Check: EMG2-043 Exch2K3
Microsoft Exchange Server 2003:
EMG2-043 Exch2K3
(in version v1 r5)
Title
Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter. (Cat II impact)
Discussion
Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more authentication techniques used in combination can be effective in reducing SPAM, PHISHING, and FORGERY attacks. There are two primary methods of sender authentication; Sender ID Framework (SIDF), and Domain Keys Identified Mail (DKIM). The Sender ID Framework (SIDF) receiver accesses specially formatted DNS records (SPF format) that contain the IP address of authorized sending servers for the sending domain that can be compared to data in the email message header. Receivers are able to validate the authenticity of the sending domain, eliminate PHISHING SPAM, and can be used in combination with DKIM. SIDF is a Microsoft creation, and is available on Exchange 2003 Servers. The DKIM receiver accesses specially formatted DNS records that contain the Public Key for the sending domain’s authorized outbound mail servers. The key is used to decrypt the hash in the message header and determine whether the message has been modified. DKIM is not effective against replay attacks, but can detect forgeries. Some false positives are possible if interim E-Mail forwarders append text to the message body. DKIM is a Cisco creation, and is available on most Edge Transport Server (E-mail Secure Gateway) products.
Check Content
Interview the E-mail Administrator or the IAO. Request documentation that indicates sender authentication techniques are in place on a secure email gateway server outside the enclave at the perimeter. Sender authentication for anonymous connections may take the form of Sender ID Framework (SIDF) or Domain Keys Internet Mail (DKIM), both DNS-based methods of sender authentication. Note: Sender authentication is not always reliable, because not all senders of electronic mail participate in creating public DNS sender profiles for their E-mail infrastructure. Criteria: If sender authentication is configured and approved on a perimeter-based E-mail Secure Gateway, this is not a finding.
Fix Text
Implement perimeter-based protection in the form of an Edge Transport Server role (E-mail Secure Gateway) filtering mechanism that performs, among other protections, Sender Authentication upon receipt.
Additional Identifiers
Rule ID: SV-20274r1_rule
Vulnerability ID: V-18665
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |