Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18665	EMG2-043 Exch2K3	SV-20274r1_rule	ECSC-1	Medium

Description
Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more authentication techniques used in combination can be effective in reducing SPAM, PHISHING, and FORGERY attacks. There are two primary methods of sender authentication; Sender ID Framework (SIDF), and Domain Keys Identified Mail (DKIM). The Sender ID Framework (SIDF) receiver accesses specially formatted DNS records (SPF format) that contain the IP address of authorized sending servers for the sending domain that can be compared to data in the email message header. Receivers are able to validate the authenticity of the sending domain, eliminate PHISHING SPAM, and can be used in combination with DKIM. SIDF is a Microsoft creation, and is available on Exchange 2003 Servers. The DKIM receiver accesses specially formatted DNS records that contain the Public Key for the sending domain’s authorized outbound mail servers. The key is used to decrypt the hash in the message header and determine whether the message has been modified. DKIM is not effective against replay attacks, but can detect forgeries. Some false positives are possible if interim E-Mail forwarders append text to the message body. DKIM is a Cisco creation, and is available on most Edge Transport Server (E-mail Secure Gateway) products.

Description

Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more authentication techniques used in combination can be effective in reducing SPAM, PHISHING, and FORGERY attacks. There are two primary methods of sender authentication; Sender ID Framework (SIDF), and Domain Keys Identified Mail (DKIM). The Sender ID Framework (SIDF) receiver accesses specially formatted DNS records (SPF format) that contain the IP address of authorized sending servers for the sending domain that can be compared to data in the email message header. Receivers are able to validate the authenticity of the sending domain, eliminate PHISHING SPAM, and can be used in combination with DKIM. SIDF is a Microsoft creation, and is available on Exchange 2003 Servers. The DKIM receiver accesses specially formatted DNS records that contain the Public Key for the sending domain’s authorized outbound mail servers. The key is used to decrypt the hash in the message header and determine whether the message has been modified. DKIM is not effective against replay attacks, but can detect forgeries. Some false positives are possible if interim E-Mail forwarders append text to the message body. DKIM is a Cisco creation, and is available on most Edge Transport Server (E-mail Secure Gateway) products.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22384r1_chk )
Interview the E-mail Administrator or the IAO. Request documentation that indicates sender authentication techniques are in place on a secure email gateway server outside the enclave at the perimeter. Sender authentication for anonymous connections may take the form of Sender ID Framework (SIDF) or Domain Keys Internet Mail (DKIM), both DNS-based methods of sender authentication. Note: Sender authentication is not always reliable, because not all senders of electronic mail participate in creating public DNS sender profiles for their E-mail infrastructure. Criteria: If sender authentication is configured and approved on a perimeter-based E-mail Secure Gateway, this is not a finding.

Check Text ( C-22384r1_chk )

Interview the E-mail Administrator or the IAO. Request documentation that indicates sender authentication techniques are in place on a secure email gateway server outside the enclave at the perimeter. Sender authentication for anonymous connections may take the form of Sender ID Framework (SIDF) or Domain Keys Internet Mail (DKIM), both DNS-based methods of sender authentication. Note: Sender authentication is not always reliable, because not all senders of electronic mail participate in creating public DNS sender profiles for their E-mail infrastructure.

Criteria: If sender authentication is configured and approved on a perimeter-based E-mail Secure Gateway, this is not a finding.

Fix Text (F-19312r1_fix)
Implement perimeter-based protection in the form of an Edge Transport Server role (E-mail Secure Gateway) filtering mechanism that performs, among other protections, Sender Authentication upon receipt.