Title

The SMTP Virtual Server Session Size is not set to "Unlimited". (Cat III impact)

Discussion

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum SMTP Virtual Server session sizes (inbound and outbound) and applies globally to the Simple Mail Transfer Protocol (SMTP) protocol. If the session size limit is set too low, the SMTP server may increase the number of sessions spawned, which increases the risk that other set limits will be reached. Controlling session resource usage is best done by controlling the number of messages in a session. It is is recommended that this setting remain at the default of ‘Unlimited’.

Check Content

Perform for each SMTP virtual server: Note: If “administrative groups” do not display in the list, highlight the topmost “Exchange” item in the left hand list, then access the Action menu, select Properties, check the “Display Routing Groups” box, and the “display administrative groups” box. Exit Exchange Manager, then restart it, and repeat the “check” steps. Procedure: Exchange System Manager >> Administrative Groups >> [administrator group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >>Messages Tab The "Limit Session Size to (KB)" field should be cleared. Criteria: If the “Limit Session Size to (KB)" is cleared, this is not a finding.

Fix Text

Set the SMTP Session Size Limit. Procedure: Exchange System Manager >> Administrative Groups >> [administrator group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >>Messages Tab Clear the “Limit Session size to (KB)” field.

Additional Identifiers

Rule ID: SV-20280r1_rule

Vulnerability ID: V-18668

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.