1134 Views | 10 Helpful | 1 Reply

RELAY mail flow policy action

kaizen
Level 1

Hi community,

I am wondering whether it is normal that, when a RELAY MFP and a RELAYLIST sender group are used, I can choose whatever sender / mail-from domain I like (when testing with telnet, for example, from the internal mail server)? I guess the presumption is that the internal servers added to the relay sender group are trusted, and also that mail sent from an IP address that is not allowed in SPF for some domain will end up in the junk folder.. but it still seems like a security concern.

Is this expected behavior for the relay action? How can this be filtered/set so that only the specific internal domains the Exchange server is expected to send outbound mail for are allowed?

EDIT: Maybe it can be done with a filter, but that seems not very intuitive or easy..

 

ONLYalloweddomains:
if (sendergroup == 'RELAYLIST' AND mail-from != '@domain\\.com$')
{
    drop();
}

Regards,

K.

 

Accepted Solution

UdupiKrishna
Cisco Employee

The RELAY action/RELAY sender group is exactly as you understand. There's a default pre-assumption that the internal servers are trusted and emails from them will always be based on your email domain. If someone telnets from the trusted server over port 25 and sends out emails with a different mail-from ID/domain, this is a security issue on the server (but I get what you mean).

 

You can surely lock it down to your domain with the message filter, but a better idea would be to quarantine them so that you can run forensics (fancy word) later should the situation arise.

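As an added example, not from the original post or from Cisco's documentation, the following Python script models the envelope-sender check that the message filter above performs, combined with the accepted answer's suggestion to quarantine rather than drop. It uses Python's `re` module in place of the appliance's own regex evaluation (an assumption: AsyncOS message-filter regexes are Python-style, but this is a stand-in, not the appliance). The allowed domains, the sender-group name other than RELAYLIST, and all sample envelopes are constructed for the example.

```python
import re

# Constructed for this example: the domains the internal Exchange servers are
# expected to use as envelope sender (MAIL FROM). Replace with your own.
ALLOWED_DOMAINS = ("example.com", "example.net")

# The sender group the appliance assigns to the internal relay hosts (from the post).
RELAY_SENDERGROUP = "RELAYLIST"


def build_allowed_pattern(domains):
    """Anchored, case-insensitive pattern for '...@<one of domains>' at end of string.

    Anchoring with '$' and escaping the dots is what stops 'user@example.com.other.test'
    or 'user@examplexcom' from matching; re.IGNORECASE covers 'User@EXAMPLE.COM'.
    The posted filter writes the escaped dot as '\\\\.' because it lives inside a
    filter string; in a Python raw string it is '\\.'.
    """
    alternatives = "|".join(re.escape(d) for d in domains)
    return re.compile(rf"@({alternatives})$", re.IGNORECASE)


ALLOWED_RE = build_allowed_pattern(ALLOWED_DOMAINS)

# For comparison: the same check with the trailing '$' left off.
UNANCHORED_RE = re.compile(r"@example\.com", re.IGNORECASE)


def decide(sendergroup, mail_from):
    """Return the action the filter would take for one envelope.

    Mirrors the posted filter's condition (RELAYLIST sender group plus an
    envelope sender outside the expected domains) but quarantines instead of
    dropping, so the message is kept for later review as the answer suggests.
    """
    if sendergroup != RELAY_SENDERGROUP:
        # Condition not met: the relay-domain check does not apply to other sender groups.
        return "deliver"
    if not mail_from:
        # Null sender (<>) as used by bounces/DSNs never matches an '@domain$' pattern;
        # decide it explicitly rather than by accident. Here it goes to quarantine.
        return "quarantine"
    if ALLOWED_RE.search(mail_from):
        return "deliver"
    return "quarantine"


def unanchored_pattern_too_loose():
    """True if the unanchored pattern accepts a sender whose domain merely starts with ours."""
    lookalike = "user@example.com.other.test"  # constructed sample
    return bool(UNANCHORED_RE.search(lookalike)) and not ALLOWED_RE.search(lookalike)


# Constructed sample envelopes: (sender group, MAIL FROM)
SAMPLES = [
    ("RELAYLIST", "user@example.com"),
    ("RELAYLIST", "User@EXAMPLE.COM"),
    ("RELAYLIST", "alerts@example.net"),
    ("RELAYLIST", "user@sub.example.com"),        # subdomain: not listed, so not allowed
    ("RELAYLIST", "user@example.com.other.test"),  # only an unanchored pattern accepts this
    ("RELAYLIST", "someone@otherdomain.test"),
    ("RELAYLIST", ""),                             # null sender
    ("WHITELIST", "someone@otherdomain.test"),     # different sender group (constructed name)
]


def evaluate_samples(samples=SAMPLES):
    """Map each (sendergroup, mail_from) pair to the action decide() returns."""
    return {sample: decide(*sample) for sample in samples}


if __name__ == "__main__":
    for (group, sender), action in evaluate_samples().items():
        print(f"{group:10s} {sender or '<>':32s} -> {action}")
    print("unanchored pattern too loose:", unanchored_pattern_too_loose())
```

Running the script prints one line per sample envelope; only the three expected-domain senders and the non-RELAYLIST envelope are delivered. Two points worth carrying back to the real filter: the check is on the SMTP envelope sender only (that is what `mail-from` evaluates), so a message with an acceptable MAIL FROM and a different visible From: header passes it, which makes this a relay-hygiene control rather than an anti-spoofing one; and without the trailing `$` the pattern also accepts domains that merely begin with yours, so keep the anchor when you adapt the expression.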
