UCF STIG Viewer Logo

Receive Connector must restrict relay access.


Overview

Finding ID Version Rule ID IA Controls Severity
Exch-HB-204 Exch-HB-204 Exch-HB-204_rule Medium
Description
This control is used to limit the servers that may use this server as a relay. If an Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed) then it will need to use an SMTP Receive Connector that does have a path to the Internet (for example, a local email server) as a relay. SMTP relay functions must be protected so that third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. Because authenticated connections are the most secure for SMTP Receive Connectors, it is recommended that relays allow only servers that can authenticate.
STIG Date
Microsoft Exchange 2010 Hub Transport Server Role 2012-05-31

Details

Check Text ( C-_chk )
Open the Exchange Management Shell and enter the following command.

Get-ReceiveConnector | Select Name, Identity, PermissionGroups

If the value of "PermissionGroups" is not "ExchangeUsers" for any non-internet connector, this is a finding.
Fix Text (F-_fix)
Open the Exchange Management Shell and enter the following command.

Set-ReceiveConnector -Identity <'ReceiveConnector'> -PermissionGroups 'ExchangeUsers'