Check: EMG3-106 Exch2K3
Email Services Policy:
EMG3-106 Exch2K3
(in version v1 r4)
Title
E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server. (Cat I impact)
Discussion
Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices have moved toward defining operational "roles" for servers within E-mail services. The Edge Transport server role (also called the E-mail Secure Gateway) was created to concentrate authentication and sanitization tasks in one server, providing Internet-facing protection for the internal E-mail servers. Microsoft Exchange 2003 does not offer the Edge Transport server role.
In the E-mail services infrastructure it has become imperative that inbound messages be examined before they are forwarded into the enclave, primarily because of the volume of spam and malware in the message stream. Similarly, outbound messages must be examined so that an organization can locate, and where necessary intercept, messages that may spill sensitive or important information. The Edge Transport E-mail server role, which includes "appliances" such as "Iron Port", "Iron Mail" and the like, is designed to group protective measures for both inbound and outbound messages. Its charter is to face the Internet and to scrutinize all SMTP traffic in order to decide whether each message is allowed to continue to its destination.
Inbound E-mail sanitization steps include (but are not limited to) the following:
• Sender Authentication
• Sender Reputation Evaluation (white-listing and black-listing)
• Spam content scoring
• Virus and malware removal
• Web link (URL) evaluation
• Absent sender information
• Spoofed domain sources (such as the local domain appearing as the source of inbound mail)
• 0-day attack detection
• Archiving or quarantining trapped messages
• Alerting and reporting when configured items are identified
Failure to implement an E-mail Secure Gateway increases the risk that raw (unexamined) messages will reach the internal servers and networks, thereby increasing the risk of their compromise.
Even though Exchange 2003 E-mail Services are able to perform many of these evaluations, their Windows domain membership requires that they remain inside the enclave rather than expose domain interaction to the public Internet. Attempting to sanitize E-mail after it has already arrived inside the domain is no longer an acceptable or effective security measure. By placing an Edge Transport Server (E-mail Secure Gateway) at the perimeter, SMTP-specific attack vectors are handled before the traffic reaches the domain-joined mail servers.
Check Content
Procedure: Interview the IAO. Review documentation that describes the infrastructure for E-mail services. Verify that an Edge Transport Server (or E-mail Secure Gateway) is installed and active on the network. Ensure that all inbound and outbound E-mail messages pass through, and are examined by, a perimeter-based Edge Transport Server. Criteria: If the site employs an Edge Transport Server or E-mail Secure Gateway, ensure that all inbound and outbound E-mail messages are routed through that gateway; inbound messages must not be deliverable directly from the Internet to the Exchange 2003 servers, and outbound connectors must not deliver directly to the Internet while bypassing the gateway.
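The following is an added example (not part of the STIG, and not a DISA or Microsoft tool) of how the two halves of this check can be scripted rather than judged from documentation alone: inbound routing is verified by confirming that every MX exchanger for the site's domain resolves to a gateway address, and outbound routing by confirming that every SMTP connector uses the gateway as its smart host. The gateway addresses, the domain, the MX lookup text and the connector list below are all constructed for illustration; in practice the MX text would come from a real `nslookup -type=MX` run and the connectors would be transcribed from Exchange System Manager.

```python
"""Scriptable version of the EMG3-106 routing check.

Added example; hostnames, addresses, lookup output and connector names are
constructed, not taken from any real site or from the STIG itself.
"""
import re

# Constructed: public addresses of the perimeter gateway, as recorded in the
# site's E-mail infrastructure documentation.
GATEWAY_ADDRESSES = {"203.0.113.10", "203.0.113.11"}

# Constructed: text in the shape of `nslookup -type=MX example.mil` output,
# with the address records the resolver returned for each exchanger.
MX_LOOKUP_OUTPUT = """
example.mil     MX preference = 10, mail exchanger = mx1.example.mil
example.mil     MX preference = 20, mail exchanger = mx2.example.mil
example.mil     MX preference = 30, mail exchanger = exch2k3.internal.example.mil
mx1.example.mil    internet address = 203.0.113.10
mx2.example.mil    internet address = 203.0.113.11
exch2k3.internal.example.mil    internet address = 198.51.100.25
"""

# Constructed: outbound SMTP connectors as an administrator would transcribe
# them from Exchange System Manager. smart_host None means direct DNS delivery.
OUTBOUND_CONNECTORS = [
    {"name": "Internet Mail via gateway", "smart_host": "203.0.113.10"},
    {"name": "Legacy direct connector", "smart_host": None},
]

MX_RE = re.compile(r"mail exchanger = (\S+)")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def parse_mx_output(text):
    """Return {exchanger_host: ip_or_None} for every MX host named in the text.

    An exchanger with no address record maps to None, which is treated as a
    finding below: a path that cannot be verified cannot be assumed safe.
    """
    addresses = dict(A_RE.findall(text))
    return {host: addresses.get(host) for host in MX_RE.findall(text)}


def inbound_findings(mx_map, gateway_addresses):
    """Exchangers whose address is not a gateway address.

    Any such host is reachable by Internet senders without passing through
    the gateway, so inbound sanitization can be bypassed.
    """
    return sorted(host for host, ip in mx_map.items() if ip not in gateway_addresses)


def outbound_findings(connectors, gateway_addresses):
    """Connectors that deliver directly (no smart host) or to a non-gateway host."""
    return sorted(c["name"] for c in connectors if c["smart_host"] not in gateway_addresses)


def audit(mx_text=MX_LOOKUP_OUTPUT, connectors=OUTBOUND_CONNECTORS,
          gateway_addresses=GATEWAY_ADDRESSES):
    """Run both halves of the check and report the hosts/connectors at fault."""
    inbound = inbound_findings(parse_mx_output(mx_text), gateway_addresses)
    outbound = outbound_findings(connectors, gateway_addresses)
    return {
        "inbound": inbound,
        "outbound": outbound,
        "compliant": not inbound and not outbound,
    }


if __name__ == "__main__":
    result = audit()
    print("Inbound bypass (MX not at gateway):", result["inbound"] or "none")
    print("Outbound bypass (connector not via gateway):", result["outbound"] or "none")
    print("Compliant:", result["compliant"])
```

With the constructed data the script reports the third MX exchanger (an internal Exchange 2003 host exposed as a low-priority backup) and the "Legacy direct connector" as findings; a low-priority MX pointing at an internal server is a common way this requirement is silently violated, because senders fall back to it whenever the gateway is busy or down.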
Fix Text
Procedure: Install and configure an Edge Transport Server role (or equivalent E-mail Secure Gateway) at the perimeter of the infrastructure. Ensure that all SMTP traffic, inbound and outbound, passes through this gateway before messages are forwarded to the enclave mail servers.
Additional Identifiers
Rule ID: SV-21609r1_rule
Vulnerability ID: V-19546
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |