Title

E-mail Server Global Sending or Receiving message size is set to Unlimited. (Cat II impact)

Discussion

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Message size limits should be set to 30 megabytes at most, but often are smaller, depending on the organization. The key point in message size is that it should be set globally, and it should not be set to ‘unlimited’. Selecting the “no limit” radio button on either field is likely to result in abuse and can lead to rapid filling of server disk space. Message size limits may be applied in Routing Group connectors, SMTP connectors, Public Folders, and on the user account under AD. Changes at these lower levels are discouraged, as the single global setting is usually sufficient. This practice prevents conflicts that could impact availability and it simplifies server administration.

Check Content

Verify that the “Set message size”, is not set to Unlimited. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Defaults tab The "Send Size" and "Receive Size" should have a value, and not have "unlimited" selected. Criteria: If "Send Size" and "Receive Size" have a value, and have not selected "unlimited", this is not a finding.

Fix Text

Set the Global Send and Receive message sizes. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Defaults tab Set "Send Size" and "Receive Size" to a value (do not select Unlimited). Default size limits are as follows (to be used if other sizes are not justified): Send Size =10,240 Receive Size = 10,240

Additional Identifiers

Rule ID: SV-20276r1_rule

Vulnerability ID: V-18666

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.