2.2.9 Ensure 'External send connector authentication: IgnoreStartTLS' is set to 'False'

Information

This policy setting specifies whether to ignore the StartTLS option offered by a remote sending server. StartTLS is a protocol command used to inform the email server that the email client wants to upgrade from an insecure connection to a secure one using TLS or SSL.

Rationale:

In order to enable mutual Transport Layer Security (TLS) authentication for the domains serviced by this send connector, multiple parameters must be configured (see below).

Configuring these parameters enables the use of TLS instead of basic authentication where credentials are sent across the network in plaintext.

The following parameters are addressed in separate recommendations in this benchmark.

DomainSecureEnabled to$true

DNSRoutingEnabled to $true

Impact:

The organization's servers will only be able to send e-mail to remote servers that support Domain Security (Mutual Auth TLS).

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-SendConnector 'Connector Name' -IgnoreSTARTTLS $false

Default Value:

None

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: 12c349c846f2a7f07e3924138db1623baf4858c938651f160e2bf62210593576