Title

SMTP Queue Monitor is not configured with a threshold and alert. (Cat II impact)

Discussion

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on the SMTP queue. A good rule of thumb (default) is to issue warnings when SMTP queue growth exceeds 10 minutes and critical messages when it exceeds 20 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate a network or other issue (such as inbound SPAMMER traffic) that directly impacts E-mail delivery. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it.

Check Content

If SMTP queue monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this check is N/A. Review SMTP queue monitoring and notification. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> SMTP Queue Threshold >> Details button 'Warning" should be 10 or more minutes, and "Critical" should be 20 or more minutes. Minumim notification should be an E-mail alert to an administrator account. Criteria: If 'Warning" is 10 or more minutes, and "Critical" is 20 or more minutes with minumim notification indicating an E-mail to an Administrator or Incident Response team account, this is not a finding.

Fix Text

Configure SMTP queue monitoring and notification. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> SMTP Queue Threshold >> Details button 1) Add the monitor, if needed: Click ADD, select SMTP queue Threshold. Add one monitor for each SMTP queue. 2) Set the warning and critical thresholds. Set Warning value not less than 10 minutes and Critical value not less than 20 Minutes. Values should be realistic for the queue and site operational requirements. 3) Create the notifications: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications: Declare notifications and communication methods as required by the local organization policy. At minimum, E-mail an on-call Exchange administrator account or an Incident Response administrator. A script may be invoked to perform other actions.

Additional Identifiers

Rule ID: SV-20371r1_rule

Vulnerability ID: V-18715

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.