Check: EMG2-250 Exch2K3
Microsoft Exchange Server 2003:
EMG2-250 Exch2K3
(in version v1 r5)
Title
SMTP Connection Restrictions do not use the "Deny All" strategy. (Cat II impact)
Discussion
E-mail is only as secure as the receiving server. Recipient SMTP servers that accept connections from any source give rogue senders (such as spammers) and malicious users a way to inject batches of messages, which may be spoofed or forged, into the message transfer path. This setting controls which IP addresses are allowed to connect to the SMTP virtual server to submit messages. Two strategies exist for this control: "Deny None" (accept every connection except the listed exceptions) or "Deny All" (accept connections only from the listed exceptions). Exceptions are listed as individual IP addresses or as subnets (an address with a subnet mask). To significantly reduce the attack surface for unauthorized connections, the "Deny All" approach must be used, so that authorized connections come "only from the list below". Depending on the server's role in the infrastructure, the list must contain the clients or other SMTP servers authorized to connect to this virtual server, and nothing else.
Check Content
Access the mail server inbound connections configuration. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Access tab >> Connection control >> Connection button. Repeat this check for each SMTP virtual server on the Exchange server. "Only the list below" should be selected, with a list of the addresses or subnets authorized to connect to this virtual server. Criteria: If "Only the list below" is selected, with a list of addresses or subnets authorized to connect to this virtual server, this is not a finding. If "All except the list below" is selected, or "Only the list below" is selected with no authorized addresses listed, this is a finding.
Fix Text
Set the inbound connections configuration. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Access tab >> Connection control >> Connection button. Select "Only the list below" and list the addresses or subnets authorized to connect to this virtual server. Repeat for each SMTP virtual server on the Exchange server.
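The check and fix above are written as an Exchange System Manager procedure. The following PowerShell script is an added example, not part of the STIG text, showing how the same "Deny All" versus "Deny None" decision can be evaluated from the IIS 6 metabase that Exchange 2003 uses to store SMTP virtual server settings. It assumes the virtual servers live under the metabase path IIS://localhost/SmtpSvc/<n>, that the Connection control dialog maps to the IPSecurity property (GrantByDefault = $false corresponds to "Only the list below", IPGrant holds the authorized entries as "address, mask" strings), that the script runs on the Exchange server as an administrator under PowerShell 2.0 or later, and that the sample records at the bottom are constructed values rather than data from any real server.

```powershell
# Added example (not the STIG's own procedure): evaluate EMG2-250 for
# Exchange 2003 SMTP virtual servers. Assumed metabase mapping of the
# "Connection control" dialog to the IPSecurity property:
#   GrantByDefault = $true  -> "All except the list below"  ("Deny None")
#   GrantByDefault = $false -> "Only the list below"        ("Deny All")
#   IPGrant                 -> authorized addresses/subnets under "Deny All"

function Test-SmtpConnectionControl {
    param(
        [string]$Name,
        [bool]$GrantByDefault,
        [string[]]$IpGrant
    )
    # Compliant only when the default is deny AND at least one authorized
    # source is listed; "Deny All" with an empty list blocks all inbound SMTP.
    if ($GrantByDefault) {
        $status = 'FINDING'
        $reason = '"All except the list below" is selected (Deny None).'
    } elseif (-not $IpGrant -or $IpGrant.Count -eq 0) {
        $status = 'FINDING'
        $reason = '"Only the list below" is selected but no addresses are listed.'
    } else {
        $status = 'NOT A FINDING'
        $reason = 'Only the list below: ' + ($IpGrant -join '; ')
    }
    New-Object PSObject -Property @{ Server = $Name; Status = $status; Reason = $reason }
}

# Read every SMTP virtual server on the local server through the IIS ADSI
# provider (assumed path IIS://localhost/SmtpSvc; assumed schema class
# IIsSmtpServer). Run on the Exchange 2003 server itself.
function Get-SmtpConnectionControl {
    $svc = [ADSI]'IIS://localhost/SmtpSvc'
    foreach ($vs in $svc.psbase.Children) {
        if ($vs.psbase.SchemaClassName -ne 'IIsSmtpServer') { continue }
        $ipsec = $vs.Properties['IPSecurity'].Value
        Test-SmtpConnectionControl -Name ([string]$vs.ServerComment) `
            -GrantByDefault ([bool]$ipsec.GrantByDefault) `
            -IpGrant ([string[]]$ipsec.IPGrant)
    }
}

# Constructed sample records (assumed values, not from any real server) so
# the evaluation logic can be exercised without an Exchange 2003 host.
$samples = @(
    @{ Name = 'Default SMTP Virtual Server'; GrantByDefault = $true;  IpGrant = @() },
    @{ Name = 'Internal Relay VS';            GrantByDefault = $false; IpGrant = @() },
    @{ Name = 'Hardened SMTP VS';             GrantByDefault = $false;
       IpGrant = @('10.10.5.0, 255.255.255.0', '192.0.2.25, 255.255.255.255') }
)
$samples | ForEach-Object { $p = $_; Test-SmtpConnectionControl @p } |
    Format-Table Server, Status, Reason -AutoSize

# On a live Exchange 2003 server, replace the sample run with:
#   Get-SmtpConnectionControl | Format-Table Server, Status, Reason -AutoSize
```

Only the third sample is reported as "NOT A FINDING"; the first is the "Deny None" default this check targets, and the second shows why the criteria require an actual list rather than merely the radio button. When applying the fix, populate IPGrant with the authorized relays or clients for the server's role before switching GrantByDefault off, so mail flow is not interrupted.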
Additional Identifiers
Rule ID: SV-20328r1_rule
Vulnerability ID: V-18694
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |