False Mail Relay Report?

phisto · September 18, 2020, 6:16pm

The scan report I got for mail relay appears to be false. The result is different when I try to relay from the command line. Below is the report from GVM:

Summary

The remote SMTP server is insufficiently protected against mail relaying.

Detection Result

The scanner was able to relay mails by sending those sequences:
Request: MAIL FROM: openvasvt@nyx
Answer: 250 OK
Request: RCPT TO: openvasvt@example.com
Answer: 250 Accepted
Request: data
Answer: 354 Enter message, ending with “.” on a line by itself
Request: OpenVASVT-Relay-Test
.
Answer: 250 OK id=1kIaO1-004Kpo-Ls

When I try to reproduce this on the command line, I get the following:

telnet mail.xxxxxxxxxxxx.com 587
Trying XXX.185.52.XXX…
Connected to mail.xxxxxxxxxxxx.com.
Escape character is ‘^]’.
220-xxxx4154.xxxxxxx.com ESMTP Exim 4.93 #2 Fri, 18 Sep 2020 12:16:05 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
MAIL FROM: openvasvt@nyx
550 HELO required before MAIL
ehlo haxor@home.com
250-xxxxxxx.xxxxxx.com Hello haxor@home.com [XXX.118.XX.XX]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 SMTP AUTH is required for message submission on port 587
Connection closed by foreign host.

I have performed the scan twice and gotten this false report. Each time I try from the command line, I cannot relay as the server closes the connection immediately after RCPT TO:. Why this discrepancy ? Can GVM be updated to include the entire mail transaction so the mail server version is seen in the report ?

Lukas · September 19, 2020, 8:15am

That shows that the Mail is accepted, please check your MTA.and your MTA logs. Maybe it is dropped later or some wired anti-spam solution is accepting it.

phisto · September 19, 2020, 9:01am

That is what the GVM report tells me, that the mail is accepted. When I try to replicate that on the command line the results are markedly different. I have scanned on two occasions and the report says the server is an open relay, when I try to mimic the GVM session with telnet, the mail is not accepted for relay as shown in the original post

Lukas · September 19, 2020, 9:24am

You are doing something different, first i would use netcat and NOT telnet, that is not a clear socket connection. Then you are talking different to your MTA. Please have t look into the SMTP RFC. So what does your mail-log say ? It´s more important to see what your mail-log is saying.

What happened on port 25 ? Whit out seeing the complete scan results, i can´t tell you more. It could be that your MTA accepts on port 25 and need auth on port 587 (that looks like a broken MTA setup). You need to investigate this by reading:

The MTA Logs
The MTA configuration
The Scan-Report including ports used.

phisto · September 19, 2020, 9:41am

Below are sessions to port 25 and 587 using netcat:

nc mail.xxxxxxxxxx.com 25
220-***************************************************************************
220-*********************************************************************
220 *******************
MAIL FROM: openvasvt@nyx
550 HELO required before MAIL
helo haxor@home.net
250 xxxxxxx.xxxxxxx.com Hello haxor@home.net [154.xxx.xx.70]
RCPT TO: openvasvt@example.com
503 sender not yet given
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 “Sorry, you are sending to/from an address that has been blacklisted”

nc mail.xxxxxxxxxx.com 587
220-gator4154.hostgator.com ESMTP Exim 4.93 #2 Sat, 19 Sep 2020 04:31:22 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
MAIL FROM: openvasvt@nyx
550 HELO required before MAIL
helo haxor@home.com
250 gator4154.hostgator.com Hello haxor@home.com [154.xxx.xx.70]
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 SMTP AUTH is required for message submission on port 587

No changes have been carried out on mail server before or after the scan. Why is the response to RCPT TO: openvasvt@example.com different from the scan report and when I use netcat ?

Lukas · September 19, 2020, 9:48am

You did not look into the Logs or the SMTP RFC, first send the HELO and then the MAIL-FROM , HELO or EHELO is resetting the state back and Exim in rejecting the Mail.

Please have a look into you MTA logs.

phisto · September 19, 2020, 10:00am

I get the same result:

nc mail.xxxxxxxx.com 25
220-***************************************************************************
220-*********************************************************************
220 *******************
helo haxor@home.com
250 xxxxx.xxxxxx.com Hello haxor@home.com [154.xxx.xx.70]
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 “Sorry, you are sending to/from an address that has been blacklisted”
^C

nc mail.xxxxxxxx.com 587
220-xxxxxx.xxxxxxxx.com ESMTP Exim 4.93 #2 Sat, 19 Sep 2020 04:51:57 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo haxor@home.com
250 gator4154.hostgator.com Hello haxor@home.com [154.xxx.xx.70]
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 SMTP AUTH is required for message submission on port 587

cfi · September 19, 2020, 10:43am

I also don’t think that this is a false report. Probably the following plays a role here:

The VT is using an HELO based on the accepted HELO name of the VT check_smtp_helo.nasl which is either one of these two:

openvasvt@$scannerhost
openvasvt@example.com (the default which can be changed in the preferences of the “SMTP settings” VT preferences found within the “Settings” family)

It could indeed make sense to include the sent HELO request and the SMTP banner. This will be added in the next couple of weeks.

phisto · September 19, 2020, 11:01am

You are correct. Thanks for your response:
I tried it with a modified helo:

nc mail.xxxxxxxx.com 25
220-***************************************************************************
220-*********************************************************************
220 *******************
helo openvas@xxxxxx.xxxxxxx.com
250 xxxxx.xxxx.com Hello openvas@xxx.xxxxxxx.com [154.xxx.xx.70]
MAIL FROM: openvasvt@xxx
250 OK
RCPT TO: xxxxxx@hotmail.com
250 Accepted
data
354 Enter message, ending with “.” on a line by itself
Testing relay
.
250 OK id=1kJaU6-000VfN-2h
^C

I guess I would not have made these mistakes if the entire transaction was in the report. I was actually doubting which mail server the report was from when I did not see the banner in the report.

Lukas · September 19, 2020, 11:09am

Why don´t you check your MTAs logs, that would easy give you the answer ?

cfi · November 16, 2020, 8:46am

For the records, the mentioned VT is now reporting the SMTP banner as well as the full sequence like below.

SMTP banner:

220 mymailhost.mydomain ESMTP Postfix (Debian/GNU)<CR><LF>

The scanner was able to relay mail by sending the following sequences:

Request: HELO mydomain<CR><LF>
Answer:  250 mymailhost.mydomain<CR><LF>
Request: MAIL FROM: <openvasvt@mydomain><CR><LF>
Answer:  250 2.1.0 Ok<CR><LF>
Request: RCPT TO: <admin@mydomain><CR><LF>
Answer:  250 2.1.5 Ok<CR><LF>
Request: data<CR><LF>
Answer:  354 End data with <CR><LF>.<CR><LF><CR><LF>
Request: Subject: OpenVASVT-Relay-Test<CR><LF>To: OpenVASVT-Relay-Test <admin@mydomain><CR><LF>From: OpenVASVT-Relay-Test <openvasvt@mydomain><CR><LF><CR><LF>This is a OpenVASVT-Relay-Test to test the mail server at:<CR><LF><CR><LF>mymailhost.mydomain<CR><LF><CR><LF>if it is configured as an open mail relay.<CR><LF><CR><LF>If you have received this message please forward it to the administrator of this mail server and ask to protect it against mail relaying.<CR><LF>.<CR><LF>
Answer:  250 2.0.0 Ok: queued as 497C13FC8D<CR><LF>