
E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter.


Overview

Finding ID: V-18818
Version: EMG2-038 Exch2K3
Rule ID: SV-20557r1_rule
IA Controls: ECTM-1
Severity: Medium
Description
Individual messages can be protected by requiring message signing at the point of creation (Outlook), at the originator's discretion, which gives those messages integrity protection. However, messages are also created by report generators and other applications through automated processes that do not typically sign them. By signing outbound messages as they exit to the public Internet, the sending SMTP server gives every receiver the opportunity to authenticate the sending domain and server (by retrieving the signing domain's DKIM public key from a DNS record) and to validate that the message content was not altered in transit (by recomputing the message hash and checking the signature with that public key). In this way, forgeries are prevented and spammers are more easily tracked. Note that sender authentication techniques are of limited effectiveness unless both senders and receivers participate. For receivers not configured to recognize signed messages, there is no impact on processing: they treat such messages as coming from an anonymous origin and examine them with whatever evaluation methods are available. DKIM (DomainKeys Identified Mail) is not part of Exchange 2003 functionality, so an Exchange 2003 server that is the first receiving touchpoint for inbound messages cannot perform this type of sender authentication. However, most e-mail Secure Gateway products now offer this feature.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22528r1_chk )
Interview the E-mail Administrator or the IAO. Access the System Security documentation that identifies perimeter protection in the form of an Edge Transport Server role (E-mail Secure Gateway) offering outbound signed message transmission.

Criteria: If an Edge Transport Server (E-mail Secure Gateway) role exists and performs outbound E-mail message signing at the perimeter, this is not a finding.
Fix Text (F-19488r1_fix)
Implement an Edge Transport Server (E-mail Secure Gateway) that includes DKIM functionality.

Ensure that each domain generates a DKIM signing key pair for its perimeter mail servers (DKIM uses raw public keys published in DNS, not X.509 certificates) and signs outbound messages at the perimeter.

NOTE: Each domain must also publish the corresponding public keys in its public DNS (as DKIM TXT records under the selector._domainkey subdomain) to enable receiver validation.
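The following is an added worked example, not part of the STIG or of any Exchange or gateway product. It shows, in Python, the receiver-side checks that the Description refers to, reduced to the parts that need neither a DNS query nor an RSA library: recomputing the body hash (bh=) that the perimeter gateway placed in the DKIM-Signature header, and inspecting the DNS key record that the Fix Text NOTE says each domain must publish. The b= signature itself is not verified here (that requires the public key and RSA). All sample data is constructed; example.mil, the selector gateway1 and the p= value are placeholders.

```python
# Added example (not from the STIG): receiver-side DKIM body-hash check and
# DNS key-record inspection. Constructed sample data; example.mil, the
# selector "gateway1" and the key material are placeholders.
import base64
import hashlib
import hmac
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS TXT record).
    Whitespace inside values (left over from header folding) is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(selector: str, domain: str) -> str:
    """DNS name a receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def key_record_usable(txt: str) -> bool:
    """A published key record must be v=DKIM1 (if v is present) and carry a
    non-empty p=; an empty p= means the key has been revoked."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False
    return bool(tags.get("p"))


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 body canonicalization. 'simple' drops trailing empty lines
    only; 'relaxed' also collapses whitespace runs and trims line ends."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":      # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def get_header(head: str, name: str):
    """Return the unfolded value of the first header called `name`, or None."""
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    for line in unfolded.split("\n"):
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name.lower():
            return value.strip()
    return None


def check_body_hash(raw_message: str) -> bool:
    """Receiver-side integrity check of the body against the gateway's bh=.
    An unsigned message is just 'anonymous origin' and returns False."""
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")         # header/body modes
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    expected = body_hash(body, body_mode).encode()
    return hmac.compare_digest(expected, tags.get("bh", "").encode())


SAMPLE_BODY = "Automated report: 12 hosts patched.\r\nTotal cost: $1,000\r\n"


def build_sample_message() -> str:
    """Constructed sample of what the perimeter gateway would emit. bh= is
    computed here; b= is a dummy value because no RSA signing is performed."""
    bh = body_hash(SAMPLE_BODY, "relaxed")
    headers = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.mil;\r\n"
        " s=gateway1; h=from:to:subject; bh=" + bh + ";\r\n"
        " b=UExBQ0VIT0xERVI=\r\n"
        "From: reports@example.mil\r\n"
        "To: ops@example.mil\r\n"
        "Subject: Nightly patch report\r\n"
    )
    return headers + "\r\n" + SAMPLE_BODY


if __name__ == "__main__":
    msg = build_sample_message()
    print("DNS name to query:", dkim_dns_name("gateway1", "example.mil"))
    print("key record usable:", key_record_usable("v=DKIM1; k=rsa; p=QUJDREVGR0g"))
    print("body hash OK (as sent):", check_body_hash(msg))
    print("body hash OK (altered):", check_body_hash(msg.replace("$1,000", "$9,000")))
```

Two points worth noticing when reading this against the STIG text: a message with no DKIM-Signature is not rejected by this logic, it is merely unauthenticated (the "anonymous origin" case the Description mentions), and the body-hash comparison is only half of validation; a receiver that stops here has confirmed the body matches what the signer hashed but not who signed it, which is what the b= signature and the DNS-published key establish.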