 

With TLS, the advantage would be that you would not be able to type in MAIL FROM and RCPT TO in plain text, as that data would have to be sent in encrypted form.

 

- Libin V

Hi,

 

Thanks for the explanation.

 

Another question. In that case, why did the ESA allow the mail to be sent? I suppose there must be IP address checking, whether domain-y.com belongs to the right DNS.

If the IP you are performing the telnet from is part of the HAT RELAYLIST, it is allowed to relay emails outbound.

 

For all others, recipient validation is part of the RAT configuration; DNS verification can be enabled under Mail Policies -> HAT Overview / Mail Flow Policies.

 

- Libin V

Hi,

 

I've implemented TLS on my Cisco ESA by following the link below.

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

 

I selected "Preferred" when configuring TLS.

 

Everything is fine, except that when I telnet to port 25, it does not ask me to issue the STARTTLS command.

 

Could you please advise what could be the issue?

 

Thanks.

TLS Preferred would work with and without issuing STARTTLS.

 

TLS required needs STARTTLS to be offered before proceeding.

 

- Libin V
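The mitigation checklist quoted from the Black Hills article earlier in the thread (authentication plus STARTTLS, and restricting which source IPs may send) and the TLS Preferred / Required exchange just above both come down to the same question: which sender/recipient combinations does the listener accept from an unauthenticated client, and does wrapping the session in STARTTLS change that answer? The script below is an added example, not part of the original thread and not Cisco code. It runs a four-case relay matrix against a gateway with plain `smtplib`, optionally inside STARTTLS, and stops at RCPT TO followed by RSET, so unlike the proof of concept in the first post it never queues a message. Domain names are the placeholders from the post; `example.net` standing in for a third-party domain is an assumption. With `--starttls` the same MAIL FROM / RCPT TO commands are simply sent inside the encrypted channel, so the accept/reject decision the gateway returns for each case is what tells you whether relaying is actually restricted.

```python
"""Relay test matrix for an SMTP gateway, with optional STARTTLS.

Added example for this thread, not code from the original post or from Cisco.
Only RCPT TO is issued (then RSET), so no message is accepted for delivery.
"""
import smtplib
import ssl
import sys

# Domains taken from the post above; both are domains the gateway handles.
LOCAL_DOMAINS = ("domain-x.com", "domain-y.com")
# Assumption: a third-party domain the gateway is not responsible for.
EXTERNAL_DOMAIN = "example.net"

# The four sender/recipient combinations a relay test should cover.
CASES = {
    "inbound_external_sender": (f"probe@{EXTERNAL_DOMAIN}", "test2@domain-x.com"),
    "inbound_spoofed_internal_sender": ("test1@domain-y.com", "test2@domain-x.com"),
    "outbound_relay": ("test1@domain-x.com", f"someone@{EXTERNAL_DOMAIN}"),
    "third_party_relay": (f"probe@{EXTERNAL_DOMAIN}", f"someone@{EXTERNAL_DOMAIN}"),
}


def probe(host, mail_from, rcpt_to, port=25, starttls=False, timeout=15):
    """Return the reply code the server gives to RCPT TO for one pair.

    With starttls=True the same MAIL FROM / RCPT TO run inside the TLS
    session; encryption changes what is visible on the wire, not whether
    the listener decides to relay for this client.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if starttls:
            # Default context verifies the server certificate; relax it
            # deliberately if you are probing a gateway with a test cert.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code  # sender refused; counts as a rejection of the pair
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()  # abandon the transaction, nothing is queued
        return code


def run_matrix(host, starttls=False):
    """Probe every case in CASES and return {label: RCPT TO reply code}."""
    return {label: probe(host, mf, rt, starttls=starttls)
            for label, (mf, rt) in CASES.items()}


def accepted(code):
    """2xx means the listener would take the recipient."""
    return 200 <= code < 300


def findings(results):
    """Turn {case_label: rcpt_reply_code} into a list of human-readable findings."""
    out = []
    if accepted(results["third_party_relay"]):
        out.append("OPEN RELAY: accepts external sender to external recipient")
    if accepted(results["outbound_relay"]):
        out.append("relays a local sender to an external recipient without authentication")
    if accepted(results["inbound_spoofed_internal_sender"]):
        out.append("accepts a spoofed local sender to a local recipient (the finding in the post)")
    if not accepted(results["inbound_external_sender"]):
        out.append("does not accept ordinary inbound mail; check the RAT and listener")
    return out


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain-x.com"
    use_tls = "--starttls" in sys.argv
    results = run_matrix(target, starttls=use_tls)
    for label, code in results.items():
        print(f"{label:32s} RCPT TO -> {code}")
    for line in findings(results) or ["no relay finding"]:
        print("*", line)
```

Run it once without and once with `--starttls` from a host that is not in the HAT RELAYLIST. A correctly restricted listener returns 2xx only for `inbound_external_sender`; if `inbound_spoofed_internal_sender` is also 2xx you are reproducing the scanner's "partially open relay" result from the first post, and if the verdicts are identical in both runs, TLS has not changed the relay decision, only hidden the transcript from the network.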
