Information
This policy setting configures the advertised and accepted authentication mechanisms for the receive connector.
The primary function of receive connectors in the front-end transport service is to accept anonymous and authenticated Simple Mail Transfer Protocol (SMTP) connections in the Exchange environment.
Note: Some available values have dependencies and exclusions:
None is not compatible with other values.
BasicAuthRequireTLS requires BasicAuth and Tls.
ExternalAuthoritative can only be combined with Tls.
Tls is required when the RequireTLS parameter is $true.
ExternalAuthoritative requires the PermissionGroups parameter to be ExchangeServers.
Rationale:
Configuring this setting enables the encryption of email between clients and servers. This reduces the risk of eavesdropping, interception, and alteration of the email, and adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender.
Impact:
No impact is expected.
Solution
To implement the recommended state, execute the following PowerShell cmdlet:
Set-ReceiveConnector -Identity <'IdentityName'> -AuthMechanism 'Tls'
Note: If more than one receive connector exists on the mailbox server, run the following command to update all receive connectors:
Get-ReceiveConnector | Set-ReceiveConnector -AuthMechanism 'Tls'
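To record each connector's current state before running the commands above, the following audit checks AuthMechanism against the dependency rules in the note. It is an added example, not part of the original benchmark text; the function name Get-AuthMechanismIssue and the sample connectors are hypothetical, and it assumes a connector meets the recommendation when Tls is among its values.

```powershell
# Added example: audit receive connectors against the AuthMechanism rules in the note.
# The sample objects below are constructed so the script runs offline. In the
# Exchange Management Shell use instead:  $connectors = Get-ReceiveConnector
$connectors = @(
    [pscustomobject]@{ Identity = 'EX01\Client (constructed)'; RequireTLS = $false
        AuthMechanism = 'Tls, BasicAuth, BasicAuthRequireTLS'; PermissionGroups = 'ExchangeUsers' }
    [pscustomobject]@{ Identity = 'EX01\Relay (constructed)'; RequireTLS = $true
        AuthMechanism = 'ExternalAuthoritative, BasicAuth'; PermissionGroups = 'AnonymousUsers' }
    [pscustomobject]@{ Identity = 'EX01\Legacy (constructed)'; RequireTLS = $false
        AuthMechanism = 'None'; PermissionGroups = 'AnonymousUsers' }
)

function Get-AuthMechanismIssue {   # hypothetical helper name
    param([string[]]$Mechanism, [bool]$RequireTLS, [string[]]$PermissionGroups)
    $hasTls = $Mechanism -contains 'Tls'
    if (-not $hasTls) { 'Tls is not set' }
    if ($RequireTLS -and -not $hasTls) { 'RequireTLS is $true but Tls is not set' }
    if ($Mechanism -contains 'None' -and $Mechanism.Count -gt 1) {
        'None is combined with other values'
    }
    if ($Mechanism -contains 'BasicAuthRequireTLS' -and
        -not ($hasTls -and $Mechanism -contains 'BasicAuth')) {
        'BasicAuthRequireTLS is set without both BasicAuth and Tls'
    }
    if ($Mechanism -contains 'ExternalAuthoritative') {
        $extra = @($Mechanism | Where-Object { $_ -notin 'ExternalAuthoritative', 'Tls' })
        if ($extra.Count -gt 0) {
            "ExternalAuthoritative is combined with: $($extra -join ', ')"
        }
        if ($PermissionGroups -notcontains 'ExchangeServers') {
            'ExternalAuthoritative is set without PermissionGroups ExchangeServers'
        }
    }
}

$report = foreach ($c in $connectors) {
    # Multi-valued properties render as 'Tls, BasicAuth'; split them into names.
    $mech  = "$($c.AuthMechanism)" -split ',\s*'
    $perm  = "$($c.PermissionGroups)" -split ',\s*'
    $found = @(Get-AuthMechanismIssue -Mechanism $mech -RequireTLS $c.RequireTLS -PermissionGroups $perm)
    [pscustomobject]@{
        Identity      = "$($c.Identity)"
        AuthMechanism = $mech -join ', '
        MeetsPolicy   = ($found.Count -eq 0)
        Issues        = $found -join '; '
    }
}
$report | Format-List
```

Keeping the report output also preserves the previous AuthMechanism value of every connector that the bulk command changes.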
Default Value:
N/A