10-18-2017 10:39 AM - edited 03-08-2019 07:26 PM
Hello,
My mail gateway has been found to be a partially open relay.
The proof of concept is below:
--begin
telnet mail.domain-x.com 25
220 mail.domain-x.com ESMTP
MAIL FROM: test1@domain-y.com
250 sender <test1@domain-y.com> ok
RCPT TO: test2@domain-x.com
250 recipient <test2@domain-x.com> ok
data
354 go ahead
This is test email...
.
250 ok: Message 3725870 accepted
--end
The email will be sent to test2@domain-x.com
Note: mail.domain-x.com is my mail gateway (Cisco ESA) and domain-y.com is another domain of mine (web server).
Please advise how to resolve this issue.
Thanks.
10-18-2017 06:10 PM
Hi,
If you are referring to the ability to telnet to the appliance on port 25 to send emails that would be allowed by default since the ESA would work only if it accepts traffic over port 25.
You could check with your network team to see if they can restrict the ability to telnet without actually blocking email traffic.
Regards,
Libin Varghese
10-18-2017 07:29 PM
Hi,
Thanks for your feedback. I've checked with my network team, they said this is not possible. Actually, not only telnet, we can also use nc tool.
nc mail.domain-x.com 25
I found an article below:
https://www.blackhillsinfosec.com/how-to-test-for-open-mail-relays/
The recommendation to mitigate this issue is:
- Require authentication with user accounts and encryption through STARTTLS.
- Configure the email gateway to only allow the IP addresses of the email gateways themselves and authorized IP addresses to send.
However, I doubt implementing TLS will solve the problem.
10-18-2017 07:54 PM
Yes, you could limit accepting connections from certain IPs.
With TLS, the advantage would be that you would not be able to type in mail-from and rcpt-to in plain text, as it would require that data to be sent in an encrypted format.
- Libin V
10-18-2017 08:41 PM
Hi,
Thanks for the explanation.
Another question. In that case, why did the ESA allow the mail to be sent? I suppose there must be IP address checking, whether domain-y.com belongs to the right DNS.
10-18-2017 08:49 PM
If the IP you are performing the telnet from is part of the HAT Relaylist, they are allowed to relay emails outbound.
For all others, recipient validation is part of the RAT configuration; DNS verification can be enabled under Mail Policies -> HAT Overview/Mail flow policies.
- Libin V
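To make the HAT/RAT decision in the reply above concrete, here is an added Python model (not Cisco code, not from this thread) of how a gateway decides between outbound relay and inbound delivery: a source IP in a RELAYLIST-style sender group may relay anywhere, every other source is only accepted when the recipient domain is in the RAT. The networks, group names and domains are constructed placeholders; a real open relay is the case where a non-relay source is accepted for a recipient domain the gateway does not own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy, modelled on the ESA concepts named in the thread:
# HAT (Host Access Table) sender groups keyed by source network, and the
# RAT (Recipient Access Table) listing domains the gateway accepts mail for.
# Addresses and domains are placeholders, not real configuration.
HAT = {
    # internal MTAs allowed to relay outbound to any destination
    "RELAYLIST": [ipaddress.ip_network("10.0.0.0/24")],
}
RAT_DOMAINS = {"domain-x.com"}  # domains this gateway delivers inbound mail for


@dataclass
class Verdict:
    accepted: bool
    reason: str


def _domain(addr: str) -> str:
    """Domain part of an address such as user@domain-x.com, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def hat_group(source_ip: str) -> str:
    """Map the connecting IP to a HAT sender group; unmatched IPs fall into ALL."""
    ip = ipaddress.ip_address(source_ip)
    for group, nets in HAT.items():
        if any(ip in net for net in nets):
            return group
    return "ALL"  # default group: no relay privileges


def evaluate(source_ip: str, mail_from: str, rcpt_to: str) -> Verdict:
    """Decide whether the RCPT TO would be accepted, in the order the reply describes.

    MAIL FROM is intentionally not part of the decision: the relay decision is
    made on the connecting IP (HAT), and everything else is recipient
    validation (RAT). The envelope sender can be typed freely in the session.
    """
    group = hat_group(source_ip)
    if group == "RELAYLIST":
        return Verdict(True, f"{group}: relay permitted for any recipient")
    if _domain(rcpt_to) in RAT_DOMAINS:
        return Verdict(True, "ALL: recipient domain in RAT, inbound delivery")
    return Verdict(False, "ALL: recipient domain not in RAT, relaying denied")
```

Running the thread's own transaction through the model (external source, recipient in domain-x.com) yields an accept with the inbound-delivery reason, whereas the same source addressing a recipient outside the RAT is refused.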
10-19-2017 07:08 AM
Hi,
I've implemented TLS in my Cisco ESA, by following the following link.
I selected "Preferred" when configuring the TLS.
Everything is fine, except when I telnet to port 25, it is not asking me to issue STARTTLS command.
Could you please advise what could be the issue?
Thanks.
10-19-2017 05:04 PM
TLS preferred would work with and without issuing TLS.
TLS required needs STARTTLS to be offered before proceeding.
- Libin V