How to disable anonymous relay to the Intranet

lxq

Dec 21, 2019
Hi all, I can send anonymous email to the intranet in PMG. How do I disable this?

Telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220 IT-PMG-01.contoso.com ESMTP Proxmox
helo test.contoso.com
250 IT-PMG-01.contoso.com
mail from:<test@contoso.com>
250 2.1.0 Ok
Rcpt to:<test@contoso.com>
250 2.1.5 Ok
Data
354 End data with <CR><LF>.<CR><LF>
test mail
.
250 2.0.0 Ok: queued as 0B8A846107E

Thanks,
 
* you can e-mail all domains listed in your 'Relay Domains' from everywhere (because PMG is the MX for those domains)
* you can e-mail everyone, if you're connecting from a trusted IP (listed in Networks) - when connecting to the internal port

* which ports are your internal and external port? (internal port has fewer protections)
* is contoso.com listed as Relay Domain?
* which networks have you entered in the 'Networks' tab (Configuration-> Mail Proxy)?

I hope this helps!
 
Hello Stoiko,
I use the Internet 25 port test;
Contoso.com is a relay domain;
Configuration-> Mail Proxy-Networks is server network,but no work

Best regards
 
I use the Internet 25 port test;
Sorry, I was not clear enough - which ports have you configured in 'Configuration' -> 'Mail Proxy' -> 'Ports'?
(the external port is stricter in where you can send mails to: only to a relay domain)

Contoso.com is a relay domain;
then it is expected that you can send an email to '@contoso.com'

an open relay would be if you could connect from an external IP and send an e-mail to an unrelated domain (e.g. to @gmail.com)

Configuration-> Mail Proxy-Networks is server network,but no work
Not sure what you mean by that?

I hope this helps!
 
My configuration:
Mail Proxy--Ports
External SMTP Port 25
Internal SMTP Port 26
Networks
None
I cannot send an e-mail to an unrelated domain (e.g. to @gmail.com),
but I can send an e-mail to @contoso.com
 
That's not an open relay. That's how an MX is supposed to work.
Sorry for reviving an old thread, but are you telling me that PMG is supposed to allow anonymous senders to send mails from your PMG as long as it is to a domain listed under "Relay domains"?
 
As long as the destination domain is in the relay domain list, yes (and if the backend server validates the destination mailbox is valid too)
Isn't that a security issue? So basically if I know your listed domains and email accounts, I can send internal spam and phishing mails inside your organization?

The real question is, is there a way to combat this?

My first thought is by rules if it's possible to check the sender IP, but I haven't checked yet.

Or is it possible to password protect the relay?
 
That's how email works: anybody can send emails to your mailbox. And that's the reason PMG exists: to limit the risk of receiving spam and other unwanted email.
 
Hi Daniel. Thanks for the reply. I understand that everybody can send to my mailbox but not why everybody can send from my relay. This can cause phishing mails if someone knows a trusted mail from my server by sending from my mail to another one of my mails. Hope I make sense.
 
Nope, I don't understand your concern. Everybody can send an email to your inbox, and the only way to reach your inbox from the outside should be through your PMG. It only adds a security layer.
 
My concern is that if you know my email right now you can send a mail from 1@mymail to 2@mymail through my PMG using any SMTP tool
 
And that's the expected behavior. Now, to protect you from this sender address spoofing, you need to set up SPF/DKIM/DMARC
I've set up SPF (it was before as well) but PMG completely ignores the SPF.
I've been through multiple threads where other users cannot make the SPF check work as expected.
 
I've set up SPF (it was before as well) but PMG completely ignores the SPF.
I did. It's 100% valid. The problem is just that SpamAssassin doesn't weight SPF rules very high.
I tried increasing the SPF_FAIL and SPF_NONE rules but it caused e-mails from Gmail to be blocked, which is very weird - apparently Gmail doesn't use SPF, I guess, since a Gmail mail triggers the SPF_NONE rule.

I'm currently testing the relay from an SMTP Test Tool, and trying to identify what rules are applied to the mails sent from the SMTP Test Tool, and manually trying to fine-tune the rules in SpamAssassin
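
The distinction drawn in this thread, written as a check over an SMTP test transcript: an accepted recipient in a relay domain is normal MX behaviour, an accepted recipient in an unrelated domain from an untrusted client is an open relay, and an accepted local-domain sender from outside is the spoofing case left to SPF/DKIM/DMARC. This is an added example, not part of any post and not Proxmox code; `assess`, the sample session and the wording of the 554 reply are constructed for illustration.

```python
import re

# Constructed session modelled on the thread: the first RCPT is the poster's test,
# the second is the unrelated-domain probe described in the replies.
SAMPLE = """\
220 IT-PMG-01.contoso.com ESMTP Proxmox
helo test.contoso.com
250 IT-PMG-01.contoso.com
mail from:<test@contoso.com>
250 2.1.0 Ok
Rcpt to:<test@contoso.com>
250 2.1.5 Ok
rcpt to:<someone@gmail.com>
554 5.7.1 Relay access denied
"""

CMD = re.compile(r"^(mail from|rcpt to):\s*<[^<>@\s]*@([^<>\s]+)>", re.I)
REPLY = re.compile(r"^(\d{3})[ -]")

def assess(transcript, relay_domains, client_trusted=False):
    """Return (findings, spoof_candidate) for one client-side SMTP transcript."""
    relay = {d.lower() for d in relay_domains}
    findings, sender, pending = [], None, None
    for line in transcript.splitlines():
        line = line.strip()
        m = CMD.match(line)
        if m:  # remember the command until the server's reply arrives
            pending = (m.group(1).lower(), m.group(2).lower())
            continue
        r = REPLY.match(line)
        if not (r and pending):
            continue
        verb, domain = pending
        pending = None
        accepted = r.group(1).startswith("2")
        if verb == "mail from":
            sender = domain if accepted else None
        elif not accepted:
            findings.append((domain, "rejected"))
        elif domain in relay:
            findings.append((domain, "expected: inbound for relay domain"))
        elif client_trusted:
            findings.append((domain, "expected: trusted network"))
        else:
            findings.append((domain, "OPEN RELAY"))
    # Accepted local-domain sender from an untrusted client: the SPF/DKIM/DMARC case.
    spoof = (not client_trusted and sender in relay
             and any(v.startswith("expected: inbound") for _, v in findings))
    return findings, spoof
```
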
 
