
SMTP Connection Restrictions do not use the "Deny All" strategy.


Overview

Finding ID: V-18694
Version: EMG2-250 Exch2K3
Rule ID: SV-20328r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as spammers) or malicious users to insert message batches (that may be spoofed or forged) into the message transfer path. This setting controls which IP addresses are allowed to connect to this Virtual Server to download messages. Two strategies exist for this control: “Deny None” or “Deny All”. Exceptions can be listed as IP addresses, which can also be grouped into subnets using wildcards. To significantly reduce the attack vector for unauthorized connections, the “Deny All” approach must be used, accepting connections from “only the list below”. Depending on the server’s role in the infrastructure, the list of clients or other SMTP servers authorized to connect to this virtual server should be specified.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22412r1_chk)
Access the mail server inbound connections configuration.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Connection control >> Connection button

“Only the list below” should be selected, with a list of addresses or subnets authorized to connect to this server.

Criteria: If “Only the list below” is selected, with a list of addresses or subnets authorized to connect to this server, this is not a finding.
Fix Text (F-19340r1_fix)
Set the Inbound Connections configuration.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Connection control >> Connection button

Select “Only the list below” and list addresses or subnets authorized to connect to this server.