UCF STIG Viewer Logo

A public OHS installation must limit email to outbound only.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221454 OH12-1X-000217 SV-221454r879887_rule Medium
Description
Incoming E-mail has been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, Email represents the main use of the Internet. It is specialized application that requires the dedication of server resources. To combine this type of transaction processing function with the file serving role of the web server creates an inherent conflict. Supporting mail services on a web server opens the server to the risk of abuse as an email relay. This check verifies, by checking the OS, that incoming e-mail is not supported.
STIG Date
Oracle HTTP Server 12.1.3 Security Technical Implementation Guide 2022-12-09

Details

Check Text ( C-23169r415045_chk )
1. Check whether the OHS server is configured to accept SMTP connections. (e.g., telnet localhost 25).

2. If it is, this is a finding.
Fix Text (F-23158r415046_fix)
Configure the server to disallow inbound SMTP connections.