02-22-2022 05:19 AM - edited 02-22-2022 05:55 AM
Hi community,
I am wondering whether it is normal that, when a RELAY mfp and RELAYLIST sender group are used, I can choose whatever sender/mail-from domain I like (when testing with telnet, for example, from the internal mail server)? I guess the presumption is that the internal servers added to the relay sender group are trusted, and also that sending mail from an IP address that is not allowed in SPF for some domain will end up in the junk folder, but it still seems like a security concern.
Is this expected behavior for the relay action? How can this be filtered/set only for the specific internal domains that the Exchange server is expected to send outbound mail for?
EDIT: Maybe it can be done with a filter, but that seems not very intuitive or easy.
ONLYalloweddomains:
if (sendergroup == 'RELAYLIST' AND mail-from != '@domain\\.com$')
{
    drop();
}
Regards,
K.
Accepted Solutions
02-22-2022 06:59 AM
The RELAY action/RELAY sender group is exactly as you understand. There's a default pre-assumption that the internal servers are trusted and that emails from them will always be based on your email domain. If someone telnets from the trusted server over port 25 and sends out emails with a different mail-from ID/domain, this is a security issue on the server (but I get what you mean).
You can surely lock it down to your domain with the message filter, but a better idea would be to quarantine them so that you can run forensics (fancy word) later should the situation arise.
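For the after-the-fact side of the answer above, here is an added example (not part of the thread and not Cisco code) that correlates connections matched to the RELAYLIST sender group with the envelope senders of their messages and reports any sender outside the expected domains. The log lines are constructed and their layout is an assumption modelled on ESA text mail logs; `ALLOWED_DOMAINS`, `sender_domain` and `find_offdomain_relays` are hypothetical names.

```python
import re

# Assumption: domains the internal relay is expected to send as.
ALLOWED_DOMAINS = {"domain.com"}

# Assumed line shapes, modelled on ESA text mail logs.
SG_RE = re.compile(r"ICID (\d+) RELAY SG (\S+) match")
FROM_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = """\
Tue Feb 22 05:19:01 2022 Info: ICID 101 RELAY SG RELAYLIST match 10.0.0.5 SBRS not enabled
Tue Feb 22 05:19:01 2022 Info: Start MID 9001 ICID 101
Tue Feb 22 05:19:01 2022 Info: MID 9001 ICID 101 From: <alice@domain.com>
Tue Feb 22 05:20:10 2022 Info: ICID 102 RELAY SG RELAYLIST match 10.0.0.5 SBRS not enabled
Tue Feb 22 05:20:10 2022 Info: MID 9002 ICID 102 From: <ceo@example.org>
Tue Feb 22 05:20:11 2022 Info: MID 9003 ICID 102 From: <bob@notdomain.com>
Tue Feb 22 05:21:00 2022 Info: MID 9004 ICID 102 From: <>
Tue Feb 22 05:22:00 2022 Info: ICID 103 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Tue Feb 22 05:22:00 2022 Info: MID 9005 ICID 103 From: <someone@example.net>
"""

def sender_domain(addr):
    """Lower-cased domain part of an envelope sender, '' for the null sender."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def find_offdomain_relays(log_text, allowed=ALLOWED_DOMAINS, group="RELAYLIST"):
    """Return (mid, icid, sender) for relayed messages with an unexpected MAIL FROM."""
    relay_icids, findings = set(), []
    for line in log_text.splitlines():
        m = SG_RE.search(line)
        if m:
            if m.group(2) == group:
                relay_icids.add(m.group(1))
            continue
        m = FROM_RE.search(line)
        if not m or m.group(2) not in relay_icids:
            continue
        mid, icid, sender = m.groups()
        if sender == "":
            continue  # null sender (bounces/DSNs): judged separately here
        if sender_domain(sender) not in allowed:
            findings.append((mid, icid, sender))
    return findings

if __name__ == "__main__":
    for mid, icid, sender in find_offdomain_relays(SAMPLE_LOG):
        print(f"MID {mid} (ICID {icid}): off-domain sender {sender}")
```

The domain comparison is exact and case-insensitive, so `notdomain.com` is reported even though it ends in `domain.com`. The empty envelope sender is skipped here so that it can be handled as its own case.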