SMTP connectors allow unauthenticated relay.


Overview

Finding ID: V-18699
Version: EMG2-736 Exch2K3
Rule ID: SV-20338r1_rule
IA Controls: ECSC-1
Severity: High

Description
Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Allowing unauthenticated relaying on an internal host allows internal users or applications to submit unauthenticated mail messages, a form of internally spoofed SPAM that can be difficult to trace. Allowing unauthenticated relaying on an “Internet Facing” host would enable any unauthenticated party to use your Exchange Server to resend mail. This practice is often employed by spammers to obfuscate the source of their messages. Allowing unauthenticated relaying will almost inevitably result in abuse of the relay by spammers and increased load on the connector. It can also result in the appearance of the host’s domain on Reputation Black Lists. This setting controls whether unauthenticated computers are allowed to resend (relay) E-mail messages through this connector to external domains. (Authenticated users and computers can always relay messages regardless of this control's setting.) It is recommended that no unauthenticated connections be allowed in the SMTP path.

STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22417r1_chk)
Validate SMTP Connector Relay authentication.

Procedure: Exchange System Manager >> Administrative Groups >> [Administrative Group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP connector] >> Properties >> Address Space tab

The “Allow messages to be relayed to these domains” checkbox should be unchecked.

Criteria: If “Allow messages to be relayed to these domains” is unchecked, this is not a finding.

Fix Text (F-19345r1_fix)
Prevent unauthenticated mail relaying.

Procedure: Exchange System Manager >> Administrative Groups >> [Administrative Group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP connector] >> Properties >> Address Space tab

Clear the “Allow messages to be relayed to these domains” checkbox.