
mxtoolbox "may be an open relay"

Hi there,

I searched all the topics and found multiple questions but no answer.


I configured some mail protection today after we got massive spam (SPF, DKIM, DMARC). rDNS, hostname etc. are OK.

The only left-over warning is this one:


SMTP Server Disconnected: May be an open relay.

With this SMTP message:

Connecting to ************

220 ************ ESMTP ready. [797 ms]
EHLO PWS3.mxtoolbox.com
250-**************** Hello pws3.mxtoolbox.com [64.20.227.134]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP [828 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 OK [828 ms]
RCPT TO:<test@example.com>

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

PWS3v2 6297ms

The SMTP log from the UTM:

2016:02:01-18:05:38 remote exim-in[29901]: 2016-02-01 18:05:38 SMTP connection from [64.20.227.134]:60937 (TCP/IP connection count = 1)
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 Warning: Exception matched: Skipping greylisting for this message
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 Warning: Exception matched: Skipping antispam for this message
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 F=<supertool@mxtoolbox.com> rejected RCPT <test@example.com>: Relay not permitted
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 SMTP connection from pws3.mxtoolbox.com [64.20.227.134]:60937 closed by DROP in ACL

I totally whitelisted the mxtoolbox IP, so that can't be the reason.
Any solution would be nice. Thank you.
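
As an added illustration (not part of the original post and not Sophos UTM or mxtoolbox code), the following Python script reproduces both sides of the exchange above on the loopback interface. The simulated gateway answers a RCPT TO for a foreign domain with "550 Relay not permitted"; with drop_on_reject set it instead closes the session before any reply reaches the client, which is the "You hung up on us after we connected" symptom. The probe side shows why a relay tester can only say "may be" in that case: a disconnect is neither a 250 nor a 550, so the relay status is unknown to the tester even though the UTM log shows the relay was refused. Domain names, addresses and the verdict strings are constructed for the example; the only real behaviour assumed is that of Python's standard smtplib.

```python
import smtplib
import socket
import threading

# Constructed local domain for the simulated gateway; anything else is a relay attempt.
LOCAL_DOMAIN = "example.org"


def _serve_session(conn, drop_on_reject):
    """Minimal SMTP responder modelled on the exim log in the post above.

    A RCPT TO for a foreign domain gets '550 Relay not permitted'. When
    drop_on_reject is set the socket is closed instead, so the client never
    receives a reply (the 'connection lost' the tester reported).
    """
    with conn:
        conn.sendall(b"220 mail.example.org ESMTP ready\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                cmd = line.decode("ascii", errors="replace")
                verb = cmd.split(" ", 1)[0].upper()   # smtplib sends verbs in lower case
                if verb in ("EHLO", "HELO"):
                    conn.sendall(b"250-mail.example.org Hello\r\n"
                                 b"250-AUTH PLAIN LOGIN\r\n"
                                 b"250 HELP\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 OK\r\n")
                elif verb == "RCPT":
                    rcpt = cmd.split(":", 1)[1].strip().strip("<>")
                    if rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                        conn.sendall(b"250 Accepted\r\n")
                    elif drop_on_reject:
                        return          # close without a reply: client sees a disconnect
                    else:
                        conn.sendall(b"550 Relay not permitted\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    conn.sendall(b"500 Command not recognised\r\n")


def start_gateway(drop_on_reject):
    """Start the simulated gateway on an ephemeral loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listening socket was closed
            threading.Thread(target=_serve_session, args=(conn, drop_on_reject),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_relay(host, port, sender="probe@example.com", rcpt="test@example.com"):
    """Attempt one relay through host:port against your own server and classify it.

    Returns (verdict, detail) with verdict one of
      'accepted'      - recipient taken (an open relay if rcpt is a foreign domain)
      'relay_refused' - server answered 5xx, relaying is closed
      'disconnected'  - session closed before a reply; relay status unknown
    """
    try:
        with smtplib.SMTP(host, port, local_hostname="probe.example.com", timeout=5) as smtp:
            smtp.ehlo()
            code, msg = smtp.mail(sender)
            if code != 250:
                return "mail_refused", f"{code} {msg.decode()}"
            code, msg = smtp.rcpt(rcpt)
            detail = f"{code} {msg.decode()}"
            return ("accepted" if code == 250 else "relay_refused"), detail
    except smtplib.SMTPServerDisconnected:
        return "disconnected", "no reply received before the server closed the connection"


if __name__ == "__main__":
    for drop in (False, True):
        gateway, port = start_gateway(drop_on_reject=drop)
        print(f"drop_on_reject={drop}:", probe_relay("127.0.0.1", port))
        gateway.close()
```

Run against the simulated gateway, the same probe yields "relay_refused" when the 550 is delivered and "disconnected" when the session is dropped first; only the first outcome lets the tester prove the relay is closed, which is why the UTM's own "rejected RCPT ... Relay not permitted" log line is the evidence that matters here.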


This thread was automatically locked due to age.
  • Did anyone find a solution? I get the same result on my PCI compliance test. Also, is there a way to disable the clear-text authentication method on the SMTP proxy for unencrypted (non-SSL/TLS) sessions?


    G.

  • Dino, what happens if you put *.* in 'Require TLS Negotiation Sender Domains' on the 'Advanced' tab of 'SMTP'?  That should prevent any unencrypted SMTP connections.

    UPDATE 2017-04-25: This trick doesn't work.

    In any case, if you don't allow relaying except from your internal mail server, you have zero exposure.  Your PCI compliance tester should know that his tool can provide non-negatives that are not positives.  After they're done, ask to see the notes that they have kept for the next scan.  If they hadn't kept any, find a different provider.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't recommend requiring TLS for SMTP connections.   You will probably miss traffic that you want.    

    In order to determine if this was something safe to implement, you would need:

    • A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS
    • What certificate integrity rules will be enforced if this feature is enabled
    • Whether the correspondents in your mail log had qualifying certificate chains
    • After implementation, how you would parse logs to identify sites that need an exception, and
    • How that exception would be configured 

    UTM comes up lacking on both the documentation and the reporting requirements.

  • "I don't recommend requiring TLS for SMTP connections."

    • "A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS"

    Does anyone know how to enable this in exim?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I had to search the forum to infer that "exim" is the UTM mail subsystem.  

    If there are known ways to query the mail engine from something other than the UTM user interface, I would love to see a "getting started guide" for doing so.  The UTM user interface is an obstacle to doing any type of global mail analysis.

    At present our UTM mail manager sits behind a Barracuda email filter.   I have been pleasantly surprised at UTM's ability to detect spam that Barracuda allows through, and I have not yet had any false positives.

    Despite this good experience, I have not been willing to make UTM my only email filter because it does not filter on Reverse DNS of the sending server, and because of the weak management interface.  I would be willing to develop a custom reporting tool if I had enough information to get started.


  • Hey Bob, your suggestion did not really do anything. The problem I have is that the email protection SMTP server or proxy is using an unencrypted channel for the transmission of data. What I am trying to do is drop the connection on port 25 when telnet is used. I believe the Sophos UTM is blocking with a 550 Relay not permitted but is this the correct approach or am I missing something here?

  • Doug, you said, "it does not filter on Reverse DNS of the sending server."  What does the barracuda do that the UTM doesn't?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Reverse DNS -- If I get unwanted spam from x.x.x.x at server1.emailmarketing.com, I can blacklist the IP address, try to guess all of the servers that the sender uses, or just block all of the servers named *.emailmarketing.com.   I can block all mail from servers in Brazil or Russia, if I feel no need to communicate there, by blocking reverse DNS names ending in .ru.

    The difference between the latter and country blocking is that country blocking logs no information in the spam filter (what did I miss) and it is not dependent on blocking all other ports.

    The Barracuda management interface allows very granular multi-attribute searches on the message logs, then displays a list which I can review individually or download to a CSV file for further analysis.  

    There is no way for me to ask UTM for all of the traffic from a particular server (or parent domain), with the disposition of those messages.  That means that I cannot know which servers should be blocked for bad behavior.
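
As an added example (written for this thread, not Sophos code and not a UTM feature), here is a small Python reporting tool of the kind Doug describes: it parses exim-style log lines like the ones in the original post, groups them by the reverse-DNS parent domain of the sending server with each message's disposition, lists everything from one server or domain, and also answers Bob's earlier question by reporting which accepted messages arrived over plain SMTP rather than TLS. The "rejected RCPT" and "closed by DROP in ACL" patterns are taken from the lines in the post; the "<=" accepted-message line is exim's standard format and is assumed here to be what the UTM writes for delivered mail, since the thread does not show one. All log lines other than the two copied from the post are constructed, using documentation address ranges and .example domains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The two pws3.mxtoolbox.com lines are copied from the
# original post; the rest are invented in the same exim format for illustration.
SAMPLE_LOG = """\
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 H=pws3.mxtoolbox.com [64.20.227.134]:60937 F=<supertool@mxtoolbox.com> rejected RCPT <test@example.com>: Relay not permitted
2016:02:01-18:05:40 remote exim-in[5287]: 2016-02-01 18:05:40 SMTP connection from pws3.mxtoolbox.com [64.20.227.134]:60937 closed by DROP in ACL
2016:02:01-18:07:12 remote exim-in[5310]: 2016-02-01 18:07:12 H=mta1.emailmarketing.example [192.0.2.10]:41200 F=<news@emailmarketing.example> rejected RCPT <sales@example.org>: Relay not permitted
2016:02:01-18:07:12 remote exim-in[5310]: 2016-02-01 18:07:12 SMTP connection from mta1.emailmarketing.example [192.0.2.10]:41200 closed by DROP in ACL
2016:02:01-18:09:45 remote exim-in[5322]: 2016-02-01 18:09:45 1aQabc-0001Xy-Zz <= partner@partner.example H=mail.partner.example [198.51.100.7] P=esmtps S=2048 for bob@example.org
2016:02:01-18:11:03 remote exim-in[5330]: 2016-02-01 18:11:03 1aQabd-0001Xz-Aa <= news@emailmarketing.example H=mta2.emailmarketing.example [192.0.2.11] P=esmtp S=9001 for alice@example.org
"""

# Patterns for the three line types we report on.
REJECT_RE = re.compile(
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")
DROP_RE = re.compile(
    r"SMTP connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ closed by DROP in ACL")
ACCEPT_RE = re.compile(   # exim's accepted-message line (assumed UTM format)
    r"<= (?P<sender>\S+) H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+) .*for (?P<rcpt>\S+)")


def parse_line(line):
    """Return a dict for one log line, or None for lines the report ignores."""
    base = {"sender": "", "rcpt": "", "reason": "", "tls": None}
    m = REJECT_RE.search(line)
    if m:
        return {**base, **m.groupdict(), "disposition": "rejected"}
    m = DROP_RE.search(line)
    if m:
        return {**base, **m.groupdict(), "disposition": "dropped"}
    m = ACCEPT_RE.search(line)
    if m:
        fields = m.groupdict()
        proto = fields.pop("proto")
        # exim logs P=esmtps (or esmtpsa) when the session was TLS-encrypted
        return {**base, **fields, "disposition": "accepted", "tls": proto.startswith("esmtps")}
    return None


def parent_domain(host):
    """Collapse a reverse-DNS name to its last two labels, e.g. mta1.x.com -> x.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def summarize(lines):
    """Map parent domain -> Counter of dispositions (rejected / dropped / accepted)."""
    summary = defaultdict(Counter)
    for entry in filter(None, map(parse_line, lines)):
        summary[parent_domain(entry["host"])][entry["disposition"]] += 1
    return summary


def entries_from(lines, domain):
    """All parsed entries whose sending host is `domain` or a subdomain of it."""
    domain = domain.lower()
    return [e for e in filter(None, map(parse_line, lines))
            if e["host"].lower() == domain or e["host"].lower().endswith("." + domain)]


def unencrypted_accepted(lines):
    """Accepted messages that arrived over plain SMTP rather than TLS."""
    return [e for e in filter(None, map(parse_line, lines))
            if e["disposition"] == "accepted" and e["tls"] is False]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for domain, counts in sorted(summarize(lines).items()):
        print(f"{domain:28s} {dict(counts)}")
    for e in unencrypted_accepted(lines):
        print("plain SMTP:", e["host"], e["sender"], "->", e["rcpt"])
```

Pointed at a copy of the UTM's SMTP log, the summary shows for each parent domain how many sessions were rejected, dropped or accepted, and entries_from() gives the per-server history needed to decide whether a domain deserves a block; the TLS column comes from exim's P= protocol field, so no extra reporting feature in UTM is required.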

  • Have you tried iview? It does offer a far better reporting experience than the UTM alone.

  • I did build an IView environment.  It seemed to provide some aggregate reporting, but nothing at the detail level.   My questions tend to be:

    "Tell me everything Sally did on the Internet between <date1> and <date2>"
    This actually gets complicated, because you want to know whether Sally went to all these sites, or Sally went to aol.com and aol.com went to all of these sites without her knowledge.   The request# and referring URL fields can be used to answer the question in this way, but first you need to extract and understand the raw data.

    Tell me all of the uncategorized sites that users visited recently.  (Mine have action "warn".)   I only worry about the entries that have the three-entry sequence of warn-proceed-access.   If the user made a mistake and quit, I don't care.   If the user clicked through to an invalid site name, I don't care.   But if it is a real site, I want to get it categorized, either to save users the warning next time or to do triage if I retroactively learn that the site was dangerous.

    Tell me all of the sites that were blocked because of certificate problems, so I can decide what to do.