Check: EMG2-038 Exch2K3
Microsoft Exchange Server 2003: EMG2-038 Exch2K3 (in version v1 r5)
Title
E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter. (Cat II impact)
Discussion
Individual messages can be protected by requiring message signing at the creation point (Outlook), at the originator's discretion, enabling integrity protection for their messages. However, messages can also be created by report generators and other applications using automated processes that do not typically sign messages. By signing outbound messages as they exit into the public Internet, the sending SMTP server gives all receivers the opportunity to authenticate the sending domain and server as authentic (using the DNS-based DKIM record) and to validate the message content as unaltered in transit (using the DKIM public key to rehash). In this way, forgeries are prevented and spammers are more easily tracked. It should be noted that unless both senders and receivers participate, sender authentication techniques are of limited effectiveness. For receivers not configured to recognize signed messages, there is no impact to processing: they default to treating the messages as if from an anonymous sender origin and examine them with the evaluation methods that are available. The DKIM (DomainKeys Identified Mail) process is not part of Exchange 2003 functionality, so inbound messages that reach an Exchange server as the first receiving touchpoint will not be able to undergo this type of sender authentication. However, most e-mail Secure Gateway products now offer this feature.
Check Content
Interview the E-mail Administrator or the IAO. Access the System Security documentation that identifies perimeter protection in the form of an Edge Transport Server role (E-mail Secure Gateway) offering outbound signed message transmissions. Criteria: If an Edge Transport Server (E-mail Secure Gateway) role exists and performs outbound E-mail message signing at the perimeter, this is not a finding.
Fix Text
Implement an Edge Transport Server (E-mail Secure Gateway) that includes DKIM functionality. Ensure that each domain creates mail server certificates and signs outbound messages at the perimeter. NOTE: Each domain must also populate the Public DNS with the appropriate public keys to enable receiver validation.
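The Discussion and Fix Text above describe the two halves of the DKIM process: the perimeter gateway canonicalizes and hashes each outbound message body and writes the result into a DKIM-Signature header, and the receiver fetches the public key from the selector._domainkey.domain TXT record and rehashes to confirm the content was not altered in transit. The following is an added worked example (not Exchange, gateway or STIG code) of the receiver-side body-hash check and DNS key-record validation, using only the Python standard library. The domain name, selector, message body and the PLACEHOLDER_BASE64_PUBLIC_KEY value are constructed; the RSA signature over the headers (the b= tag) is left empty because verifying it requires an RSA library that is not in the standard library.

```python
"""DKIM body-hash (bh=) verification and DNS key-record parsing.

Added illustration for the EMG2-038 discussion; not Exchange or gateway code.
Standard library only: the RSA signature over the headers (b= tag) is not
computed or verified here, only the body-hash and key-record steps.
"""
import base64
import hashlib
import re

CRLF = "\r\n"


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization for a non-empty body.

    Collapses runs of SP/TAB to one space, strips trailing whitespace on
    each line, drops empty lines at the end, and terminates with CRLF.
    """
    lines = []
    for line in body.split(CRLF):
        lines.append(re.sub(r"[ \t]+", " ", line).rstrip(" \t"))
    while lines and lines[-1] == "":
        lines.pop()
    return (CRLF.join(lines) + CRLF).encode("utf-8")


def body_hash(body: str) -> str:
    """bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DNS TXT)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            # Header folding whitespace is insignificant inside tag values.
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def build_signature_header(domain: str, selector: str, body: str) -> str:
    """DKIM-Signature value a gateway would emit; b= left empty (no RSA here)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=" % (domain, selector, body_hash(body)))


def key_record_name(tags: dict) -> str:
    """DNS name the receiver queries for the signer's public key."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def parse_key_record(txt: str) -> dict:
    """Validate a DKIM TXT record: v (if present) must be DKIM1, k must be
    rsa, and p must be non-empty (an empty p= means the key was revoked)."""
    tags = parse_tags(txt)
    if (tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa"
            or not tags.get("p")):
        raise ValueError("not a usable DKIM key record")
    return tags


def is_usable_key_record(txt: str) -> bool:
    try:
        parse_key_record(txt)
        return True
    except ValueError:
        return False


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Receiver side: rehash the body and compare with the signer's bh= tag."""
    return parse_tags(dkim_header).get("bh") == body_hash(body)


if __name__ == "__main__":
    # Constructed sample: an automated report that no user signed in Outlook.
    body = "Quarterly report attached.  \r\n\r\n\r\n"
    header = build_signature_header("example.com", "edge2024", body)
    print("unaltered body verifies:", verify_body_hash(header, body))
    print("tampered body verifies:",
          verify_body_hash(header, body.replace("Quarterly", "Q4")))
    print("key record to query:", key_record_name(parse_tags(header)))
    # Constructed TXT record; p= would carry the base64 DER public key.
    print("record usable:",
          is_usable_key_record("v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"))
    print("revoked record usable:", is_usable_key_record("v=DKIM1; k=rsa; p="))
```

A mismatch on bh= is the first check a DKIM verifier makes before spending an RSA operation on the b= signature, so it is the cheapest place to detect in-transit modification; the key-record check shows why the Fix Text's NOTE matters, since a missing or empty p= tag leaves receivers unable to validate anything the gateway signs.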
Additional Identifiers
Rule ID: SV-20557r1_rule
Vulnerability ID: V-18818
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
No CCIs are assigned to this check |
Controls
Number | Title
---|---
No controls are assigned to this check |