A security scan of Messaging Gateway (SMG) reports that the SMG scanner is acting as an open SMTP relay.

The SMG Outbound SMTP listener operates as an open relay for trusted IPs, networks, and hosts on the Outbound Mail Acceptance list (Administration > Configuration > host > SMTP > Outbound)

This is expected behavior for the SMG Outbound MTA. The list of hosts, IPs, and networks on the Administration > Configuration > host > SMTP > Outbound > Outbound Mail Acceptance list should be carefully curated to ensure that only SMTP sources that should be trusted with outbound relay access (internal mail servers, internal application servers, etc) are on the list.

In some cases, if an SMTP connection from the internet traverses a load balancer or SMTP proxy which rewrites the source IP of the connection to an IP on the Outbound Mail Acceptance list, the SMG Outbound MTA may be exposed as an open relay to the internet since the connection would be seen as coming from a trusted IP rather than the original source IP. In these instances, SMTP connections which traverse the load balancer or proxy should be routed to the Inbound MTA IP on SMG. If SMG is configured as outbound only or only has a single IP address, the load balancer or proxy will either need to be reconfigured or their IP removed from the Outbound Mail Acceptance list.