Check: EMG2-146 Exch2K3
Microsoft Exchange Server 2003:
EMG2-146 Exch2K3
(in version v1 r5)
Title
SMTP virtual Server does not Restrict Relay Access. (Cat II impact)
Discussion
E-mail is only as secure as the recipient. This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transfer Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be e-mailed), then it will need to use an SMTP Virtual Server that does have a path to the Internet (for example, a local e-mail server) as a relay. SMTP relay functions must be protected so that third parties are not able to hijack a relay service for their own purposes. Most commonly, relays are hijacked by spammers to disguise the source of their messages, and hijacked relays may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. A fourth configuration, ‘allow all except the list below’, should never be used. Because authenticated connections are the most secure for SMTP virtual servers, it is recommended that relays allow only servers that can authenticate.
Check Content
Access the System Security Plan. Determine whether the server being reviewed is authorized to perform as a relay. Validate relay restriction configuration.
Procedure: Exchange System Manager>>Administrative Groups>> [Administrative Group]>>Servers>> [server]>>Protocols>> SMTP >> [specific SMTP virtual server]>> >>Properties >> Access Tab >> Relay restrictions >> Relay Button.
For servers authorized to perform as a relay: “Allow all computers which successfully authenticate to it” should be selected.
Criteria: If “Allow all computers which successfully authenticate to it” is selected, this is not a finding.
For servers not authorized to perform as a Relay: “Select only the List below” with no servers listed should be selected.
Criteria: If “Select only the List below” with no servers listed, this is not a finding.
Fix Text
Configure E-Mail relay exclusions.
Procedure: For servers that are authorized to relay messages, configure the following:
Exchange System Manager>>Administrative Groups>> [Administrative Group]>>Servers>> [server]>>Protocols>> SMTP >> [specific SMTP virtual server]>> >>Properties >> Access Tab >> Relay restrictions >> Relay Button
Select “Allow all computers which successfully authenticate to it”.
For servers that are not authorized to relay messages, configure the following:
Exchange System Manager>>Administrative Groups>> [Administrative Group]>>Servers>> [server]>>Protocols>> SMTP >> [specific SMTP virtual server]>> >>Properties >> Access Tab >> Relay restrictions >> Relay Button
Procedure: Select “Allow only the list below” and specify no servers in the list.
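A behavioural cross-check for the relay restriction described above, as an added example that is not part of the STIG or of any Microsoft tooling: it reads a recorded SMTP session and reports any recipient at a non-local domain that the server accepted before the client authenticated. The `C:`/`S:` transcript layout, the function name, the reply texts and all hosts and addresses are assumptions constructed for illustration.

```python
import re
RCPT = re.compile(r"RCPT TO:\s*<([^@>]+@([^>]+))>", re.I)

def unauthenticated_relays(transcript, local_domains):
    """Recipients at non-local domains that the server accepted before any AUTH success."""
    local = {d.lower() for d in local_domains}
    authenticated, pending, accepted = False, "", []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            pending = text.strip()            # command awaiting its reply
        elif side == "S" and re.match(r"\d{3}( |$)", text):  # skip "250-" continuations
            if text.startswith("235"):        # RFC 4954: authentication succeeded
                authenticated = True
            m = RCPT.match(pending)
            if m and text[0] == "2" and not authenticated and m.group(2).lower() not in local:
                accepted.append(m.group(1))   # relayed for an unauthenticated client
            pending = ""
    return accepted

# Constructed transcripts (C: client, S: server); every host and address is a placeholder.
HEAD = "S: 220 mail.example.mil ESMTP\nC: EHLO app.example.net\nS: 250-mail.example.mil\nS: 250 AUTH LOGIN\n"
OPEN_RELAY = HEAD + """C: MAIL FROM:<a@example.net>
S: 250 2.1.0 Sender OK
C: RCPT TO:<b@example.org>
S: 250 2.1.5 b@example.org
"""
RESTRICTED = HEAD + """C: MAIL FROM:<a@example.net>
S: 250 2.1.0 Sender OK
C: RCPT TO:<user@example.mil>
S: 250 2.1.5 user@example.mil
C: RCPT TO:<b@example.org>
S: 550 5.7.1 Unable to relay for b@example.org
"""
AUTHENTICATED = HEAD + """C: AUTH LOGIN
S: 334 (challenge elided)
C: (response elided)
S: 334 (challenge elided)
C: (response elided)
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<report@example.mil>
S: 250 2.1.0 Sender OK
C: RCPT TO:<b@example.org>
S: 250 2.1.5 b@example.org
"""
if __name__ == "__main__":
    for name, t in [("open", OPEN_RELAY), ("restricted", RESTRICTED), ("authenticated", AUTHENTICATED)]:
        print(name, unauthenticated_relays(t, ["example.mil"]))
```

An empty result only shows that this session saw no unauthenticated relay; the Relay restrictions dialog remains the authority for the finding.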
Additional Identifiers
Rule ID: SV-20340r1_rule
Vulnerability ID: V-18700
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |