Internal Relay PCI Compliance Issue

angst7 (Registered, Sep 14, 2004)
I've got a cPanel server running Exim 4.69 (WHM 11.28.33). I'm trying to get PCI compliance for a customer, and the only issue left is that Exim is accepting certain malformed HELO statements that spoof a local domain, permitting relaying to internal accounts. First, an example that works correctly (assume myhost.com is the user domain and server.com is the server hosting the domain):

telnet server.com 25
HELO myhost.com
250 server.com Hello someisp.com [xx.xx.xx.xx]
MAIL FROM [email protected]
550 "REJECTED - Bad HELO - Host impersonating [myhost.com]"
Connection closed by foreign host.

So given a properly formed (albeit spoofed) HELO it correctly rejects the unauthorized mail. Now if I just malform the HELO:

telnet server.com 25
HELO MAIL FROM [email protected]
250 server.com Hello someisp.com [xx.xx.xx.xx]
MAIL FROM: [email protected]
250 OK
RCPT TO: [email protected]
250 Accepted

The SecurityMetrics PCI scan barfs on this and indicates an open relay (albeit for internal mail). No external relay seems to be possible using this method, but they fail the scan nonetheless. Is there some way to prevent Exim from accepting an obviously malformed HELO?

For the record, the following options are all set to ON:

Require incoming SMTP connections to send HELO before MAIL
Require incoming SMTP connections to send a HELO that does not match the primary hostname or a local IP address.
Require incoming SMTP connections to send a HELO that does not match this server's local domains.
Require incoming SMTP connections to send HELO conforming to internet standards (RFC2821 4.1.1.1)

Thanks for any help or insight.
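As an added example (not from the thread, and not cPanel's or Exim's own code), here is a Python reproduction of the two exchanges above: a scripted stand-in that answers the way the server in the post does (the "Bad HELO" rejection is applied at MAIL FROM, and only on an exact match of the HELO argument against a local domain), a probe that replays HELO, MAIL FROM and RCPT TO the way the scan does and can also be pointed at a live host, and a strict RFC 2821 4.1.1.1 syntax check that refuses the "HELO MAIL FROM ..." line. Host names, addresses and reply texts are constructed to mirror the transcripts; the FakeCpanelExim class and the helper names are mine, and requiring at least one dot in the HELO domain (a fully-qualified name) is an assumption.

```python
import re
import socket

# RFC 2821 s4.1.1.1: HELO/EHLO takes a single Domain (or, for EHLO, an address literal).
# Assumption: an unqualified single label is rejected, since the RFC asks for a fully-
# qualified name. Anything containing whitespace, such as "MAIL FROM ...", fails here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_IPV4_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")


def helo_argument_is_valid(arg: str) -> bool:
    """True only for one domain name or one IPv4 address literal."""
    if not arg or any(c.isspace() for c in arg):
        return False
    if _IPV4_LITERAL_RE.match(arg):
        return all(int(octet) <= 255 for octet in arg[1:-1].split("."))
    return bool(_DOMAIN_RE.match(arg))


class SmtpDialog:
    """Tiny line-oriented SMTP client over makefile-style rfile/wfile objects."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    def read_reply(self):
        """Consume one (possibly multi-line) reply; return (code, text of the final line)."""
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            line = line.rstrip("\r\n")
            if re.match(r"^\d{3} ", line) or len(line) == 3:  # "250 text" or bare "250"
                return int(line[:3]), line[4:]

    def command(self, line):
        self.wfile.write(line + "\r\n")
        self.wfile.flush()
        return self.read_reply()


def probe_relay(rfile, wfile, helo, mail_from, rcpt_to):
    """Replay the scan's test. relay_accepted is True when RCPT TO gets 250."""
    d = SmtpDialog(rfile, wfile)
    result = {"banner": d.read_reply()[0], "helo": None, "mail": None,
              "rcpt": None, "relay_accepted": False}
    result["helo"], _ = d.command(f"HELO {helo}")
    if result["helo"] == 250:
        result["mail"], _ = d.command(f"MAIL FROM:<{mail_from}>")
    if result["mail"] == 250:
        result["rcpt"], _ = d.command(f"RCPT TO:<{rcpt_to}>")
        result["relay_accepted"] = result["rcpt"] == 250
    try:
        d.command("QUIT")
    except ConnectionError:
        pass
    return result


def probe_host(host, helo, mail_from, rcpt_to, port=25, timeout=10):
    """Run probe_relay against a live server (not exercised in the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace", newline="") as rfile, \
                sock.makefile("w", encoding="ascii", newline="") as wfile:
            return probe_relay(rfile, wfile, helo, mail_from, rcpt_to)


class FakeCpanelExim:
    """Constructed stand-in that answers like the server in the post: HELO is always
    greeted, the Bad HELO rejection comes at MAIL FROM and only on an exact match
    of the HELO argument against a local domain, and RCPT TO is accepted only for
    local domains (so no external relay is possible, as the post observes)."""

    def __init__(self, local_domains=("myhost.com",), hostname="server.com"):
        self.local, self.hostname, self.helo = set(local_domains), hostname, None
        self._in, self._out = "", [f"220 {hostname} ESMTP\r\n"]

    def write(self, data):            # wfile side: client commands arrive here
        self._in += data
        while "\r\n" in self._in:
            line, self._in = self._in.split("\r\n", 1)
            self._out.append(self._reply(line) + "\r\n")

    def flush(self):
        pass

    def readline(self):               # rfile side: client reads replies here
        return self._out.pop(0) if self._out else ""

    def _reply(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg           # whole remainder, spaces included, as in the post
            return f"250 {self.hostname} Hello someisp.com [192.0.2.10]"
        if verb == "MAIL":
            if self.helo in self.local:
                return f'550 "REJECTED - Bad HELO - Host impersonating [{self.helo}]"'
            return "250 OK"
        if verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">")
            return "250 Accepted" if domain in self.local else "550 relay not permitted"
        return "221 closing connection" if verb == "QUIT" else "500 unrecognised command"


def run_demo():
    """Both HELO variants from the post, against the stand-in, plus the syntax verdict."""
    out = {}
    for label, helo in (("well_formed", "myhost.com"),
                        ("malformed", "MAIL FROM user@myhost.com")):
        srv = FakeCpanelExim()
        out[label] = probe_relay(srv, srv, helo, "user@myhost.com", "user@myhost.com")
        out[label]["helo_syntax_ok"] = helo_argument_is_valid(helo)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Against the stand-in, the well-formed HELO is stopped at MAIL FROM with 550 while the malformed one reaches "250 Accepted" at RCPT TO, which is exactly what the scanner flags; the same probe pointed at a real host with probe_host is a quick way to confirm whether a configuration change actually closes the gap, and helo_argument_is_valid shows the kind of check that would have refused the second HELO outright.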

angst7 (Registered, Sep 14, 2004)
Moderators: I inadvertently posted this to the wrong section. Please move this to Email Discussions. Thanks.

MJHawkins (Registered, Oct 6, 2006)
Hi

Did you find a solution to this? I have exactly the same problem. The Security Metrics scan is failing me due to open SMTP relay even though no external mail can be relayed. They verbally told me I need to shut down the internal relaying but they can't/won't tell me how to do it and I can't find any info on it on the web.

If I do find an answer I'll post here, perhaps you could do the same? Someone else, somewhere must have had this issue.

angst7 (Registered, Sep 14, 2004)
I never managed to resolve the issue. In the end the customer who needed the PCI compliance ended up writing a letter accepting responsibility for any problems related to this specific issue. I'd still love to find a fix for it, but I don't have one currently.

furquan (Well-Known Member, Jul 27, 2002)
BUMP ...

I'm facing the same issue too :(

While sending mail using a script hosted on another server, AND the user account is on my server, the user is getting the error below: 550 "REJECTED - Bad HELO - Host impersonating [ domain.com ]"

Any hints, anyone?