Prevent anonymous users from sending through my PMG?

[The Merchant]

Hello. I'm using PMG as a mail proxy for my Exchange mailserver.

Yesterday I noticed that it's possible to send mails anonymously from the domains listed in my relay domains, to any other domain listed in my relay domains. I tested from an unrelated external network, and i was able to send emails from my relay using a simple SMTP tester, but only from and to mydomains.tld.

I was convinced that only IPs listed in the networks tab were allowed to send FROM the relay.

Luckily this hasn't been abused yet except from 1 single phishing mail that made me aware of the issue (so thanks spammer).

How do i prevent any other network to send from the relay, except from those listed in trusted networks - regardless of the sender and receiver domain?

I hope my question makes sense.

I've posted some screenshots of my configuration.

Thanks in advance.

 

[Stoiko Ivanov]

Yesterday I noticed that it's possible to send mails anonymously from the domains listed in my relay domains, to any other domain listed in my relay domains. I tested from an unrelated external network, and i was able to send emails from my relay using a simple SMTP tester, but only from and to mydomains.tld.

This is how SMTP works - there is no built-in authentication between Servers sending mail over the internet.

The Access control in PMG works as follows:
* everybody (the public internet) can send e-mails to your _Relay Domains_ (this includes your users) on the external port (defaults to 25)
* everybody coming from a _Trusted Network_ can send mail everywhere on the internal port (defaults to 26)

If you want to prevent address spoofing - the technologies are called SPF, DKIM, DMARC (but they also do not work 100%)

I hope this helps

 

[MarekW]

This is how SMTP works - there is no built-in authentication between Servers sending mail over the internet.

The Access control in PMG works as follows:
* everybody (the public internet) can send e-mails to your _Relay Domains_ (this includes your users) on the external port (defaults to 25)
* everybody coming from a _Trusted Network_ can send mail everywhere on the internal port (defaults to 26)

If you want to prevent address spoofing - the technologies are called SPF, DKIM, DMARC (but they also do not work 100%)

I hope this helps

What if I need to use PMG as an SMTP server for a third party application? That application requires to enter a user and password in the SMTP configuration and it does not accept an empty user/password.

 

[Stoiko Ivanov]

What if I need to use PMG as an SMTP server for a third party application? That application requires to enter a user and password in the SMTP configuration and it does not accept an empty user/password.

which application is that - as I think I have not encountered any that really _needs_ SMTPAUTH on the client side?

anyways - why not point that application to your downstream server, which has the mailboxes (and thus also accounts) ?

 

[MarekW]

which application is that - as I think I have not encountered any that really _needs_ SMTPAUTH on the client side?

anyways - why not point that application to your downstream server, which has the mailboxes (and thus also accounts) ?

It is https://www.streamsoft.eu/
And yes - we finally ended up with using the internal mail server which is the good old Domino 9.0 mail server

Thanks for your advice!

Marek