New Member

Internal Relay is Vulnerable from External

Hi All,

We have enabled internal relay for our servers. We have now done security and vulnerability tests, and we found that we can telnet on port 25 from the internet to the IronPort and send emails internally on behalf of it.

A snapshot of the pen test is attached.

Has anyone faced this issue before, or could it be a bug in the IOS 7.1.5-017?

Thanks

Thanks, Anas *--* Please rate the useful post,its free ;) *--*
  • Email Security
3 REPLIES
New Member

Internal Relay is Vulnerable from External

I'm not sure I am understanding your question completely, but you should only have known IP addresses, such as your Exchange server, in the relay list in the HAT table, and then only they can relay through the ESA. If the ESA is your inbound and outbound email gateway, then anyone can try to connect over SMTP to port 25; whether that connection is accepted comes down to your policies and the reputation of the sending IP.

New Member

Internal Relay is Vulnerable from External

Hi David,

Actually, we have enabled the relay from inside for some specific servers to allow them to send internal notifications, but the problem is that when you try to telnet from the internet to the IronPort on port 25 and try to send an email to any user in the domain, it will be successful. This means any hacker can send a spoofed email to the domain users on behalf of the IronPort.

Thanks, Anas *--* Please rate the useful post,its free ;) *--*
New Member

Internal Relay is Vulnerable from External

Hello,

Relaying is the ability to send mail to any domain (i.e. any domain other than the ones you declare on the IronPort, in the RAT section).

An IronPort appliance will accept any mail as long as the recipient is part of the domains it manages (once again, those listed in the RAT section); this is default behaviour for any MTA. The appliance does not use the sender's domain to decide whether the mail is internal or not.

So far, then, the issue you describe is perfectly normal.

If you want to restrict inbound connections to the appliance, you must configure the HAT section so that you have only one entry with your servers listed in it and the ACCEPT behaviour, and the default entry with the REJECT behaviour. This way, only your servers will be able to connect to your appliance and dispatch their mail; any other server will be rejected.

Kind regards,

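The two replies above describe the same decision logic: the HAT sender group a connecting IP lands in decides whether it may relay anywhere, may only deliver to the local domains in the RAT, or is refused outright. The following Python model is an added illustration written for this thread, not Cisco code and not the appliance's real implementation; the sender groups, IP ranges, domains and addresses are constructed. It reproduces the original poster's observation (an outside host can deliver to a local mailbox with any MAIL FROM, because the sender domain is never consulted) and the hardened default-REJECT layout the last reply recommends.

```python
"""Toy model of an ESA's HAT/RAT decision for one inbound SMTP transaction.

Added example for this thread, not Cisco code. All networks, domains and
addresses below are constructed. Assumed behaviour, as described in the replies:
  - a source in the RELAYLIST sender group may send to any recipient domain,
  - any other source is at best ACCEPTED for recipients in the RAT domains,
  - the sender (MAIL FROM) domain is never used to decide "internal" vs not,
  - with a default-REJECT HAT, unlisted sources cannot connect at all.
"""
from ipaddress import ip_address, ip_network

# Domains the appliance accepts mail for (the RAT); constructed example values.
RAT_DOMAINS = {"example.com", "corp.example.com"}


def hat_table(default_reject: bool):
    """Ordered HAT sender groups: (name, networks, mail-flow policy). First match wins."""
    return [
        # Internal servers allowed to relay notifications (the poster's "internal relay").
        ("RELAYLIST", [ip_network("10.0.0.0/24")], "RELAYED"),
        # Catch-all entry: ACCEPTED is the inbound-gateway default; REJECT is the
        # restriction suggested in the last reply.
        ("ALL", [ip_network("0.0.0.0/0")], "REJECT" if default_reject else "ACCEPTED"),
    ]


def match_sender_group(hat, src_ip):
    """Return the (group name, policy) of the first sender group containing src_ip."""
    addr = ip_address(src_ip)
    for name, nets, policy in hat:
        if any(addr in net for net in nets):
            return name, policy
    return "ALL", "REJECT"  # no group matched at all


def evaluate(hat, src_ip, mail_from, rcpt_to):
    """Decide ACCEPT/REJECT for one transaction and explain why."""
    group, policy = match_sender_group(hat, src_ip)
    if policy == "REJECT":
        return "REJECT", f"{group}: connection refused at the HAT"
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if policy == "RELAYED":
        return "ACCEPT", f"{group}: relay to {rcpt_domain} permitted"
    # ACCEPTED policy: local recipients only. Note that mail_from is not inspected,
    # which is exactly why a spoofed internal sender address goes through.
    if rcpt_domain in RAT_DOMAINS:
        return "ACCEPT", f"{group}: local recipient {rcpt_domain}, sender {mail_from} not checked"
    return "REJECT", f"{group}: relay to non-local domain {rcpt_domain} denied"


def walkthrough():
    """Run the thread's scenarios against both HAT layouts; returns a list of rows."""
    cases = [
        # (src_ip, MAIL FROM, RCPT TO) - constructed values
        ("203.0.113.5", "ceo@example.com", "user@example.com"),      # spoofed, from outside
        ("203.0.113.5", "ceo@example.com", "someone@other.example"), # outside trying to relay
        ("10.0.0.7", "monitor@example.com", "oncall@other.example"), # internal server relaying
    ]
    rows = []
    for default_reject in (False, True):
        hat = hat_table(default_reject)
        for src, mfrom, rcpt in cases:
            decision, reason = evaluate(hat, src, mfrom, rcpt)
            rows.append((default_reject, src, rcpt, decision, reason))
    return rows


if __name__ == "__main__":
    for default_reject, src, rcpt, decision, reason in walkthrough():
        layout = "default REJECT " if default_reject else "default ACCEPTED"
        print(f"[{layout}] {src:>12} -> {rcpt:<24} {decision:<6} {reason}")
```

In the default-ACCEPTED layout the outside host is not an open relay (the non-local recipient is refused) but can still deliver to any local mailbox with a forged local sender, which is what the pen test showed. Switching the catch-all to REJECT closes that path, but as the first reply notes it is only viable where the appliance is not the internet-facing inbound gateway; an inbound gateway has to accept unknown sources and lean on its mail-flow policies and sender reputation instead.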