cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
857
Views
10
Helpful
1
Replies

RELAY mail flow policy action

kaizen
Beginner
Beginner

Hi community,

I am wondering is it normal that when a RELAY mfp and Relaylist Sender group is used I can choose whatever sender/mail from domain I choose (when testing with telnet for example from the internal mail server)? I guess the presumption is that the internal servers added to the relay sender group are trusted and also sending mail from an ip address that is not allowed in SPF for some domain will end up in junk folder.. but still seems as a security concern.

Is this expected behavior for relay action? How can this be filtered/set only for specific internal domains that the exchange server is expected to send outbound mail?

EDIT: Maybe with filter can be done but seems not very intuitive and easy..

 

ONLYalloweddomains:
if(sendergroup == 'RELAYLIST' AND mail-from != '@domain\\.com$')
{
drop();
}

Regards,

K.

 

1 Accepted Solution

Accepted Solutions

UdupiKrishna
Cisco Employee
Cisco Employee

The RELAY action/RELAY sender group is exactly as you understand. There's a default pre-assumption that the internal servers are trusted and emails from it will always be based on your email domain. If someone telnets from the trusted server over port 25 and send out emails with a different mail-from ID/domain, this is security issue on the server (but I get what you mean)  

 

You can surely lock it down to your domain with the message filter, but a better idea would be to quarantine them so that you can run forensics (fancy word) later should the situation arise.

View solution in original post

1 Reply 1

UdupiKrishna
Cisco Employee
Cisco Employee

The RELAY action/RELAY sender group is exactly as you understand. There's a default pre-assumption that the internal servers are trusted and emails from it will always be based on your email domain. If someone telnets from the trusted server over port 25 and send out emails with a different mail-from ID/domain, this is security issue on the server (but I get what you mean)  

 

You can surely lock it down to your domain with the message filter, but a better idea would be to quarantine them so that you can run forensics (fancy word) later should the situation arise.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers