
mxtoolbox "may be an open relay"

Hi there,

I searched all the topics and found multiple questions but no answer.

 

I configured some mail protection today after we got massive spam (SPF, DKIM, DMARC). RDNS, hostname etc. are OK.

The only leftover warning is this one:


SMTP Server Disconnected: May be an open relay.

With this SMTP message:

Connecting to ************

220 ************ ESMTP ready. [797 ms]
EHLO PWS3.mxtoolbox.com
250-**************** Hello pws3.mxtoolbox.com [64.20.227.134]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP [828 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 OK [828 ms]
RCPT TO:<test@example.com>

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

PWS3v2 6297ms

The SMTP log from the UTM:

2016:02:01-18:05:38 remote exim-in[29901]: 2016-02-01 18:05:38 SMTP connection from [64.20.227.134]:60937 (TCP/IP connection count = 1)

2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 Warning: Exception matched: Skipping greylisting for this message
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 Warning: Exception matched: Skipping antispam for this message
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 F=<supertool@mxtoolbox.com> rejected RCPT <test@example.com>: Relay not permitted
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 SMTP connection from pws3.mxtoolbox.com [64.20.227.134]:60937 closed by DROP in ACL
I totally whitelisted the mxtoolbox IP, so that can't be the reason.
Any solution would be nice. Thank you.
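As an added example (not from the post or from Sophos), the following Python shows why the tester reports "may be" rather than "relay denied": it classifies the reply to RCPT TO and treats a dropped connection as inconclusive, and the same check can be run live against your own MX; the host and the addresses are placeholders.

```python
import smtplib
OPEN_RELAY = "open relay: RCPT TO for a foreign domain was accepted"
RELAY_DENIED = "relay denied: RCPT TO refused with a 5xx reply"
DEFERRED = "deferred: RCPT TO got a 4xx reply, retest later"
INCONCLUSIVE = "inconclusive: connection dropped before RCPT TO was answered"

def classify_rcpt(code):
    """Map the reply code to RCPT TO (None = no reply at all) to a verdict."""
    if code is None:
        return INCONCLUSIVE
    if 200 <= code < 300:
        return OPEN_RELAY
    if 400 <= code < 500:
        return DEFERRED
    return RELAY_DENIED

def classify_transcript(lines):
    """Verdict for a captured transcript like the mxtoolbox output above.
    The reply to RCPT TO is the first line after that command starting with a
    three-digit code; no such line (e.g. 'connection lost') means the server
    hung up, which is what the UTM's 'closed by DROP in ACL' produces."""
    after_rcpt = False
    for line in lines:
        line = line.strip()
        if line.upper().startswith("RCPT TO:"):
            after_rcpt = True
        elif after_rcpt and line[:3].isdigit():
            return classify_rcpt(int(line[:3]))
    return INCONCLUSIVE

def relay_probe(host, port=25, sender="probe@example.net",
                rcpt="test@example.com", timeout=15):
    """Live self-check of your own MX (host and addresses are placeholders)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            code, _ = smtp.mail(sender)
            if code != 250:
                return f"MAIL FROM refused ({code}); relay test not reached"
            code, _ = smtp.rcpt(rcpt)
            return classify_rcpt(code)
    except smtplib.SMTPServerDisconnected:
        return INCONCLUSIVE  # server hung up, as the UTM did in the post

# Constructed transcript mirroring the mxtoolbox output quoted in the post.
MXTOOLBOX_TRANSCRIPT = """\
250 OK [828 ms]
RCPT TO:<test@example.com>
SendSMTPCommand: You hung up on us after we connected. (connection lost)
""".splitlines()
```

A server that answers RCPT TO with 550 and then lets the client QUIT is classified as "relay denied"; one that drops the session instead is indistinguishable, from the tester's side, from a broken server.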


  • As I can see from the logs, your UTM is doing just what it is supposed to do... dropping relaying attempts.
    Are you only concerned about that mxtoolbox "May be an open relay" message?
  • Yeah. I thought there had to be something like "relaying denied", so the HELO gets a clean quit.
  • Did anyone find a solution? I get the same result on my PCI compliance test. Also, is there a way to disable the clear-text authentication method on the SMTP proxy for unencrypted (non-SSL/TLS) sessions?


    G.

  • mxtoolbox didn't have the reason why it was dropped, that's why.

  • Dino, what happens if you put *.* in 'Require TLS Negotiation Sender Domains' on the 'Advanced' tab of 'SMTP'?  That should prevent any unencrypted SMTP connections.

    UPDATE 2017-04-25: This trick doesn't work.

    In any case, if you don't allow relaying except from your internal mail server, you have zero exposure.  Your PCI compliance tester should know that his tool can provide non-negatives that are not positives.  After they're done, ask to see the notes that they have kept for the next scan.  If they haven't kept any, find a different provider.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't recommend requiring TLS for SMTP connections. You will probably miss traffic that you want.

    In order to determine if this was something safe to implement, you would need:

    • A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS
    • What certificate integrity rules will be enforced if this feature is enabled
    • Whether the correspondents in your mail log had qualifying certificate chains
    • After implementation, how you would parse logs to identify sites that need an exception, and
    • How that exception would be configured

    UTM comes up lacking on both the documentation and the reporting requirements.

  • "I don't recommend requiring TLS for SMTP connections."

    • "A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS"

    Does anyone know how to enable this in exim?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I had to search the forum to infer that "exim" is the UTM mail subsystem.  

    If there are known ways to query the mail engine from something other than the UTM user interface, I would love to see a "getting started guide" for doing so.  The UTM user interface is an obstacle to doing any type of global mail analysis.

    At present our UTM mail manager sits behind a Barracuda email filter. I have been pleasantly surprised at UTM's ability to detect spam that Barracuda allows through, and I have not yet had any false positives.

    Despite this good experience, I have not been willing to make UTM my only email filter because it does not filter on Reverse DNS of the sending server, and because of the weak management interface.  I would be willing to develop a custom reporting tool if I had enough information to get started.


  • Hey Bob, your suggestion did not really do anything. The problem I have is that the email protection SMTP server or proxy is using an unencrypted channel for the transmission of data. What I am trying to do is drop the connection on port 25 when telnet is used. I believe the Sophos UTM is blocking with a "550 Relay not permitted", but is this the correct approach or am I missing something here?

  • Doug, you said, "it does not filter on Reverse DNS of the sending server."  What does the Barracuda do that the UTM doesn't?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA