2.2.8 Ensure 'External send connector authentication: DNS routing' is set to 'True'

Information

This policy setting determines if DNS is used to route outbound mail via the send connector.

Rationale:

In order to enable mutual Transport Layer Security (TLS) authentication for the domains serviced by this send connector, multiple parameters must be configured. Configuring these parameters enables the use of TLS instead of basic authentication where credentials are sent across the network in plaintext.

The following parameters are addressed in separate recommendations in this benchmark.

DomainSecureEnabled to $true

IgnoreStartTLS to $false

Impact:

The organization's servers will only be able to send e-mail to remote servers that are located through DNS routing. This is the default value.

Warning: If a SmartHosts parameter is specified, the DNSRoutingEnabled parameter must be set to $false.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-SendConnector 'Connection to Contoso.com' -DNSRoutingEnabled $true

Default Value:

True

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-11

Plugin: Windows

Control ID: d314a2e886255b1a49337f27d442200d72782e7257c0f2bb7fa83f6afa6b19dd