2.2.10 Ensure 'External send connector authentication: Domain security' is set to 'True'

Information

This setting is part of the process to enable mutual Transport Layer Security (TLS) authentication for the domains serviced by this send connector. If this parameter is enabled, the Send connector will attempt to establish a mutual Transport Layer Security (TLS) connection with remote servers when sending mail.

Rationale:

In order to enable mutual Transport Layer Security (TLS) authentication for the domains serviced by this send connector, multiple parameters must be configured (see below).

Configuring these parameters enables the use of TLS instead of basic authentication where credentials are sent across the network in plaintext.

The following parameters are addressed in separate recommendations in this benchmark.

DNSRoutingEnabled to $true

IgnoreStartTLS to $false

Impact:

The organization's servers will only be able to send e-mail to remote servers that support Domain Security (Mutual Auth TLS).

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-SendConnector 'Connector name' -DomainSecureEnabled $true

Default Value:

True

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: f166a3b52ffe16926681db3af262595a00e94dd100cdae024c06a57b627c2631