UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SMTP Connection Restrictions do not use the "Deny All" strategy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18694 EMG2-250 Exch2K3 SV-20328r1_rule ECSC-1 Medium
Description
E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as SPAMMERS) or malicious users to insert message batches (that may be SPOOFED or FORGED) into the message transfer path. This setting controls which IP addresses are allowed to connect to this Virtual Server to download messages. Two strategies exist for this control, “Deny None” or “Deny All”. Exceptions can be listed in the form of IP addresses, which can also be wildcarded as subnet groups. To significantly reduce the attack vector for unauthorized connections, the “Deny All” approach must be used, stating authorized connections from “only the list below”. Depending on the server’s role in the infrastructure, the list of clients or other SMTP servers authorized to connect to this virtual server should be specified.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22412r1_chk )
Access the mail server inbound connections configuration.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Connection control >> Connection button

"Only the list below” should be selected, with a list of addresses or subnets authorized to connect to this server.

Criteria: If "Only the list below” is selected, with a list of addresses or subnets authorized to connect to this server, this is not a finding.
Fix Text (F-19340r1_fix)
Set the Inbound Connections configuration.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Connection control >> Connection button

Select “Only the list below” and list addresses or subnets authorized to connect to this server.