  1. #1
    Registered User
    Join Date
    Sep 2004
    Posts
    4

    Internal Relay PCI Compliance Issue

    I've got a cPanel server running Exim 4.69 (WHM 11.28.33). I'm trying to get PCI compliance for a customer, and the only issue left is that Exim is accepting certain malformed HELO statements that spoof a local domain, permitting relaying to internal accounts. First, an example that works correctly (assume myhost.com is the user domain and server.com is the server hosting the domain):

    telnet server.com 25
    HELO myhost.com
    250 server.com Hello someisp.com [xx.xx.xx.xx]
    MAIL FROM someuser@myhost.com
    550 "REJECTED - Bad HELO - Host impersonating [myhost.com]"
    Connection closed by foreign host.

    So given a properly formed (albeit spoofed) HELO it correctly rejects the unauthorized mail. Now if I just malform the HELO:

    telnet server.com 25
    HELO MAIL FROM someuser@myhost.com
    250 server.com Hello someisp.com [xx.xx.xx.xx]
    MAIL FROM: someuser@myhost.com
    250 OK
    RCPT TO: someuser@myhost.com
    250 Accepted

    SecurityMetrics PCI scan barfs on this and indicates an open relay (albeit for internal mail). No external relay seems to be possible using this method, but they fail the scan nonetheless. Is there some way to prevent Exim from accepting an obviously malformed HELO?

    For the record, the following options are all set to ON:

    Require incoming SMTP connections to send HELO before MAIL
    Require incoming SMTP connections to send a HELO that does not match the primary hostname or a local IP address.
    Require incoming SMTP connections to send a HELO that does not match this server's local domains.
    Require incoming SMTP connections to send HELO conforming to internet standards (RFC2821 4.1.1.1)

    Thanks for any help or insight.
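
The two checks named in the WHM options above (HELO syntax per RFC 2821 4.1.1.1, and HELO matching a local domain), applied to the HELO arguments from both sessions. This is an added example, not part of the original post and not Exim's or cPanel's code; `classify_helo` and the `LOCAL_DOMAINS` set are assumptions built from the post's placeholder names. The malformed argument is not equal to any local domain, so only the syntax check flags it.

```python
import ipaddress
import re

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\Z")

# Constructed sample data using the placeholder names from the post.
LOCAL_DOMAINS = {"myhost.com", "server.com"}
SAMPLES = ["myhost.com", "MAIL FROM someuser@myhost.com",
           "someisp.com", "[192.0.2.1]"]


def _is_address_literal(arg):
    """True for [192.0.2.1] or [IPv6:2001:db8::1] style literals."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    inner = arg[1:-1]
    parser = ipaddress.IPv4Address
    if inner[:5].lower() == "ipv6:":
        inner, parser = inner[5:], ipaddress.IPv6Address
    try:
        parser(inner)
        return True
    except ValueError:
        return False


def classify_helo(arg, local_domains):
    """Return 'malformed', 'impersonating' or 'ok' for a HELO argument."""
    if _is_address_literal(arg):
        return "ok"
    # Syntax first: anything that is not a single well-formed domain
    # (spaces, '@', extra words) is rejected before any name comparison.
    if len(arg) > 255 or not _DOMAIN.match(arg):
        return "malformed"
    # Only a syntactically valid name can be compared to local domains.
    if arg.lower() in local_domains:
        return "impersonating"
    return "ok"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {classify_helo(sample, LOCAL_DOMAINS)}")
```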

  2. #2
    Registered User
    Join Date
    Sep 2004
    Posts
    4

    Re: Internal Relay PCI Compliance Issue

    Moderators: I inadvertently posted this to the wrong section. Please move this to Email Discussions. Thanks.

  3. #3
    Registered User
    Join Date
    Oct 2006
    Posts
    1

    Re: Internal Relay PCI Compliance Issue

    Hi

    Did you find a solution to this? I have exactly the same problem. The Security Metrics scan is failing me due to open SMTP relay even though no external mail can be relayed. They verbally told me I need to shut down the internal relaying but they can't/won't tell me how to do it and I can't find any info on it on the web.

    If I do find an answer I'll post here, perhaps you could do the same? Someone else, somewhere must have had this issue.

  4. #4
    Registered User
    Join Date
    Sep 2004
    Posts
    4

    Re: Internal Relay PCI Compliance Issue

    I never managed to resolve the issue. In the end the customer who needed the PCI compliance ended up writing a letter accepting responsibility for any problems related to this specific issue. I'd still love to find a fix for it, but I don't have one currently.

  5. #5
    Member
    Join Date
    Jul 2002
    Posts
    350

    Re: Internal Relay PCI Compliance Issue

    BUMP ...

    I'm facing the same issue too.

    While sending mail using a script hosted on another server, with the user account on my server, the user is getting the error below: 550 "REJECTED - Bad HELO - Host impersonating [ domain.com ]"

    Any hints, anyone?
