
Internal Relay is Vulnerable from External

Anas Hijjawi
Level 1

Hi All,

We have enabled internal relay for our servers. Now that we have done security and vulnerability tests, we found that we can telnet on port 25 from the internet to the IronPort and send emails internally on behalf of it.

Snapshot of the Pen. test is attached

Has anyone faced this issue before, or could it be a bug in the IOS 7.1.5-017?

Thanks

Thanks, Anas *--* Please rate the useful post, it's free ;) *--*

David Miller
Level 1

I'm not sure I am understanding your question completely, but you should only have known IP addresses such as your Exchange server in the relay list in the HAT table, and then only they can relay through the ESA. If the ESA is your inbound and outbound email gateway then anyone can try and connect over SMTP to port 25. Whether that connection will be accepted is down to your policies and the reputation of the sending IP.

Hi David,

Actually, we have enabled the relay from inside for some specific servers to allow them to send internal notifications, but the problem is that when you try to telnet from the internet to the IronPort on port 25 and try to send email to any user in the domain, it will be successful. This means any hacker can send a spoofed email to the domain users on behalf of the IronPort.

Thanks, Anas *--* Please rate the useful post, it's free ;) *--*

Hello,

Relaying is the ability to send a mail to any domain (i.e. any domain other than the ones that you declare on the IronPort, in the RAT section).

An IronPort appliance will accept any mail as long as the recipient is part of the domains it manages (once again, those listed in the RAT section). This is default behaviour for any MTA. The appliance doesn't care about the sender's domain to detect if the mail is internal or not.

So, so far, the issue you describe is perfectly normal.

If you want to restrict inbound connections to the appliance, you must configure the HAT section so that you get only one entry with your servers listed in it and the ACCEPT behaviour, and the default entry with the REJECT behaviour. This way, only your servers will be able to connect to your appliance and dispatch its mails; any other servers will be rejected.

Kind regards,
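
The accept/relay decision described in the replies above, as a simplified Python model added here as an example (it is not code from the thread or from the appliance). The IP addresses, domains and the `decide` / `hat_behaviour` helpers are constructed placeholders, and the model assumes first-match HAT evaluation with only the ACCEPT, RELAY and REJECT behaviours.

```python
import ipaddress

# Constructed sample data: addresses and domains are placeholders, not from the thread.
RAT_DOMAINS = {"example.com"}                          # domains the gateway accepts mail for
RELAY_HOSTS = [ipaddress.ip_network("10.0.0.25/32")]   # internal notification server


def hat_behaviour(client_ip, hat):
    """Return the behaviour of the first HAT entry matching the client, else the default."""
    ip = ipaddress.ip_address(client_ip)
    for networks, behaviour in hat["entries"]:
        if any(ip in net for net in networks):
            return behaviour
    return hat["default"]


def decide(client_ip, rcpt, hat, rat_domains=RAT_DOMAINS):
    """Model the gateway's answer to one RCPT TO from one connecting host."""
    behaviour = hat_behaviour(client_ip, hat)
    if behaviour == "REJECT":
        return "connection rejected"
    if behaviour == "RELAY":
        return "relayed"             # RELAY hosts bypass the RAT: any recipient domain
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in rat_domains:
        return "accepted"            # normal inbound mail; the sender's domain is not checked
    return "recipient rejected"      # foreign recipient from a non-RELAY host: not an open relay


# Gateway that also receives internet mail: listed servers RELAY, everyone else ACCEPT.
HAT_GATEWAY = {"entries": [(RELAY_HOSTS, "RELAY")], "default": "ACCEPT"}
# Restricted listener as in the last reply: listed servers ACCEPT, default REJECT.
HAT_INTERNAL_ONLY = {"entries": [(RELAY_HOSTS, "ACCEPT")], "default": "REJECT"}

if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "user@example.com"),   # internet host, local recipient
        ("203.0.113.7", "user@other.test"),    # internet host, foreign recipient
        ("10.0.0.25", "user@other.test"),      # internal server, foreign recipient
    ]
    for name, hat in (("gateway", HAT_GATEWAY), ("internal-only", HAT_INTERNAL_ONLY)):
        for ip, rcpt in cases:
            print(f"{name:14} {ip:12} -> {rcpt:18} {decide(ip, rcpt, hat)}")
```

The first `gateway` case is the pen-test finding: a local recipient is accepted from any host, which is inbound delivery rather than relaying. The `internal-only` rows show the effect of the default REJECT entry.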
