The scan report I got for mail relay appears to be false. The result is different when I try to relay from the command line. Below is the report from GVM:
Summary
The remote SMTP server is insufficiently protected against mail relaying.
Detection Result
The scanner was able to relay mails by sending those sequences:
Request: MAIL FROM: openvasvt@nyx
Answer: 250 OK
Request: RCPT TO: openvasvt@example.com
Answer: 250 Accepted
Request: data
Answer: 354 Enter message, ending with “.” on a line by itself
Request: OpenVASVT-Relay-Test
.
Answer: 250 OK id=1kIaO1-004Kpo-Ls
When I try to reproduce this on the command line, I get the following:
telnet mail.xxxxxxxxxxxx.com 587
Trying XXX.185.52.XXX…
Connected to mail.xxxxxxxxxxxx.com.
Escape character is '^]'.
220-xxxx4154.xxxxxxx.com ESMTP Exim 4.93 #2 Fri, 18 Sep 2020 12:16:05 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
MAIL FROM: openvasvt@nyx
550 HELO required before MAIL
ehlo haxor@home.com
250-xxxxxxx.xxxxxx.com Hello haxor@home.com [XXX.118.XX.XX]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 SMTP AUTH is required for message submission on port 587
Connection closed by foreign host.
I have performed the scan twice and gotten this false report. Each time I try from the command line, I cannot relay, as the server closes the connection immediately after RCPT TO:. Why this discrepancy? Can GVM be updated to include the entire mail transaction so the mail server version is seen in the report?
That shows that the mail is accepted; please check your MTA and your MTA logs. Maybe it is dropped later or some weird anti-spam solution is accepting it.
That is what the GVM report tells me, that the mail is accepted. When I try to replicate that on the command line, the results are markedly different. I have scanned on two occasions and the report says the server is an open relay; when I try to mimic the GVM session with telnet, the mail is not accepted for relay, as shown in the original post.
You are doing something different. First, I would use netcat and NOT telnet; that is not a clear socket connection. Then you are talking differently to your MTA. Please have a look into the SMTP RFC. So what does your mail log say? It's more important to see what your mail log is saying.
What happened on port 25? Without seeing the complete scan results, I can't tell you more. It could be that your MTA accepts on port 25 and needs auth on port 587 (that looks like a broken MTA setup). You need to investigate this by reading:
No changes have been carried out on the mail server before or after the scan. Why is the response to RCPT TO: openvasvt@example.com different from the scan report when I use netcat?
You did not look into the logs or the SMTP RFC: first send the HELO and then the MAIL FROM. HELO or EHLO is resetting the state back and Exim is rejecting the mail.
nc mail.xxxxxxxx.com 25
220-***************************************************************************
220-*********************************************************************
220 *******************
helo haxor@home.com
250 xxxxx.xxxxxx.com Hello haxor@home.com [154.xxx.xx.70]
MAIL FROM: openvasvt@nyx
250 OK
RCPT TO: openvasvt@example.com
550 “Sorry, you are sending to/from an address that has been blacklisted”
^C
You are correct. Thanks for your response:
I tried it with a modified helo:
nc mail.xxxxxxxx.com 25
220-***************************************************************************
220-*********************************************************************
220 *******************
helo openvas@xxxxxx.xxxxxxx.com
250 xxxxx.xxxx.com Hello openvas@xxx.xxxxxxx.com [154.xxx.xx.70]
MAIL FROM: openvasvt@xxx
250 OK
RCPT TO: xxxxxx@hotmail.com
250 Accepted
data
354 Enter message, ending with “.” on a line by itself
Testing relay
.
250 OK id=1kJaU6-000VfN-2h
^C
I guess I would not have made these mistakes if the entire transaction was in the report. I was actually doubting which mail server the report was from when I did not see the banner in the report.
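The sessions above differ only in the order of the commands: the first one sent MAIL FROM before any HELO, and a later EHLO reset the transaction, so the RCPT TO reply was never comparable with the scanner's. The script below is an added example (not Greenbone's VT code and not from anyone in this thread) that replays the scanner's HELO, MAIL FROM, RCPT TO sequence over a raw socket, reads multi-line replies correctly (the 220- and 250- continuation lines that trip up a line-by-line telnet session), and stops at RCPT TO: the relay decision is already visible in that reply, so no test message needs to be queued. It ships with a constructed stub MTA, run on a loopback port, that behaves like the Exim in the thread (rejects MAIL before HELO, and in non-open-relay mode accepts recipients only at its own domain); the host names and addresses in it are constructed placeholders. Point probe() at your own server to compare its RCPT TO code with the report.

```python
"""Replay the open-relay probe sequence (HELO, MAIL FROM, RCPT TO) and
report the RCPT TO decision. Added example; the stub server, domain names
and addresses below are constructed for the demonstration."""
import socket
import threading


def read_reply(sock):
    """Read one complete SMTP reply, including 'NNN-' continuation lines.
    Returns (code, list_of_lines). A reply is complete when a line has a
    space, not a dash, after the three-digit code (RFC 5321 section 4.2)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        complete = lines[:-1]  # last element is a partial line or b""
        if complete and complete[-1][3:4] == b" ":
            return int(complete[-1][:3]), [l.decode("utf-8", "replace") for l in complete]


def command(sock, line):
    """Send one command line and return its parsed reply."""
    sock.sendall(line.encode("ascii") + b"\r\n")
    return read_reply(sock)


def relay_check(sock, helo_name, mail_from, rcpt_to):
    """Run the probe on an open socket; return the reply code of each step and
    whether the server accepted a recipient it should not relay for. RSET and
    QUIT are sent afterwards so nothing is ever queued."""
    result = {}
    result["banner"], _ = read_reply(sock)  # 220 greeting, possibly multi-line
    result["helo"], _ = command(sock, "HELO " + helo_name)  # HELO before MAIL
    result["mail_from"], _ = command(sock, "MAIL FROM:<%s>" % mail_from)
    result["rcpt_to"], _ = command(sock, "RCPT TO:<%s>" % rcpt_to)
    result["relay_accepted"] = result["rcpt_to"] == 250
    try:
        command(sock, "RSET")
        command(sock, "QUIT")
    except OSError:
        pass  # some MTAs drop the connection right after a 550, as Exim did above
    return result


def probe(host, port, helo_name="scanner.example",
          mail_from="openvasvt@scanner.example", rcpt_to="openvasvt@example.com"):
    """Connect to host:port and run relay_check with a foreign recipient."""
    with socket.create_connection((host, port), timeout=10) as sock:
        return relay_check(sock, helo_name, mail_from, rcpt_to)


class StubSmtpServer(threading.Thread):
    """Constructed stand-in for an MTA on 127.0.0.1. With open_relay=False it
    accepts RCPT TO only for local_domain, as a correctly configured server
    does for unauthenticated clients; with open_relay=True it accepts anything."""

    def __init__(self, open_relay, local_domain="mydomain"):
        super().__init__(daemon=True)
        self.open_relay, self.local_domain = open_relay, local_domain
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        conn.sendall(b"220-stub.mydomain ESMTP constructed stub\r\n220 ready\r\n")
        helo_seen = False
        for raw in conn.makefile("rb"):
            verb = raw.decode("ascii", "replace").strip()
            upper = verb.upper()
            if upper.startswith(("HELO", "EHLO")):
                helo_seen = True
                conn.sendall(b"250 stub.mydomain Hello\r\n")
            elif upper.startswith("MAIL FROM:"):
                conn.sendall(b"250 OK\r\n" if helo_seen else b"550 HELO required before MAIL\r\n")
            elif upper.startswith("RCPT TO:"):
                rcpt = verb.split(":", 1)[1].strip("<> ")
                local = rcpt.lower().endswith("@" + self.local_domain)
                conn.sendall(b"250 Accepted\r\n" if (self.open_relay or local)
                             else b"550 relay not permitted\r\n")
            elif upper == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")
        conn.close()
        self.listener.close()


def probe_stub(open_relay):
    """Start a stub MTA in the given mode and probe it."""
    srv = StubSmtpServer(open_relay)
    srv.start()
    return probe("127.0.0.1", srv.port)


if __name__ == "__main__":
    for mode in (False, True):
        r = probe_stub(mode)
        print("stub open_relay=%s -> RCPT TO reply %d, relay accepted: %s"
              % (mode, r["rcpt_to"], r["relay_accepted"]))
```

A 250 to RCPT TO for a recipient outside your own domains, from an unauthenticated client, is the finding the report describes; a 550 there (or a dropped connection) means the server declined to relay in that session. Run it against both port 25 and port 587, since the thread shows the two listeners can be configured differently, and compare with the MTA log entry for the same connection.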
For the record, the mentioned VT is now reporting the SMTP banner as well as the full sequence, as shown below.
SMTP banner:
220 mymailhost.mydomain ESMTP Postfix (Debian/GNU)<CR><LF>
The scanner was able to relay mail by sending the following sequences:
Request: HELO mydomain<CR><LF>
Answer: 250 mymailhost.mydomain<CR><LF>
Request: MAIL FROM: <openvasvt@mydomain><CR><LF>
Answer: 250 2.1.0 Ok<CR><LF>
Request: RCPT TO: <admin@mydomain><CR><LF>
Answer: 250 2.1.5 Ok<CR><LF>
Request: data<CR><LF>
Answer: 354 End data with <CR><LF>.<CR><LF><CR><LF>
Request: Subject: OpenVASVT-Relay-Test<CR><LF>To: OpenVASVT-Relay-Test <admin@mydomain><CR><LF>From: OpenVASVT-Relay-Test <openvasvt@mydomain><CR><LF><CR><LF>This is a OpenVASVT-Relay-Test to test the mail server at:<CR><LF><CR><LF>mymailhost.mydomain<CR><LF><CR><LF>if it is configured as an open mail relay.<CR><LF><CR><LF>If you have received this message please forward it to the administrator of this mail server and ask to protect it against mail relaying.<CR><LF>.<CR><LF>
Answer: 250 2.0.0 Ok: queued as 497C13FC8D<CR><LF>