Security Audit - Questions

I had a security audit done on my server. I’m unsure about a couple of items.

  1. smtp (25/tcp)

The remote SMTP server is insufficiently protected against relaying
This means that spammers might be able to use your mail server
to send their mails to the world.

Nessus was able to relay mails by sending those sequences:

MAIL FROM: <nessus@www.domain.net>
RCPT TO: <nobody%security*****.com@[xxx.xxx.xxx.xxx]>

Risk factor : Medium

Solution : upgrade your software or improve the configuration so that
your SMTP server cannot be used as a relay any more.

Does this sound right? If so, how is SMTP secured?

  2. imap2 (143/tcp)
The remote host is running Remote PC Access Server.

This service could be used by an attacker to partially take control of the remote
system if they obtain the credentials necessary to log in (through a brute force
attack or by sniffing the network, as this protocol transmits usernames and
passwords in plain text).

An attacker may use it to steal your password or prevent your system from working
properly.


Solution : Disable this service if you do not use it.
Risk factor : Medium

My server is RHEL ES3 (Linux). Does this make sense?

Hi Nick,

Regarding #1,
it is highly improbable that the server is actually relaying anything it isn’t supposed to. To confirm this, we’d have to have information about where the computer performing the test was located (especially if the same computer used an e-mail account that connects to the server that was tested - this would allow relaying via pop before smtp authentication, which would be legitimate - or if the test was performed on the server it was testing), and also the “hidden” parts of the message you pasted, i.e. the **** and the xxx parts. Even if the message got into the mail queue on the server, it’s even more unlikely the message was actually relayed to the intended recipient. You can open a support ticket with the complete details of this and we can confirm this if you like.

Regarding #2,
I’m not sure why this is saying that imap port 143 is a “Remote PC Access Server”. This one doesn’t really make sense, unless pcanywhere or something similar uses port 143 as well. Regardless, port 143 is imap, and this is fine. Nothing to worry about.
Paul
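
Added example, not part of either post and not the code of Nessus or of any mail server: a Python sketch of the decision an SMTP server has to make for a `RCPT TO` like the one in the scan, where the domain part is the server's own address literal and the real destination is hidden behind `%` in the local part. The domain names, the address literal, the `trusted_client` flag (standing in for an authenticated or POP-before-SMTP sender) and the policy of refusing routing characters are all assumptions of this sketch.

```python
# Constructed sample values (documentation names/addresses), not from the thread.
LOCAL_DOMAINS = {"domain.example", "www.domain.example"}
LOCAL_LITERALS = {"[192.0.2.10]"}  # the server's own address literal

# Characters that legacy MTAs treated as routing operators in a local part.
# '%' and '!' are legal in local parts, so refusing them is a policy
# choice (assumption of this sketch), not an RFC requirement.
ROUTING_CHARS = (("%", "percent hack"), ("!", "bang path"),
                 ("@", "embedded address in quoted local part"))


def is_local(domain):
    d = domain.lower()
    return d in LOCAL_DOMAINS or d in LOCAL_LITERALS


def classify_rcpt(path, trusted_client=False):
    """Classify the argument of RCPT TO as ('accept'|'reject', reason).

    trusted_client models a sender that is allowed to relay, e.g. one
    that authenticated or passed POP-before-SMTP.
    """
    addr = path.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if trusted_client:
        return ("accept", "trusted client may relay")
    if addr.startswith("@"):  # @hop1,@hop2:user@domain
        return ("reject", "source route")
    local, sep, domain = addr.rpartition("@")
    if not sep:
        reason = "bang path" if "!" in addr else "no domain"
        return ("reject", reason)
    if not is_local(domain):
        return ("reject", "non-local domain")
    # The domain is ours, so the relay risk is routing hidden in the local part.
    for ch, reason in ROUTING_CHARS:
        if ch in local:
            return ("reject", reason)
    return ("accept", "local recipient")


if __name__ == "__main__":
    for rcpt in ("<nick@domain.example>",
                 "<nobody%other.example@[192.0.2.10]>",
                 '<"nobody@other.example"@[192.0.2.10]>',
                 "<@relay.example:nobody@other.example>"):
        print(rcpt, "->", classify_rcpt(rcpt))
```

A server that answers the scanner's second form with a rejection, or that only accepts it from a trusted client, is not an open relay even if the scan reports the command sequence as sent.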