A public OHS installation must limit email to outbound only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221454	OH12-1X-000217	SV-221454r415047_rule		Medium

Description
Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the Internet. It is specialized application that requires the dedication of server resources. To combine this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an email relay. This check verifies, by checking the OS, that incoming e-mail is not supported.

Description

Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the Internet. It is specialized application that requires the dedication of server resources. To combine this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an email relay. This check verifies, by checking the OS, that incoming e-mail is not supported.

STIG	Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide	2021-12-29

Details

Check Text ( C-23169r415045_chk )
1. Check whether the OHS server is configured to accept SMTP connections. (e.g., telnet localhost 25). 2. If it is, this is a finding.

Fix Text (F-23158r415046_fix)
Configure the server to disallow inbound SMTP connections.