How to disable anonymous relay to the Intranet

L

lxq

New Member
Dec 21, 2019
6
0
1
32
hi all,i can anonymous email to intranet in pmg,how to disable?

Telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220 IT-PMG-01.contoso.com ESMTP Proxmox
helo test.contoso.com
250 IT-PMG-01.contoso.com
mail from:<test@contoso.com>
250 2.1.0 Ok
Rcpt to:<test@contoso.com>
250 2.1.5 Ok
Data
354 End data with <CR><LF>.<CR><LF>
test mail
.
250 2.0.0 Ok: queued as 0B8A846107E

Thinks,
 
* you can e-mail all domains listed in your 'Relay Domains' from everywhere (because PMG is the MX for those domains)
* you can e-mail everyone, if you're connecting from a trusted IP (listed in Networks) - when connecting to the internal port

* which ports are your internal and external port? (internal port has less protections)
* is contoso.com listed as Relay Domain?
* which networks have you entered in the 'Networks' tab (Configuration-> Mail Proxy)?

I hope this helps!
 
Stoiko Ivanov said:
* you can e-mail all domains listed in your 'Relay Domains' from everywhere (because PMG is the MX for those domains)
* you can e-mail everyone, if you're connecting from a trusted IP (listed in Networks) - when connecting to the internal port

* which ports are your internal and external port? (internal port has less protections)
* is contoso.com listed as Relay Domain?
* which networks have you entered in the 'Networks' tab (Configuration-> Mail Proxy)?

I hope this helps!
Click to expand...
Hello Stoiko,
I use the Internet 25 port test;
Contoso.com is a relay domain;
Configuration-> Mail Proxy-Networks is server network,but no work

Best regards
 
lxq said:
I use the Internet 25 port test;
Click to expand...
Sorry was not clear enough - which ports have you configured in 'Configuration' -> 'Mail Proxy' -> 'Ports'
(the external port is stricter in where you can send mails to (only to a relay domain)

lxq said:
Contoso.com is a relay domain;
Click to expand...
then it is expected that you can send an email to '@contoso.com'

an open relay would be if you could connect from an external IP and send an e-mail to an unrelated domain (e.g. to @gmail.com)

lxq said:
Configuration-> Mail Proxy-Networks is server network,but no work
Click to expand...
Not sure what you mean by that?

I hope this helps!
 
Stoiko Ivanov said:
Sorry was not clear enough - which ports have you configured in 'Configuration' -> 'Mail Proxy' -> 'Ports'
(the external port is stricter in where you can send mails to (only to a relay domain)


then it is expected that you can send an email to '@contoso.com'

an open relay would be if you could connect from an external IP and send an e-mail to an unrelated domain (e.g. to @gmail.com)


Not sure what you mean by that?

I hope this helps!
Click to expand...
i configuration
Mail Proxy--Ports
External SMTP Port 25
Internal SMTP Port 26
Networks
None
i can not send an e-mail to an unrelated domain (e.g. to @gmail.com)
but i can send an e-mail to @contoso.com
 
danielb said:
That's not an open relay. That's how an MX is supposed to work.
Click to expand...
Sorry for reviving an old thread, but are you telling me that PMG is suppose to allow anonymous senders send mails from your PMG as long as it is to a domain listed under "Relay domains"?
 
As long as the destination domain is in the relay domain list, yes (and if the backend server validates the destination mailbox is valid too)
 
danielb said:
As long as the destination domain is in the relay domain list, yes (and if the backend server validates the destination mailbox is valid too)
Click to expand...
Isn't that a security issue? So basically if I know your listed domains and email accounts, I can send internal spam and phishing mails inside your organization?

The real question is, is there a way to combat this?

My first thought is by rules if it's possible to check the sender IP, but I haven't checked yet.

Or is it possible to password protect the relay?
 
That's how email works : anybody can send emails to your mailbox. And that's the reason pmg exists : limit the risk of receiving spam and orher unwanted email
 
danielb said:
That's how email works : anybody can send emails to your mailbox. And that's the reason pmg exists : limit the risk of receiving spam and orher unwanted email
Click to expand...
Hi Daniel. Thanks for the reply. I understand that everybody can send to my mailbox but not why everybody can send from my relay. This can cause phishing mails if someone knows a trusted mail from my server by sending from my mail to another one of my mails. Hope I make sense.
 
Nope, I dont understand your concern. Everybody can send an email to your inbox, and the only way to reach your inbox from the outside should be though your PMG. It only adds a security layer.
 
My concern is that if you know my email right now you can send a mail from 1@mymail to 2@mymail through my PMG using any SMTP tool
 
danielb said:
And that's the expected behavior. Now, to protect you from this sender address spoofing, you need to setup SPF/DKIM/DMARC
Click to expand...
I've setup SPF (it was before as well) but PMG completely ignores the SPF.
I've been through multiple threats where other users cannot make the SPF check work as expected.
 
Last edited:
The Merchant said:
I've setup SPF (it was before as well) but PMG completely ignores the SPF.
Click to expand...
I did. It's 100% valid. The problem is just that SpamAssassin doesn't weight SPF rules very high.
I tried increasing the SPF_FAIL and SPF_NONE rules but it caused e-mails from Gmail to be blocked, which is very weird - apparently Gmail doesn't use SPF i guess, since a Gmail mail triggers the SPF_NONE rule.

I'm currently testing the relay from a SMTP Test Tool, and trying to identify what rules are applied to the mails sent from the SMTP Test Tool, and manually trying to finetune the rules in SpamAssassin
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back