Exchange Internal Receive connectors must not allow anonymous connections.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-228391	EX16-MB-000470	SV-228391r766722_rule		Medium

Description
This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed), it will need to use an SMTP Receive connector that does have a path to the Internet (for example, a local email server) as a relay. SMTP relay functions must be protected so third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by spammers to disguise the source of their messages and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. Because authenticated connections are the most secure for SMTP Receive connectors, it is recommended that relays allow only servers that can authenticate.

Description

This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed), it will need to use an SMTP Receive connector that does have a path to the Internet (for example, a local email server) as a relay. SMTP relay functions must be protected so third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by spammers to disguise the source of their messages and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. Because authenticated connections are the most secure for SMTP Receive connectors, it is recommended that relays allow only servers that can authenticate.

STIG	Date
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide	2021-06-23

Details

Check Text ( C-30624r766716_chk )
NOTE: In some instances, AnonymousUsers may be necessary for organization-specific operations. In such cases, allowing AnonymousUsers must be paired with restricting to specific lists of servers allowed to access. In addition, the risk must be documented and accepted by the ISSO, ISSM, or AO. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector \| Select Name, Identity, PermissionGroups For each Receive connector, if the value of "PermissionGroups" is "AnonymousUsers" for any receive connector, this is a finding.

Check Text ( C-30624r766716_chk )

NOTE: In some instances, AnonymousUsers may be necessary for organization-specific operations. In such cases, allowing AnonymousUsers must be paired with restricting to specific lists of servers allowed to access. In addition, the risk must be documented and accepted by the ISSO, ISSM, or AO.
Open the Exchange Management Shell and enter the following command:

Get-ReceiveConnector | Select Name, Identity, PermissionGroups

For each Receive connector, if the value of "PermissionGroups" is "AnonymousUsers" for any receive connector, this is a finding.

Fix Text (F-30609r766721_fix)
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups and enter a valid value user group. Note: The value must be in single quotes. Example: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups ExchangeUsers Repeat the procedures for each Receive connector.