Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Open relay test results

Hi all. I'm a new Ironport user, having just started working for a company that had a Spam and Virus Blocker already up and running.

We've been put on some blacklists for acting as an open relay. Apparently my predecessor had already done much of the work involved in fixing this problem, but we're still on blacklists. I'm not sure when the last time we really were an open relay was; it could have been before the Ironport was ever installed. I want to clear our name, but before I start requesting removals, I want to be 100% sure that the problem is addressed.

I've run some online open relay tests, and most report that we are not an open relay, but when I tried http://www.rbl.jp/svcheck.php , 5 of their 19 tests came back as "accepted".

I searched the Ironport knowledge base and found that our settings already match the recommendation -- our RAT is set to reject "all other recipients".

Here are the recipients from the tests that came back as "accepted":

>>> RCPT TO: <rlytest%h.rbl.jp@server01.mycompany.com>
>>> RCPT TO: <"rlytest@h.rbl.jp"@server01.mycompany.com>
>>> RCPT TO: <h.rbl.jp!rlytest@server01.mycompany.com>
>>> RCPT TO: <"rlytest%h.rbl.jp"@mycompany.com>
>>> RCPT TO: <"rlytest@h.rbl.jp"@mycompany.com>


"server01" is the name of our Exchange server. Our firewall is set to forward port 25 to the Ironport.

Some of the tests suggested that even an "accepted" message was not a sure sign of being an open relay, and that the mail server might accept it and then silently discard it anyway. Is this something I need to fix, or is it already handled by the Ironport? How can I tell for sure? I've considered telnet'ing in from my home PC and reproducing the commands shown on that site using a real email address of my own, but I'm not really confident in this procedure, or in the procedure of "properly" malforming email addresses. Any advice?

Can anyone recommend further steps for me to take to be sure we are not operating an open relay?

8 REPLIES
New Member

Re: Open relay test results

Hello Tilden,

You can use the CLI (Command LIne) command "findevent" to collect all loglines that belong to a certain message and use that information to see what has happened with the message.
If you search your log (using the grep command on the CLI) for "rlytest" you should find the loglines that are recorded for your relay tests. if you use the MID value found in those lines as input for the "findevent" command you get it clear.

good luck!

Steven

New Member

Re: Open relay test results

Thank you for the quick reply, Steven.

It seems as though my Ironport does not have the "findevent" command. When I tried it I got an "unknown command: findevent" message, and the "help" message does not list findevent. Are you sure that command exists in the Spam and Virus Blocker, and not just other Ironport models?

I notice that there are two upgrades available to download for my Ironport, so maybe it's just that my current version is too old. I'm not sure I'm daring enough to install the upgrades during business hours, so I'll probably do that on the weekend.

Thanks again.

Re: Open relay test results

What version of AsyncOS are you running, looks like you have an old version since the findevent command is available since around 6.0 if im right..

New Member

Re: Open relay test results

The System Overview section says 4.7.0-148. I see 4.7.2 in my list of available upgrades.

Re: Open relay test results

I would recommend to upgrade your system, the findevent command is not available in your system, neither are lots of other improvements, features and bugfixes.

You cannot upgrade straight to 6.5.1 from your version, you probably have to upgrade multiple times to get to 6.5.1, starting with 4.7.2, then upgrade to the following available upgrade..

New Member

Re: Open relay test results

Thanks, I'll definitely upgrade as far as I can at some point. It's a question of timing.

What kind of downtime can I expect when performing upgrades? I'm wondering if I can afford to do it during business hours or if I should wait until the weekend.

Re: Open relay test results

If you have a cluster, you will have almost 'no' downtime.
First upgrade the first appliance, it will continue to deliver mail during the upgrade, you only have some downtime while the system is rebooting. Then upgrade the second.

If you do have a cluster, during the reboot, your second appliance will take over the mailflow. If you don't have a cluster, I recommend to do the upgrades during non-business hours..

New Member

Re: Open relay test results

Wellll....turns out it's a moot point, because now my Ironport is bricked.

One of the updates failed, and our support contract has expired, so Ironport support can't help us fix it. Bummer. I'll have to weigh my options here and decide if it's worth renewing.

The good news is our email server, which no longer sits behind the Ironport, passes every single one of those relay tests.

Thanks a lot for your input, everyone. If I decide to stick with the Ironport, I'm sure I'll be back. :)

322
Views
0
Helpful
8
Replies
CreatePlease login to create content