UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Exchange global outbound message size must be controlled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259683 EX19-MB-000130 SV-259683r942363_rule Low
Description
Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 MB at most but often are smaller, depending on the organization. The key point in message size is that it should be set globally and should not be set to "unlimited". Selecting "unlimited" on "MaxReceiveSize" is likely to result in abuse and can contribute to excessive server disk space consumption. Message size limits may also be applied on send and receive connectors, public folders, and on the user account under Active Directory (AD). Changes at these lower levels are discouraged, as the single global setting is usually sufficient. This practice prevents conflicts that could impact availability and simplifies server administration.
STIG Date
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide 2024-01-10

Details

Check Text ( C-63422r942361_chk )
Review the Email Domain Security Plan (EDSP) or document that contains this information.

Determine the global maximum message send size.

Open the Exchange Management Shell and enter the following command:

Get-TransportConfig | Select-Object -Property Name, Identity, MaxSendSize

If the value of "MaxSendSize" is not set to "10MB", this is a finding.

or

If "MaxSendSize" is set to an alternate value and has signoff and risk acceptance in the EDSP, this is not a finding.
Fix Text (F-63330r942362_fix)
Update the EDSP to specify the "MaxSendSize" value or verify that this information is documented by the organization.

Open the Exchange Management Shell and enter the following command:

Set-TransportConfig -MaxSendSize 10MB

or

Enter the value as identified by the EDSP that has obtained a signoff with risk acceptance.