This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Authentication (Sophos as smtp relay to internal Exchange server)

Hi,

 

we have Sophos as SMTP relay to our internal Exchange server. SMTP authentication is not yet enabled on the Exchange.

So the Sophos will relay the emails to the Exchange.

Right now is possible to send emails using SMTP port (25) from one or our domain's user accounts to any another of our domain's user accounts without authentication. Which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside of our networks... like if I were an attacker).

 

So the questions are:

 

1) Right now (when SMTP authentication is not enabled in the Exchange server),  is there a way to stop that behavior?

 

2) Once we enable SMTP authentication in the Exchange server, the sophos will still be whitelisted as the Exchange server needs to "rely" on the Sophos. How can we stop that behavior then?

 

 



This thread was automatically locked due to age.
Parents
  • The Bee said:

    Right now is possible to send emails using SMTP port (25) from one or our domain's user accounts to any another of our domain's user accounts without authentication. Which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside of our networks... like if I were an attacker).

    Please read my post about SPF! This is one possible way that you can use!

    https://en.wikipedia.org/wiki/Sender_Policy_Framework

     

    Regards

    mod

  • Most mail servers will accept mail on port 25. How else would I be able to send mail to one of your users?

    Telneting to a mail server and entering a valid user with data etc and a mail from will result in the mail server accepting the mail (either from your domain user or a complete stranger)

    Are you getting this mixed up with an open relay?

  • Hi Louis,

    if you setup a SPF txt record in public dns for your own domain and setup your utm to check SPF records, no one can send an email from an external source with a sender address from your own mail domain. In SPF is defined which sender addresses are allowed to send mails for this mail domain.

    regards

    mod

  • Hi Mod,

    yes I'm familiar with SPF, DKIM & DMARC etc. However, I think this thread has some crossed wires here.

    The OP states that he can send mail on port 25 from outside to any of his users. I'd be surprised if he couldn't. Without further detail, my guess is the OP has telneted to his mail server, entered a valid recipient, the data and from a sender and the mail server has accepted this (as you would expect it to)

    The above is not the same as "relaying" mail for the OP's domain. The mail server is simply accepting mail for a valid recipient by the sound of it.

    Now, if the OP turned around and said that he could send mail VIA his mail server to another user outside of his domain (without authentication or other restrictions), then that is entirely a different matter as an open relay he would have.

    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

  • Hi Louis-M,

     

    Louis-M said:
    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

     

     

    so it is considered "normal" to being able to do that? because for me that's a big security issue that might lead to phishing or so... being able to send emails on behalf of another person? attacked could do that and tell "please reply to this other email account" or maybe attach malware/virus/etc?

     

    Also, in my case, I'm not only able to use valid recipients/sender, but also invalid/non-existent recipients and/or senders.

Reply
  • Hi Louis-M,

     

    Louis-M said:
    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

     

     

    so it is considered "normal" to being able to do that? because for me that's a big security issue that might lead to phishing or so... being able to send emails on behalf of another person? attacked could do that and tell "please reply to this other email account" or maybe attach malware/virus/etc?

     

    Also, in my case, I'm not only able to use valid recipients/sender, but also invalid/non-existent recipients and/or senders.

Children
No Data