Open relay test results

Unanswered Question
May 1st, 2009

Hi all. I'm a new Ironport user, having just started working for a company that had a Spam and Virus Blocker already up and running.

We've been put on some blacklists for acting as an open relay. Apparently my predecessor had already done much of the work involved in fixing this problem, but we're still on blacklists. I'm not sure when the last time we really were an open relay was; it could have been before the Ironport was ever installed. I want to clear our name, but before I start requesting removals, I want to be 100% sure that the problem is addressed.

I've run some online open relay tests, and most report that we are not an open relay, but when I tried http://www.rbl.jp/svcheck.php, 5 of their 19 tests came back as "accepted".

I searched the Ironport knowledge base and found that our settings already match the recommendation -- our RAT is set to reject "all other recipients".

Here are the recipients from the tests that came back as "accepted":

>>> RCPT TO: <[email protected]>
>>> RCPT TO: <"[email protected]"@server01.mycompany.com>
>>> RCPT TO: <[email protected]>
>>> RCPT TO: <"rlytest%h.rbl.jp"@mycompany.com>
>>> RCPT TO: <"[email protected]"@mycompany.com>
"server01" is the name of our Exchange server. Our firewall is set to forward port 25 to the Ironport.

Some of the tests suggested that even an "accepted" message was not a sure sign of being an open relay, and that the mail server might accept it and then silently discard it anyway. Is this something I need to fix, or is it already handled by the Ironport? How can I tell for sure? I've considered telnet'ing in from my home PC and reproducing the commands shown on that site using a real email address of my own, but I'm not really confident in this procedure, or in the procedure of "properly" malforming email addresses. Any advice?

Can anyone recommend further steps for me to take to be sure we are not operating an open relay?
steven_geerts Sat, 05/02/2009 - 07:45

Hello Tilden,

You can use the CLI (Command Line) command "findevent" to collect all log lines that belong to a certain message and use that information to see what has happened with the message.
If you search your log (using the grep command on the CLI) for "rlytest" you should find the log lines that are recorded for your relay tests. If you use the MID value found in those lines as input for the "findevent" command you get it clear.

Good luck!

Steven
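
Added illustration, not Steven's or Cisco's code: a small Python script that does by hand what the reply describes, grouping log lines by MID, picking out the messages that carry the "rlytest" marker, and reporting for each one whether it was bounced/dropped after acceptance or actually delivered off-domain (which is the only outcome that really makes the box an open relay). The log lines are constructed in a simplified AsyncOS-like style, not a real mail_logs capture, and the local domain list and the "delivered to"/"bounced" wording are assumptions; the routing_domain helper unpicks the percent-hack and quoted-'@' recipient forms shown in the question.

```python
import re
from collections import defaultdict
# Constructed sample in a simplified AsyncOS-like style; not a real mail_logs capture.
SAMPLE_LOG = """\
Mon May  4 14:20:01 2009 Info: MID 1001 ICID 501 RID 0 To: <"rlytest%h.rbl.jp"@mycompany.com>
Mon May  4 14:20:02 2009 Info: MID 1001 bounced by server01.mycompany.com (unknown recipient)
Mon May  4 14:20:05 2009 Info: MID 1002 ICID 502 RID 0 To: <rlytest@h.rbl.jp>
Mon May  4 14:20:06 2009 Info: MID 1002 delivered to h.rbl.jp
Mon May  4 14:20:09 2009 Info: MID 1004 ICID 504 RID 0 To: <"rlytest@h.rbl.jp"@server01.mycompany.com>
Mon May  4 14:20:10 2009 Info: MID 1004 dropped by server01.mycompany.com (unknown recipient)
Mon May  4 14:21:00 2009 Info: MID 1003 ICID 503 RID 0 To: <alice@mycompany.com>
Mon May  4 14:21:01 2009 Info: MID 1003 delivered to server01.mycompany.com
"""

LOCAL_DOMAINS = {"mycompany.com", "server01.mycompany.com"}  # assumed: your RAT entries
MID_RE = re.compile(r"\bMID (\d+)\b")
RCPT_RE = re.compile(r"To: <([^>]+)>")

def group_by_mid(log_text):
    """Collect every line that mentions a MID, which is what findevent does for you."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = MID_RE.search(line)
        if m:
            events[int(m.group(1))].append(line)
    return events

def routing_domain(rcpt):
    """Domain the mail really heads for, unpicking the percent hack and a quoted '@'."""
    local, _, domain = rcpt.rpartition("@")
    local = local.strip('"')
    if "%" in local:            # user%remote.host@local.domain -> remote.host
        return local.rsplit("%", 1)[1]
    if "@" in local:            # "user@remote.host"@local.domain -> remote.host
        return local.rsplit("@", 1)[1]
    return domain

def relay_verdicts(log_text, marker="rlytest"):
    """Per test message: recipients, off-domain targets, and whether it was really relayed."""
    verdicts = {}
    for mid, lines in group_by_mid(log_text).items():
        if not any(marker in ln for ln in lines):
            continue                      # not one of the relay-test messages
        rcpts = [r for ln in lines for r in RCPT_RE.findall(ln)]
        offsite = [r for r in rcpts if routing_domain(r) not in LOCAL_DOMAINS]
        delivered = any(" delivered to " in ln for ln in lines)
        verdicts[mid] = {"recipients": rcpts, "offsite": offsite,
                         "relayed": delivered and bool(offsite)}
    return verdicts
```

Only a message that is both addressed off-domain and shows a delivery event counts as relayed; an "accepted" RCPT that the Exchange server later bounced is noise, not an open relay.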

Tilden_ironport Mon, 05/04/2009 - 14:24

Thank you for the quick reply, Steven.

It seems as though my Ironport does not have the "findevent" command. When I tried it I got an "unknown command: findevent" message, and the "help" message does not list findevent. Are you sure that command exists in the Spam and Virus Blocker, and not just other Ironport models?

I notice that there are two upgrades available to download for my Ironport, so maybe it's just that my current version is too old. I'm not sure I'm daring enough to install the upgrades during business hours, so I'll probably do that on the weekend.

Thanks again.

rvdwesten_ironport Tue, 05/05/2009 - 09:07

What version of AsyncOS are you running? It looks like you have an old version, since the findevent command has been available since around 6.0, if I'm right.

Tilden_ironport Tue, 05/05/2009 - 14:54

The System Overview section says 4.7.0-148. I see 4.7.2 in my list of available upgrades.

rvdwesten_ironport Wed, 05/06/2009 - 10:05

I would recommend upgrading your system; the findevent command is not available in your version, and neither are lots of other improvements, features and bugfixes.

You cannot upgrade straight to 6.5.1 from your version. You will probably have to upgrade multiple times to get to 6.5.1, starting with 4.7.2, then upgrading to the next available upgrade.

Tilden_ironport Wed, 05/06/2009 - 14:17

Thanks, I'll definitely upgrade as far as I can at some point. It's a question of timing.

What kind of downtime can I expect when performing upgrades? I'm wondering if I can afford to do it during business hours or if I should wait until the weekend.

rvdwesten_ironport Wed, 05/06/2009 - 14:27

If you have a cluster, you will have almost 'no' downtime.
First upgrade the first appliance; it will continue to deliver mail during the upgrade, and you only have some downtime while the system is rebooting. Then upgrade the second.

If you do have a cluster, your second appliance will take over the mail flow during the reboot. If you don't have a cluster, I recommend doing the upgrades during non-business hours.

Tilden_ironport Mon, 05/11/2009 - 20:11

Wellll....turns out it's a moot point, because now my Ironport is bricked.

One of the updates failed, and our support contract has expired, so Ironport support can't help us fix it. Bummer. I'll have to weigh my options here and decide if it's worth renewing.

The good news is our email server, which no longer sits behind the Ironport, passes every single one of those relay tests.

Thanks a lot for your input, everyone. If I decide to stick with the Ironport, I'm sure I'll be back. :)