Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Bronze

ESA disable closed relay

Hi,

I told by a tester that if they Telnet to the ESA (c170 recent code) on port 25 and use an existing inside email address as the sender and the recipient, it is accepted. Where do I disable this in the configuration?

Thanks.

  • Email Security
Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ESA disable closed relay

If you are asking how to disable telnet - that is set at the IP Interface level, web GUI -> Network -> IP Interfaces

Choose the interface you are after, and then you'll see Telnet listed in the services section.

If you are asking about turning down port 25 --- port 25 would be how mail is sent/received on the appliance - so, if you are expecting mail flow - I would not suggest turning that off --- unless you have private ports set.

You can configure the listening/sending port from the web GUI -> Network -> Listeners

This will list any/all listeners configured, and the ports in use.

Submit/Commit any changes needed.

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

3 REPLIES
Cisco Employee

ESA disable closed relay

If you are asking how to disable telnet - that is set at the IP Interface level, web GUI -> Network -> IP Interfaces

Choose the interface you are after, and then you'll see Telnet listed in the services section.

If you are asking about turning down port 25 --- port 25 would be how mail is sent/received on the appliance - so, if you are expecting mail flow - I would not suggest turning that off --- unless you have private ports set.

You can configure the listening/sending port from the web GUI -> Network -> Listeners

This will list any/all listeners configured, and the ports in use.

Submit/Commit any changes needed.

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Bronze

ESA disable closed relay

Hi Robert,

To clarify, a penetration test was carried out against a client's infrastucture. The ESA allowed them to spoof the sender's email address (via telnet) as coming from an inside address.

Since this is happening during the SMTP conversation, I wasn't sure it get through, but it's being held up as a knock against the ESA security. I have a screen capture of the converstation.

Since anything done via telnet could be automated, I'm looking for the way to disable the following....

mail from:legit-user@inside-domain.com

250 sender <legit-user@inside-domain.com> ok

rcpt to:legit-user@inside-domain.com

250 recipient <legit-user@inside-domain.com> ok

data

354 go ahead

This is proof of concept that your mail server could be used for phishing inside the company.

Regards,

Pen Tester

.

250 ok: Message 560945 accepted

Cisco Employee

ESA disable closed relay

If that is the case - then you would need to limit the telnet access on the network down to the sending Exchange/mail server - or other deemed OK hosts on the network, and disallow all other traffic --- that way you would not be allowing everyone on the internal network to be able to send direct telnet over port 25 to the waiting listener.

You would need to take care to not block out IPs of internal servers/hosts that are expected to properly send direct to the ESA in order to process mail. 

If you have the RAT set for the domains expecting to move mail - this should only be sending to those (internal) domains. 

One thing to keep in mind - if you are in a paranoid/security driven configuration - think about implementing Rate Limiting for Envelope Servers on the mail flow policy --- that way, you would be limiting the amount of traffic a from address may be generating...

in telnet session - you'd see:

452 Too many recipients received this hour

Then that user would be locked for the clock hour...

As long as you have notifications enabled to send to your ESA admin or mail-distro - you'd then be notified in case you have malicious user, and be able to thwart this in a timely fashion.

-Robert

394
Views
0
Helpful
3
Replies
This widget could not be displayed.