The Community Forums


Internal Relay PCI Compliance Issue

Discussion in 'E-mail Discussions' started by angst7, Nov 12, 2010.

  1. angst7

    angst7 Registered

    Joined:
    Sep 14, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I've got a cPanel server running Exim 4.69 (WHM 11.28.33). I'm trying to get PCI compliance for a customer, and the only issue left is that Exim is accepting certain malformed HELO statements that spoof a local domain, permitting relaying to internal accounts. First an example that works correctly (assume myhost.com is the user domain and server.com is the server hosting the domain):

    telnet server.com 25
    HELO myhost.com
    250 server.com Hello someisp.com [xx.xx.xx.xx]
    MAIL FROM someuser@myhost.com
    550 "REJECTED - Bad HELO - Host impersonating [myhost.com]"
    Connection closed by foreign host.

    So given a properly formed (albeit spoofed) HELO it correctly rejects the unauthorized mail. Now if I just malform the HELO:

    telnet server.com 25
    HELO MAIL FROM someuser@myhost.com
    250 server.com Hello someisp.com [xx.xx.xx.xx]
    MAIL FROM: someuser@myhost.com
    250 OK
    RCPT TO: someuser@myhost.com
    250 Accepted

    SecurityMetrics PCI scan barfs on this and indicates an open relay (albeit for internal mail). No external relay seems to be possible using this method, but they fail the scan nonetheless. Is there some way to prevent Exim from accepting an obviously malformed HELO?

    For the record, the following options are all set to ON:

    Require incoming SMTP connections to send HELO before MAIL
    Require incoming SMTP connections to send a HELO that does not match the primary hostname or a local IP address.
    Require incoming SMTP connections to send a HELO that does not match this server's local domains.
    Require incoming SMTP connections to send HELO conforming to internet standards (RFC2821 4.1.1.1)

    Thanks for any help or insight.
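    As an added illustration (not code from this thread, from Exim, or from cPanel), here is a small Python model of the two checks a receiving MTA should apply, in order, to an unauthenticated client's greeting: the RFC 2821 4.1.1.1 syntax check, which throws out the space-containing argument from the second transcript before it is ever compared with anything, and then the local-domain impersonation check that produced the 550 in the first transcript. The domain names are the ones used in the post; the reply codes and the 550 text are assumptions modelled on the transcripts.

```python
import ipaddress
import re

# Constructed for this example: the domains named in the post.
LOCAL_DOMAINS = {"myhost.com", "server.com"}

# RFC 2821 4.1.1.1: HELO takes exactly one Domain; EHLO may instead carry an
# address literal such as [192.0.2.10] or [IPv6:2001:db8::1]. A label is
# letters, digits and hyphens and may not start or end with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def helo_argument_is_valid(arg: str, ehlo: bool = False) -> bool:
    """True only if arg is a syntactically valid HELO (or EHLO) argument."""
    # Exactly one token: "MAIL FROM someuser@myhost.com" contains spaces and
    # fails here, which is the malformed greeting the PCI scanner sent.
    if not arg or any(ch.isspace() for ch in arg):
        return False
    if arg.startswith("[") and arg.endswith("]"):
        if not ehlo:
            return False  # address literals are not allowed after HELO
        literal = arg[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    return len(arg) <= 255 and _DOMAIN_RE.match(arg) is not None


def check_helo(arg: str, ehlo: bool = False,
               local_domains: set[str] = LOCAL_DOMAINS) -> tuple[int, str]:
    """Decision for a greeting from an unauthenticated, non-local client.

    Syntax is checked first; only a well-formed argument is then compared
    against the local domains, so a malformed greeting cannot slip past the
    impersonation check simply by not looking like a domain at all.
    """
    if not helo_argument_is_valid(arg, ehlo):
        return 501, "Syntactically invalid HELO argument"
    if arg.lower() in local_domains:
        return 550, f"REJECTED - Bad HELO - Host impersonating [{arg}]"
    return 250, "OK"
```

    The order matters: in the transcripts the server only ran the impersonation check, so a greeting that was not a domain at all was never matched against the local list.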
     
  2. angst7

    angst7 Registered

    Joined:
    Sep 14, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Moderators: I inadvertently posted this to the wrong section. Please move this to Email Discussions. Thanks.
     
  3. MJHawkins

    MJHawkins Registered

    Joined:
    Oct 6, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi

    Did you find a solution to this? I have exactly the same problem. The Security Metrics scan is failing me due to open SMTP relay even though no external mail can be relayed. They verbally told me I need to shut down the internal relaying but they can't/won't tell me how to do it and I can't find any info on it on the web.

    If I do find an answer I'll post here, perhaps you could do the same? Someone else, somewhere must have had this issue.
     
  4. angst7

    angst7 Registered

    Joined:
    Sep 14, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I never managed to resolve the issue. In the end the customer who needed the PCI compliance ended up writing a letter accepting responsibility for any problems related to this specific issue. I'd still love to find a fix for it, but I don't have one currently.
     
  5. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    BUMP ...

    I'm facing the same issue too :(

    While sending mail using a script hosted on another server while the user account is on my server, the user is getting the error below: 550 "REJECTED - Bad HELO - Host impersonating [ domain.com ]"

    Any hints, anyone?
     